Two investigative hackers – or security researchers as they prefer to be known – presented a way to break Microsoft´s ASP.NET cookies-based security at an IT security conference held in Buenos Aires. Hundreds of thousands of sites might be at risk and the Vole is not pleased. Here are the details and reactions.
Ekoparty 2010 – Photo by Luiz Eduardo
Ekoparty – short for Electronic Knock Out Party – dubs itself as “Latin America’s most important security conference” and is held yearly in Buenos Aires. It includes hacking, 0day vulnerability disclosures, and this year even sessions on lock-picking and forensics. As its 6th edition came to pass, by Saturday noon after they got over the hangover, Twitter was already abuzz with references to this year’s presentations with many focusing on a newly disclosed 0-day vulnerability in Microsoft’s ASP.NET. We saw tons of jokes about why the DotNetNuke site was suddenly “down for maintenance”.
According to the Wackypedia, DotNetNuke has around 600,000 production web sites as of June 2010. However, the vulnerability they discovered affects not only DotNetNuke but any ASP.NET application that relies on encrypted cookies for authenticating users.
Technically an “oracle padding attack”, it uses repeated requests to a web server and examines answers trying to obtain the encryption key used to encrypt those cookies. EyeSee – Database giant Oracle has nothing to do with this, no databases are involved, oracle is used in the traditional meaning of the word.
The Redmond juggernaut is not happy about not being notified earlier of this vulnerability as is customary in the IT field. The firm released a security advisory tech note where it acknowledges: “An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server.”
Microsoft says the vulnerability affects dot-Not versions 1.0, 1.1, 2.0, 3.5, and 4.0 on Windows XP, XP64, Server 2003, Vista, Server 2008, Server 2008 R2, and Windows 7, all in 32-bit and 64-bit versions.
For a nice in-depth discussion of this exploit and vulnerability you can read this thread at Ycombinator.com.
Basically, pundits confirm that this “allows you to encrypt new cookies” and that since the default authenticated cookies for ASP.NET forms authorization is a username, “you can effectively make ASP.NET think you’re logged in as whoever you want.”
Another commenter jumps in to say: “These platforms — .NET, JSF, Rails, Django included — provide functionality that stores encrypted information client-side. When that functionality is broken, it’s a platform-level security flaw.”
The thread, full of interesting comments is here.
Another interesting discussion of the implications can be found at Reddit.com over here. User Blackaura reminds everyone why it’s a good idea not to trust information in cookies, even if the data is encrypted: “You should NEVER store sensitive information in a cookie. NEVER. It doesn’t matter that it’s encrypted”.
He added: “Having encrypted cookies encourages developers to put sensitive information in a cookie, because they see that it’s encrypted, and assume that it’s safe.”
Here is the presentation video, feel free to mute your speakers.
Who’s to blame?
But the two geeks – one of them a security boffin – doing the presentation were Julián Rizzo from Argentina and Thai Duong from Vietnam. Rizzo lives in Buenos Aires and founded Netifera along with two associates, as well as an open source project designed for creating easily portable network security tools.
Duong is a math whiz kid from Vietnam who describes himself as liking “math, cryptography, and vulnerabilities development”. Rizzo and Duong can be found on Twitter under the user names @julianor and @thaidn, respectively.
Reactions and ethical debate
Some questioned the alleged distribution of the exploit tool by throwing three pen drives into the audience. In the comments of the presentation video uploaded to Youtube, a user says: “Is it true that you guys threw USB keys out into the audience containing this, before giving MS a chance to respond? The internet.. as a whole… hates you.”
And user i2oc said: “Given the inappropriate disclosure of the vulnerability it’s probably not advisable to share this type of content until the vendor has had an opportunity to respond appropriately.”
Earlier this year, Google security boffin Tavis Ormandy sent details to a mailing list about a zero-day WinXP vulnerability he had discovered only five days after notifying the firm, and others in the IT security trade went after him for not giving the Microsoft juggernaut enough time to fix it.
Graham Cluley, Senior Technology Consultant at IT security firm Sophos said at the time: “Five days notice for Microsoft to fix the problem hardly seems like a reasonable amount of time to me” and that Microsoft would have preferred to fix it “behind closed doors, without exploit code circulating in the wild”.
He said at the time that the Google engineer did not act responsibly.
Andrew Storms from nCircle Security told Computerworld’s Gregg Keizer that security researchers usually go public when vendors are sitting on their hands. This is to force them to act on the matter – but with this incident back in June, this was not the case and going public just days after disclosure was “no better than not reporting it”.
How to fix?
There is no official fix yet. However, Microsoft’s Scott Guthrie posted a work-around in his blog “to prevent attackers from using this vulnerability against your ASP.NET applications” making it clear that it’s not DotNetNuke but all ASP apps which are at risk.
And Subodh Shakya also posted a work-around for DotNetNuke the same day.
Ekoparty offered presentations on lock picking, wardriving in Buenos Aires, digital art, hacks and exploits, forensics and more importantly, an opportunity for people to network. Are these guys evil?. Nah – they just want to improve their knowledge and skillset and get some free publicity to boot.
While writing this, this scribbler found that five years ago, another .NET security researcher Dinis Cruz dubbed .NET and IIS – for different reasons – “Insecure by design” and said he was “truly disappointed with Microsoft’s attitude to ASP.NET security and the willingness to NOT look/discuss/acknowledge anything that doesn’t fit the current definition of ‘insecure software’.”
Microsoft has a pretty shaky track record on security. Nine years ago, the FBI put Internet Information Server at the top of the list as the most vulnerable. And influential consultancy firm Gartner went as far the same year as recommending firms drop IIS.
The next year, Microsoft´s founder and Chief Head Honcho fired a missive to its employees saying that the company should put an emphasis on security.
In short: apparently the internet is not just for porn – with these two individuals from Argentina and Vietnam, the Axis of Evil has just widened.