Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks

from [H D Moore] Network Security [Permanent Link]
Subject: Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks
Date: Tue, 3 May 2005 10:53:58 -0500 
Comments are inline.

On Tuesday 03 May 2005 08:38, Michal Zalewski wrote:

The data is by *typically* stored on client side as base64-encoded,
hidden POST form field. By default, the field is protected from
tampering by being "signed" using SHA1 with machine-specific key


On most deployments, the machine-specific key is regenerated after a 
certain period, so the replay window is limited. On cluster deployments, 
this can be a serious problem, depending on what is stored in the 
ViewState. Web server clusters often share a manually set machineKey 
value and I have yet to see a code base where the cluster machineKey is 
updated on a regular basis. 


Because information from controls such as DataGrid is by default
"cached" in __VIEWSTATE, enabling the user to tamper with this data
would allow for modifying item ID and price data in ASP.NET online
shops, for example. This possibility is discussed by Microsoft and
others, with the conclusion that SHA1/MD5 signing prevents it, and
hence it is safe to rely on __VIEWSTATE cached data in that regard:

[ snip ]

Storing and then trusting database fields retrieved from user, even
with SHA1 validation, may send shivers down any infosec guy's or gal's
spine, but that's the way it'd seem to be done:


This is common practice in the financial services applications -- many 
cash management and online banking systems rely on the ViewState to 
protect internal database IDs. Assuming that the hashing method is secure 
and the key is not bruteforcable within the available window, it puts 
code auditing into a new and somewhat frightening perspective (in some 
cases, you CAN trust external input).


  1) Injection-through-replay scenarios are still available.

     "Signed" __VIEWSTATE is replayable for the system or cluster that
     generated it, for that specific .aspx script:


Only within the window that the same machineKey is valid, but you can 
always go generate it again.


     b) Since there appears to be no expiration mechanism, user may
keep __VIEWSTATE data and reuse it after availability, pricing, or
other parameters of items or settings has changed, or ability to access
certain information has been restricted, effectively obtaining a
"backdoor" of sorts.


The VSPageID may prevent replay attacks, but I have not tested this. 
Expiration usually occurs on reboot or within a certain period of time 
(24 hours maybe, it has been a while since I tested this).


     c) The attacker may obtain __VIEWSTATE after entering dangerous or
        offensive contents or view settings within his session (some of
which may be not immediately visible), then redirect third parties
through a webpage with a specific __VIEWSTATE parameter to expose them
to that contents, or to impose these settings upon that viewer.


This is a problem with many client-side data storage/validation systems 
and can usually be fixed at the page-level in the application. 


  2) When NOT signed, resource starvation due to __VIEWSTATE complexity
is possible.


When NOT signed, you can cause havok with all sorts of things. There are a 
dozen different ways to trigger exceptions within the managed code, so 
far I haven't found anything exploitable beyond a DoS. ViewStateMac has 
been enabled by default since the second beta release iirc.


Possible mitigation method for problem #1: include secure session ID
within __VIEWSTATE data, correlate with existing session control data,
or validate and expire appropriately; or sacrifice storage and keep
this data on server.



Mitigation method for problem #2: sacrifice CPU cycles to always
validate data; or store on server.


Encrypting the ViewState can prevent or delay some of these attacks -- the 
ViewStateUserKey (salt) may also be useful, if changed by the application 
on a frequent basis.


Cheers,
Michal Zalewski
SotW plug: http://lcamtuf.coredump.cx/silence/


Excellent work as usual :-) I recommend Silence on the Wire for anyone has 
grown tired of the standard "Hacking Decomposed" style of security books.

-HD

PS. Attached is an old perl script for prodding ASP.Net applications. It 
can quickly check for ViewStateMac and a few other security settings. It 
was designed for ASP.Net 1.0, but still turns up some fun things once in 
a while (trace.axd, etc).

Attachment: dnascan.pl.gz
Description: GNU Zip compressed data

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] Port 1025 netvenuechat, Sherwyn Williams
Next by Date:  [Full-disclosure] KSpynix ::: the Unix version of KSpyware? (Proof Of Concept), khaalel
Previous by Thread:  ASP.NET __VIEWSTATE crypto validation prone to replay attacks, Michal Zalewski
Next by Thread:  [VulnWatch] Microsoft Windows Image Rendering Memory Limit DoS, Luis A. Cortes Zavala
Indexes:  [Date] [Thread] [Top] [All Lists]