Members
  • Total Members: 14197
  • Latest: Levine
Stats
  • Total Posts: 43437
  • Total Topics: 16531
  • Online today: 3056
  • Online ever: 51419
  • (01. January 2010., 10:27:49)
Users Online
Users: 3
Guests: 2931
Total: 2934









Author Topic: Microsoft gives temporary fix for ASP.Net vulnerability  (Read 4247 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7529
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Microsoft gives temporary fix for ASP.Net vulnerability
« on: 21. September 2010., 08:04:43 »


Microsoft has issued a temporary fix for a cryptographic weakness in widely used web development software that allows attackers to read password files and other sensitive data.

The workaround issued late Friday addresses what is known as a “cryptographic padding oracle” in ASP.Net, a series of web development programs that run on top of Microsoft's Internet Information Services, or IIS: http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
The weakness, which was demonstrated last week at the Ekoparty conference in Argentina, makes it possible for outsiders to read or tamper with sensitive data that is supposed to remain encrypted.

In cryptography parlance, an oracle is something that unintentionally reveals subtle clues about the encrypted contents. The vulnerability in ASP.Net can be exploited by sending a server huge numbers of queries and then analyzing the differing error messages that result. By repeating the process over and over, attackers can read the ASP.Net View State, which is used to keep track of changes made to web forms. The View State page, which can be used to store passwords, database connection strings and other sensitive data, is supposed to remain unreadable.

By tricking ASP.Net into revealing hints about the padding used to encrypt the data, attackers can eventually read or tamper with encrypted data sitting on a server running the web applications.

Microsoft on Friday acknowledged the vulnerability and said its security team was working on a patch that would plug the information disclosure hole: http://www.microsoft.com/technet/security/advisory/2416728.mspx

In the meantime, ASP.Net users should run a script that will identify whether their systems are vulnerable. Systems that test positive should be reconfigured so that all error messages are mapped to a single error page that prevents the attacker from distinguishing among different types of errors, effectively muzzling the oracle.

Researchers Thai Duong and Juliano Rizzo last week demonstrated a point-and-click tool called POET, short for Padding Oracle Exploitation Tool, that has been updated to decrypt cookies, view states, form authentication tickets, and other sensitive data encrypted by ASP.Net. The video below provides a demonstration of the attack.

(ElReg)

Samker's Computer Forum - SCforum.info

Microsoft gives temporary fix for ASP.Net vulnerability
« on: 21. September 2010., 08:04:43 »

.:Ankur:.

  • SCF Member
  • **
  • Posts: 17
  • KARMA: 6
Re: Microsoft gives temporary fix for ASP.Net vulnerability
« Reply #1 on: 21. September 2010., 16:18:01 »
thx for info for coders like us  :)

bugmenot

  • SCF Member
  • **
  • Posts: 33
  • KARMA: 2
Re: Microsoft gives temporary fix for ASP.Net vulnerability
« Reply #2 on: 19. October 2010., 09:52:58 »
i like php

Samker's Computer Forum - SCforum.info

Re: Microsoft gives temporary fix for ASP.Net vulnerability
« Reply #2 on: 19. October 2010., 09:52:58 »

 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.codekids.ba:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Kursevi programiranja za ucenike u Sarajevu

Terms of Use | Privacy Policy | Advertising
TinyPortal 2.3.1 © 2005-2023