New Attack Against ASP.NET
It’s serious:
The problem lies in the way that ASP.NET, Microsoft’s popular Web framework, implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions. A common mistake is to assume that encryption protects the cookies from tampering so that if any data in the cookie is modified, the cookie will not decrypt correctly. However, there are a lot of ways to make mistakes in crypto implementations, and when crypto breaks, it usually breaks badly.
“We knew ASP.NET was vulnerable to our attack several months ago, but we didn’t know how serious it is until a couple of weeks ago. It turns out that the vulnerability in ASP.NET is the most critical amongst other frameworks. In short, it totally destroys ASP.NET security,” said Thai Duong, who along with Juliano Rizzo, developed the attack against ASP.NET.
Here’s a demo of the attack, and the Microsoft Security Advisory. More articles. The theory behind this attack is here.
EDITED TO ADD (9/27): Three blog posts from Scott Guthrie.
EDITED TO ADD (9/28): There’s a patch.
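The quoted point above, that encryption alone does not make a cookie tamper-evident, can be seen with AES-CBC directly. This is an added example, not code from this post, the researchers or ASP.NET; the keys, cookie contents and function names are constructed for illustration and it uses only Node.js's built-in crypto module.

```javascript
const crypto = require('crypto');

const encKey = crypto.randomBytes(16); // AES-128 key (constructed for the example)
const macKey = crypto.randomBytes(32); // separate HMAC key (constructed for the example)

// Encryption only: IV || AES-128-CBC(plaintext). Nothing here detects modification.
function encryptOnly(plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-128-cbc', encKey, iv);
  return Buffer.concat([iv, c.update(plaintext, 'utf8'), c.final()]);
}

function decryptOnly(cookie) {
  const d = crypto.createDecipheriv('aes-128-cbc', encKey, cookie.subarray(0, 16));
  return Buffer.concat([d.update(cookie.subarray(16)), d.final()]).toString('utf8');
}

// Encrypt-then-MAC: append HMAC-SHA256 computed over IV || ciphertext.
function seal(plaintext) {
  const body = encryptOnly(plaintext);
  const tag = crypto.createHmac('sha256', macKey).update(body).digest();
  return Buffer.concat([body, tag]);
}

// Check the tag in constant time before any decryption; every failure returns null.
function open(cookie) {
  if (cookie.length < 16 + 16 + 32) return null; // IV + one block + tag
  const body = cookie.subarray(0, cookie.length - 32);
  const tag = cookie.subarray(cookie.length - 32);
  const expected = crypto.createHmac('sha256', macKey).update(body).digest();
  if (!crypto.timingSafeEqual(tag, expected)) return null;
  return decryptOnly(body);
}

// Simulated tampering: flip one bit of IV byte 5. In CBC this flips the same
// bit of plaintext byte 5 and leaves the padding untouched.
function flipIvBit(cookie) {
  const t = Buffer.from(cookie); // copy, so the original stays intact
  t[5] ^= 0x01;
  return t;
}

const plain = 'role=user;id=42'; // constructed cookie contents
console.log(decryptOnly(flipIvBit(encryptOnly(plain)))); // decrypts without error, contents changed
console.log(open(flipIvBit(seal(plain))));               // rejected before decryption
```

The encryption-only cookie decrypts cleanly after modification, while the sealed cookie is rejected with one uniform failure before the ciphertext is ever processed.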
vnskx • September 27, 2010 7:43 AM
Really cool demo of POET against JavaServer Faces, decrypting byte by byte:
http://www.youtube.com/watch?v=euujmKDxmC4
Original paper USENIX WOOT’10 and slides:
http://netifera.com/research/