Software architect and Microsoft MVP, you’ll usually find me writing about security concepts and process improvement in software delivery.
You’ve gotta feel a bit sorry for Scott Guthrie. Microsoft’s developer division VP normally spends his time writing about all the great new work his team is doing and basking in the kudos of loyal followers. But not this weekend. Unfortunately his latest post has been all about repeating the same dire message; ASP.NET has a major security flaw posing a critical vulnerability to millions of websites. Actually that’s putting it nicely; much of the feedback on the web is a little blunter talking about the vulnerability totally destroying ASP.NET security. Ouch.
Actually, it’s not so much the fact he had to write the post that makes me feel sorry for him, it’s that he has to continually respond to the same questions from (understandably) fearful, worried customers. It’s not surprising, the vulnerability is a little abstract to understand and the potential ramifications are rather scary. Furthermore, the mitigations he has recommended – namely around errors handling – probably seem a little obscure.
This is an issue which is quite possibly going to consume a bit of my time in the coming weeks so I thought I’d start out right now by explaining what the vulnerability is, what remediation is required and most importantly, actually show how they mitigate the problem. It’s this last point that I don’t think Scott quite captured and I suspect that’s why there is so much uncertainty now.
Sep 25th Update: I’ve also written about Why sleep is good for your app’s padding oracle
Sep 29th update: The patch and how to test for it in Do you trust your hosting provider and have they really installed the padding oracle patch?
The exploit in action
Let’s start out with a bang. Just in case you haven’t already heard about the exploit or seen what it can do, watch this before reading any further. This was demonstrated at the Ekoparty conference in Argentina a few days ago:
What just happened? In short, there were three simple steps:
- The ciphertext appended to a web resource request was retrieved from the HTML source of the page. This is effectively an encrypted version of the resource identifier. It’s the algorithm behind this encryption the exploit sets out to break.
- The Padding Oracle Exploit Tool (or POET) is given the URL of the site and the ciphertext from step 1. It then sets out to break the algorithm used in the encryption process. This is the heart of what the exploit is all about.
- The exploited algorithm is then used to create a new, encrypted cookie with super user rights to the DotNetNuke instance in the attack. This cookie is then simply added to the browser granting the attacker all the rights they could desire over the target site.
This particular example goes on to load a malicious payload into the server allowing command line access from the UI but the damage was really done in step 3. In very simple terms, the exploit allows normally secure artefacts generated by the server to be decrypted and forged.
What’s all this got to do with Oracle?
No, not Oracle, oracle. More specifically, it’s about the oracle used against padding which in cryptography is all about discovering how encrypted versions of plain text strings are padded out to fit neatly in eight bytes. There’s a fantastic overview of how this works in Automated Padding Oracle Attacks with PadBuster if you want to understand it in depth, I’m just going to distil this to the basics. This info is almost entirely from the post in the previous sentence (as is the first image I’ve borrowed), so all credit to those guys. No guarantees on me getting all of this 100% right but hopefully the gist of it will come through ok.
Imagine every encrypted string has to consume a multiple of eight bytes of data. In order to do this, different amounts of padding are required for different string lengths:
One thing you’ll notice is that each padding byte represents the total number of bytes in the padding. For example, FIG has five padding bytes of 0x05. If the encrypted version of FIG contained five bytes of padding that weren’t all 0x05, the server would throw an error when it went to decrypt it. In short, the response of the server can disclose if the encrypted value is correctly padded or not. From the link above, this is called a padding oracle because:
The term oracle refers to a mechanism that can be used to determine whether a test has passed or failed.
Here’s where it gets interesting; if an encrypted string can be passed to the server and its response can tell you whether the padding is valid or not, the request can be manipulated to continually change the bytes in the request and reissue them to the server until a successful response is returned. The bytes this technique manipulates are contained in the initialisation vector (IV) which is the eight bytes preceding the encrypted string. Each byte is then used in the decryption algorithm so it’s pivotal to successfully decrypting the string.
If the IV can be manipulated until it resolves the corresponding encrypted byte to the appropriate padding value and the server confirms this by not returning an error, the process can be repeated for each byte of the IV until all eight are known. The IV can then be used to decrypt the remaining ciphertext. A similar process can be used to encrypt a new string.
This exploit isn’t actually new; it was reported eight years back by the Swiss. What is new is the way it’s been applied against ASP.NET and the fact this particular attack vector has now been published.
What can you do with this?
An awful lot, unfortunately. The obvious answer is you can decrypt any encrypted strings accessible to the client which means query strings, hidden form fields and cookies. The other problem is that because you can use the above mechanism to encrypt data, you can roll your own cookies. The DotNetNuke exploit in the video works because a perfectly valid cookie indicating the client is a super user could be forged and passed to the server with it being none the wiser. This isn’t a DotNetNuke vulnerability, it could conceivably occur with any ASP.NET site which implements authentication.
But there’s another exploit which Scott touches on in his post without going into too much detail; the web.config can be downloaded.
The attack that was shown in the public relies on a feature in ASP.NET that allows files (typically javascript and css) to be downloaded, and which is secured with a key that is sent as part of the request. Unfortunately if you are able to forge a key you can use this feature to download the web.config file of an application (but not files outside of the application).
Although I can’t find any specific references to it, I believe what Scott’s referring to is the ability to use web resources with a forged resource ID which rather than pointing to the usual JavaScript or CSS, instead points to another resource in the app. From the Working with Web Resources page:
The URL for WebResource.axd looks like the following:
WebResource.axd?d=SbXSD3uTnhYsK4gMD8fL84_mHPC5jJ7lfdnr1_WtsftZiUOZ6IXYG8QCXW86UizF0&t=632768953157700078
The format of this URL is WebResource.axd?d=encrypted identifier&t=time stamp value. The "d" stands for the requested Web Resource. The "t" is the timestamp for the requested assembly, which can help in determining if there have been any changes to the resource.
You can see how this is an appended query string value and as the video earlier showed, these requests simply return the resource in its entirety.
What’s vulnerable?
Basically any ASP.NET based products including obviously ASP.NET websites and DotNetNuke but also SharePoint and ASP.NET MVC. Of course this also extends to products like Umbraco that are offerings on top of the framework.
Mitigation
Scott makes two recommendations from which a lot of confusion then flows:
- Enable custom errors with response rewriting and a single error page for all error types.
- Add a random sleep delay to the error page.
On the surface of it, these seem like rather odd ways of addressing a cryptography vulnerability, but there’s method in the madness. Both these recommendations are designed to obfuscate the fact a server error has occurred. If the attacker is not being told when their manipulated IV is causing an error versus when it’s passing through successfully, the ability to exploit the vulnerability is severely hobbled.
Managing server errors
Let’s look at how using a single custom errors page helps the situation. I’ve created a standard web app with all the usual, out of the box settings and configured an IIS website against it on port 85. By default, the following JavaScript is embedded in the page (we don’t have to use a web resource file, the same logic applies to any other resource executing on the server):
<script src="/WebResource.axd?d=8KdqlbnKlEkJNojRMjxtSxbXkp67u-rzhy_VoqsYA901&t=634200755509128189" type="text/javascript"></script>
Now, if I manipulate the resource ID (the “d” query string value) and reissue the request and monitor the response with Fiddler, here’s what I see:
By returning a 500 response code, IIS has just confirmed the server has thrown an error. Now let’s make the first change Scott recommended, namely creating a dedicated error page with response writing as the redirect mode and adding it as the default redirect in the custom errors node:
Now we’re getting a 200 response which for all intents and purposes means it was a successful request, at least as far as the headers go. You’ll also see the requested URL is the web resource page and not the error page. This is actually one important point that wasn’t fully explained in Scott’s post; it’s important the redirect mode is set to “ResponseRewrite”. If not, the default “ResponseRedirect” value will be applied and here’s what will happen:
Now we’re getting an HTTP 302 redirect which then asks the browser to make a separate request for “Error.aspx?aspxerrorpath=/WebResource.axd”. This pretty much gives the game away and confirms that an error has been thrown as a result of the request. By rewriting the request the error page is returned in the initial response which caused the server error rather than in a subsequent response.
Some people have asked if just turning custom errors on by specifying <customErrors mode="On" /> is sufficient. Unfortunately, it’s not and here’s why:
Obviously this once again exposes the HTTP 500 response code so although it has the advantage of not exposing the specific internal error, it still indicates the request has failed.
The other things Scott asks you to configure in the custom errors (or rather not configure), is different error pages for different error codes. A lot of people have asked what this means for their custom 404 page not found error pages, often used to provide a functional value to the user (ie. an external link points to a now defunct page). Here’s his message, repeated many, many times:
One of the ways this attack works is that looks for differentiation between 404s and 500 errors. It can use this differentiation to try out potential keys (typically over tens of thousands of requests). Always returning the same HTTP code and sending them to the same place is one way to help block it.
I haven’t seen the attack Scott talks about in practice but what’s obvious is that it’s looking for particular resources within the application. Not returning 404 page not found obfuscates the fact the resource doesn’t actually exist from automated attacks. Yes, it has a usability impact and possibly other issues beyond that (search engine crawlers, perhaps?), but he’s consistently emphatic about avoiding this particular response code so there’s obviously something in it.
Sep 20th update: the 404 risk is that if the padding oracle exploit is attempted against the resource ID in the WebResource.axd file and the manipulated IV is correct in the context of the ciphertext but the resource doesn’t exist (hence the 404), the same response is returned as if the IV was invalid. This makes the gradual incrementing of each IV byte and using the response as a success measure pointless as the response is always the same whether the byte is valid or not. The only way a 500 server error wouldn’t be returned using Scott’s recommendations is if the resource ID is correct and a valid resource is found.
Having a little sleep
The other recommendation Scott makes is to add a small, random sleep to the error page. Essentially what he’s suggesting is obfuscation of the error page load time in order to avoid establishing a pattern which could be used to identify when an error response is being returned. This is often referred to as a “remote timing” attack.
I know what you’re thinking; does adding a few milliseconds here or there really improve the security of my app? Quite a lot has been written on this subject, Exploiting remote timing attacks is but one example of many resources which talks about the practice. If you really want endorsement of why Scott’s suggestion has some merit, here’s an interesting tweet from one of the duo who produced the video:
And if there’s no big timing difference? I’m sure there’s still a way but its one more layer of defence. And it’s free.
Summary
I would have liked to have gone into this vulnerability a lot deeper. I’ve not successfully run the exploit and have instead spent the day reading and absorbing information. I’ve seen enough today to be convinced this exploit poses a serious risk and that alone is worth writing about, particularly in terms of shedding some light on the rationale behind The Gu’s recommendations.
This is one of those “first thing Monday morning” type of vulnerabilities. As the word has spread over the last couple of days and the impact has begun to sink in, there’s going to be a lot of devs arriving at the office tomorrow morning with some work to do. If you’re responsible for any ASP.NET website and you’re not making some pretty speedy changes tomorrow morning, your site may just be one of the first sites compromised by this exploit.
Scott makes multiple mentions of a patch coming from Microsoft but is very non-committal on exactly when we’ll see it. We also don’t know what form the patch will take; will it be patch to the framework requiring a server install and all the governance (and lead time) that goes along with it? Or will it mean re-deployment of apps? One thing’s for sure, it will require some legwork and getting started on the mitigation early by following his guidance is the only smart thing to do at this stage.
We live in interesting times.
30 comments:
I believe the use of ResponseRewrite is to give a random <=256ms of sleep time to any error response. This protects against timing oracles. I don't believe it's anything to do with hiding the padding oracle.
Why else would the recommendation be for ASP.Net <=3.5RTM to 302 Redirect to error.html?
I don't believe ResponseRewrite has any built in random latency, hence Scott's manual implementation of a random thread sleep. But you're right, it's not directly related to the padding oracle in that it obfuscates the fact that any error is thrown, including where invalid IVs have been passed back to the server.
The redirectMode attribute was only introduced in ASP.NET 3.5 SP1 so the only option is 302: http://msdn.microsoft.com/en-us/library/h0hfz6fc(v=VS.90).aspx
Of course this means that if I'm correct in saying disclosure of a 302 is proof of a server error, this makes earlier versions of the framework more vulnerable to the exploit.
Another problem is that when you know the contents of the error page, you basically still have a padding oracle. It just takes more bandwidth and parsing to succesfully make that conclusion.
Also, when you know the content type of the resource you're requesting (text/javaScript vs text/html) you can check the headers to conclude whether an error has occurred or not.
So these reccomendations make it harder to exploit this vulnerability, but don't make it impossible.
A dependency on the response body not only has the bandwidth and time impact (consider the 38,000 enumerations in the video), you actually need to know what pattern to look for in the markup. This requires some per-site effort and probably moves the app out of the "low hanging fruit" category.
I realised as I posted the blog the content type was a bit of a giveaway, although a web resource file could conceivably return a legitimate text/html doc. Of course if the ciphertext is extracted from a web resource which is the source of a script tag the behaviour is a little more predictable.
Contrary to Scott's post, I suggest the recommended remediation doesn't PREVENT the vulnerability, rather it MITIGATES it. It may be a bit semantic but I don't think people should be enjoying a false sense of security on this one.
Fantastic post! I think I'll need to re-read a couple times before it fully sinks in.
Say I've got an ASP.NET MVC site that has no need for the WebResource.axd and ScriptResource.axd httphandlers. Would it make sense to remove them? Assuming yes, does that prevent the vulnerability or just mitigate it?
Thanks again for such a deep dive on the topic!
This is an excellent write up. It explains the problem in just the right amount of detail. Well done Troy.
Am I missing something? If IIS is enforcing authentication, either basic or "integrated," how can someone post to the WebResource.axd without valid credentials?
Great Description of what this is all about - in language that non-hackers understand
Thanks for posting this detailed write-up on the exploit!
I fail to see why the ResponseRewrite is necessary. If the difference that they are looking for is the 404 vs 500, and BOTH result in a Response.Redirect to the error page, how are we giving anything away?
That, and ResponseRewrite doesn't work on MVC if using an Error controller instead of a static page...
Peter, it seems that the risk exceeds just WebResource.axd. The same encryption algorithm is used in view state and cookies. Just removing the web resources file isn't enough.
Anonymous 1, this issue is entirely autonomous of authentication. The exploit only needs the ciphertext and be able to pass a manipulated version back to the server and observe the response. That said, if the entire app disallows anonymous access, I'm not sure where in the page lifecycle cryptography comes into play versus authorisation. It's a good question!
Anonymous 2, response rewriting gives you the ability to introduce the random sleep period to the initial request. Response redirect means the resource with the error sends an immediate response to the browser after which it makes a separate request to the error page. The difference in these two models means a timing attack can be used as a side channel i.e. not rewriting the response allows you to see exactly how long each error took to execute and allow you to deduce the error type based on duration. The lack of response rewriting in versions prior to ASP.NET3.5 SP1 is why these apps are more vulnerable than the newer version.
Great write up, really helped fill in the gaps left by Scott's post.
We have been trying out the workaround recommended by Microsoft and came across something interesting. If you implement the work around and get your custom errors working as suggested these can be bypassed by just adding ?aspxerrorpath=something to your url. This really renders the workaround useless.
Some examples of this:
http://www.microsoft.com/pagethatdoesnotexist.aspx?aspxerrorpath=breakme
http://www.microsoft.com/webresource.axd?d=1sdsdf9786f2s&aspxerrorpath=breakme
If you remove the aspxerrorpath query string you get the nice custom error again.
I don't think that's the way the attack is happening. From what I've gathered they can't sign an auth cookie / can't get to the actual keys with the exploit.
The actual keys are being obtained by combining the exploit with the exploit + an additional vulnerability that allows them to get the web.config, without the ability to sign anything. In the dotnetnuke default install the keys are in the web.config, so that's how they grab it (not the only product/site that puts those keys there).
I just blogged about it here: http://eglasius.blogspot.com/2010/09/aspnet-padding-oracle-how-it-relates-to.html
@Andy does that allow you to tell the different from valid vs. invalid padding when an error is handled? Work around is to hide that, not to hide that an error occurred.
Andy, that's an interesting find. I can reproduce that on sites with both response redirection AND response rewriting. Interestingly though, it doesn't break on Scott Gu's page so not sure what's different with the weblogs.asp.net configuration: http://weblogs.asp.net/scottgu/pagethatdoesnotexist.aspx?aspxerrorpath=breakme
In the tests I just did, the invalid aspxerrorpath returns 404 when the underlying error was 404 and 500 when the underlying error was 500 regardless of custom error configuration. This is a good one to investigate further I think.
Freddy, agree re the exploit not getting to the actual keys by way of manipulating padding. It's about deducing encrypted values based on the validity of the padding and the response from the server. Conversely, encrypted values can be recreated without the keys which is what happens in the DNN video when a cookie with super user rights is created. Would you agree with that?
I think I understand what you're saying re the web.config keys; the initial padding oracle exploit can be used to request arbitrary resources (using the web resource file as a proxy) such as the web.config which COULD hold keys (and does in the DNN instance).
To your question to Andy, given valid padding returns 404 and invalid padding returns 500 then yes, his vector has the potential to disclose the difference between the two.
Hi, Troy, interesting post. I missed yours when I, like a zillion other guys, got an e-mail notifying me these clowns had done what they did. I'm glad I found it as I'd missed the redirectMode="ResponseRewrite" attribute that needs to be added to the customErrors tag in web.config. As you point out, without the rewrite, a padding oracle attack can easily distinguish between an error and a successful load of URL sent just by seeing two instead of one response header.
Also, well, dang you for pointing out the aspxerrorpath= query string. I DID NOT need to know that! The week has been long enough already! :-)
re "Conversely, encrypted values can be recreated without the keys which is what happens in the DNN video when a cookie with super user rights is created. Would you agree with that?"
What they actually did was hidden by poet.py. I don't think that's the case as it doesn't match the descriptions of the attack, including the one in their site.
I go into this in my post, but the issue is that the ability to encrypt modified messages they gain isn't the same as if they had the keys. Specifically it won't pass a signature check.
I can't really confirm it, but I strongly believe in poet.py they are actually using the scriptresource weakness to retrieve the web.config and thus the keys.
re bypassing the workaround as mentioned by Andy: wow, that's awful! its weird as aspxerrorpath is just supposed to be the page where the error occurred, shouldn't be impacting how the error is handled. I'll have to take a look :(
I wrote an HttpModule-based solution to the padding oracle exploit. The project is up at sws.codeplex.com and licensed under Apache 2. Right now, it's got 2 main features relating to the padding oracle expoit:
1) It stores FormsAuthenticationCookie and FormsAuthenticationTicket information on the server at the time the ticket is issued. It uses this information to strengthen ticket validation... a LOT. Even if your machine keys are compromised, nobody can create a FormsAuthenticationCookie that will pass validation.
2) It detects & prevents certain known padding oracle attack vectors (CryptographicException's on .axd requests) -- returns 200 codes where 404's or 500's are expected & introduces delays to the response.
sws.codeplex.com / www.sholo.net for more info
-Scott
Freddy, thanks for the feedback and I enjoyed reading the info in your post. I guess at this stage we can't do much more than speculate about precisely what's happening inside the POET example. I'm not sure whether or not maliciously encrypted data would pass a signature check, but certainly the ability to create new ciphertext accepted by the app at will appears to be there.
You're probably already aware of this, but for the aspxerrorpath=breakme issue, Scott Guthrie posted a solution:
--------------------------------------
Install and Enable IIS URLScan with a Custom Rule
If you do not already have the IIS URLScan module installed on your IIS web server, please download and install it (links removed - see his blog).
It takes less than a minute to install on your server.
Add an Addition URL Scan Rule
Once URLScan is installed, please open and modify the UrlScan.ini file in this location:
* %windir%\system32\inetsrv\urlscan\UrlScan.ini
Near the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences] section. Add an additional “aspxerrorpath=” entry immediately below it and then save the file:
[DenyQueryStringSequences]
aspxerrorpath=
The above entry disallows URLs that have an “aspxerrorpath=” querystring attribute from making their way to ASP.NET applications, and will instead cause the web-server to return an HTTP error. Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.
After saving this change, run “iisreset” from a command prompt (elevated as admin) for the above changes to take effect. To verify the change has been made, try accessing a URL on your site/application that has a querystring with an aspxerrorpath and verify that an HTTP error is sent back from IIS.
Thanks Kirk, yeah, I saw this pop up on Saturday. One more thing to add to the list!
Something that did worry me a little when this advice first came up was the potential broader ramifications to any apps running on the machine. Earlier today Phil Haack made a post which I think is a good cautionary tale: UrlScan Broke My Blog: http://haacked.com/archive/2010/09/26/url-scan-broke-my-blog.aspx
IMHO, this is not an "install and forget" process. A bit more diligence will be required.
I have added the UrlTokenEncoder / Decoder to Padbuster. I also published a post on our blog to better explain the 404 vs 500 issue in .NET Ajax handlers.
http://blog.mindedsecurity.com/2010/09/investigating-net-padding-oracle.html
Just read your post Giorgio, really interesting info and helps dispel some myths about what's happening under the covers. Great work!
Hi all, this is a fast update to the previous post. Here I'll try to explain in detail how the attack work, for downloading files remotely:
http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
Giorgio
Just read your post Giorgio, really interesting info and helps dispel some myths about what's happening under the covers. Great work!
You're probably already aware of this, but for the aspxerrorpath=breakme issue, Scott Guthrie posted a solution:
--------------------------------------
Install and Enable IIS URLScan with a Custom Rule
If you do not already have the IIS URLScan module installed on your IIS web server, please download and install it (links removed - see his blog).
It takes less than a minute to install on your server.
Add an Addition URL Scan Rule
Once URLScan is installed, please open and modify the UrlScan.ini file in this location:
* %windir%\system32\inetsrv\urlscan\UrlScan.ini
Near the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences] section. Add an additional “aspxerrorpath=” entry immediately below it and then save the file:
[DenyQueryStringSequences]
aspxerrorpath=
The above entry disallows URLs that have an “aspxerrorpath=” querystring attribute from making their way to ASP.NET applications, and will instead cause the web-server to return an HTTP error. Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.
After saving this change, run “iisreset” from a command prompt (elevated as admin) for the above changes to take effect. To verify the change has been made, try accessing a URL on your site/application that has a querystring with an aspxerrorpath and verify that an HTTP error is sent back from IIS.
I wrote an HttpModule-based solution to the padding oracle exploit. The project is up at sws.codeplex.com and licensed under Apache 2. Right now, it's got 2 main features relating to the padding oracle expoit:
1) It stores FormsAuthenticationCookie and FormsAuthenticationTicket information on the server at the time the ticket is issued. It uses this information to strengthen ticket validation... a LOT. Even if your machine keys are compromised, nobody can create a FormsAuthenticationCookie that will pass validation.
2) It detects & prevents certain known padding oracle attack vectors (CryptographicException's on .axd requests) -- returns 200 codes where 404's or 500's are expected & introduces delays to the response.
sws.codeplex.com / www.sholo.net for more info
-Scott
Returning a 200 status code instead of the proper code (500/404/etc) will cause SEO problems.
Interesting point, although will that only be an issue in contexts where an error is thrown? Is the worst case that a page may be indexed in its' error state rather than when displaying the intended content?
I think that the worst case scenario would be having all 404s indexed as actual content on a given site. This could have negative effects on ranking since the site might be seen as having massive amounts of duplicate content. While it isn't great if the page throws a 500 while being indexed the page needs to at least inform the crawler that an error has occurred.
For this particular issue is there a specific exception type that is thrown? If so then the error page could set 200 for this particular attack and a proper status code for all other errors.
Now that we're 18 months down the road from the original issue and everyone should be patched, those response codes really aren't an issue any more in terms of the original vulnerability.
Incidentally, there's a good read about configuring SEO friendly error pages in ASP.NET here: http://forums.asp.net/t/1563128.aspx
Post a Comment