
POET vs ASP.NET: DotNetNuke

In this video we show how to use POET to attack the latest version of ASP.NET. The target application is DotNetNuke. The attack consists of two phases:

1. In the first phase, we use POET to extract DotNetNuke's secret keys, and use those keys to generate a cookie to login as a super user. The same technique can be used to attack _every_ ASP.NET application.

2. In the second phase, we use Cesar Cerrudo's Token Kidnapping attack to gain SYSTEM privilege on the Windows server hosting DotNetNuke.

This research was done by Thai Duong and Juliano Rizzo. More information can be found at http://netifera.com/research.

See this link from MICROSOFT: http://www.microsoft.com/technet/security/advisory/2416728.mspx

Actually the Python utility is not available ... (sniff) ... the only version to be found is one adapted to a JAVA flaw for getting past captchas

The script for exploiting the flaw is called poet.py ... no reference anywhere :-(

More detail: http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/ >> along the way we discover a tool .. PADBUSTER.PL (you have to be registered to download it).

Two security researchers, Thai Duong and Juliano Rizzo, have discovered a bug in the default encryption mechanism used to protect the cookies normally used to implement Forms Authentication in ASP.NET. Using their tool (the Padding Oracle Exploit Tool or POET), they can repeatedly modify an ASP.NET Forms Authentication cookie encrypted using AES and, by examining the errors returned, determine the Machine Key used to encrypt the cookie. The process is claimed to be 100 percent reliable and takes between 30 and 50 minutes for any site.

Once the Machine Key is determined, attackers can create bogus forms authentication cookies. If site designers have chosen the option to embed role information in the security cookie, then attackers could arbitrarily assign themselves to administrator roles. This exposure also affects other membership provider features, spoofing protection on the ViewState, and encrypted information that might be stored in cookies or otherwise be made available at the client.

While the exposure is both wide and immediate, the fix is simple. The hack exploits a bug in .NET's implementation of AES encryption. The solution is to switch to one of the other encryption mechanisms -- to 3DES, for instance. Since encryption for the membership and roles providers is handled by ASP.NET, no modification of existing code should be required for Forms Authentication.

The encryption method can be set in the web.config file for a site, in IIS 7 for a Web server, or in the config file for .NET on a server in %SYSTEMROOT%\Microsoft.NET\Framework\version\CONFIG\. On 64-bit systems, it must also be set in %SYSTEMROOT%\Microsoft.NET\Framework64\version\CONFIG\. A typical entry would look like this:

<machineKey validationKey="AutoGenerate,IsolateApps"
decryption="3DES" />
On a Web farm, this setting will have to be made on all the servers in the farm.

These settings are also used to prevent spoofing (ViewState data is encoded but not encrypted), so making this change will also switch the ViewState to using 3DES. Developers who are using AES in their code to encrypt information made available at the client should consider modifying their code to use a different encryption mechanism.

Duong and Rizzo intend to provide more information at the ekoparty Security Conference on Friday, Sept. 17 in Buenos Aires.
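The following is an added example, not code from the video, the article or Duong and Rizzo's tool: a minimal Python model of why a decryption path that reveals padding failures is an oracle, beside the encrypt-then-MAC check that removes it. It assumes a toy HMAC-based Feistel cipher in place of AES and an HMAC-SHA256 tag over the cookie; neither is .NET's own implementation.

```python
import hashlib, hmac
BLOCK = 16  # 16-byte blocks, as with AES

_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
def _feistel(key, blk, rounds):
    # Toy 4-round Feistel cipher standing in for AES (assumption, so this runs on the
    # standard library only); decryption is the same rounds in reverse order.
    l, r = blk[:8], blk[8:]
    for rnd in rounds:
        l, r = r, _xor(l, hmac.new(key, bytes([rnd]) + r, hashlib.sha256).digest()[:8])
    return r + l

def pad(data):  # PKCS#7 padding for CBC
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = _feistel(key, _xor(pt[i:i + BLOCK], prev), range(4))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(_feistel(key, c, reversed(range(4))), p) for p, c in zip([iv] + blocks, blocks))

def make_cookie(enc_key, mac_key, iv, plaintext):
    body = iv + cbc_encrypt(enc_key, iv, pad(plaintext))  # encrypt-then-MAC layout:
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()  # iv || ct || tag

def vulnerable_server(enc_key, cookie):
    # Ignores the tag and decrypts first: a tampered cookie is either accepted or
    # rejected for bad padding, and that visible difference is the padding oracle.
    body = cookie[:-32]
    try:
        unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))
        return "ok"
    except ValueError:
        return "padding error"

def hardened_server(enc_key, mac_key, cookie):
    # Verifies the tag in constant time before decrypting anything, so every
    # tampered cookie gets the same generic "invalid" and padding never leaks.
    body, tag = cookie[:-32], cookie[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return "invalid"
    unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))  # cannot fail on a genuine cookie
    return "ok"
```

Flipping one byte of the IV or ciphertext makes the vulnerable path answer "ok" or "padding error" depending on where the flip lands, while the hardened path answers "invalid" in every case.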

The coders' site:


The utility at work ... but on a JAVA captcha
Without waiting for the next Patch Tuesday, Microsoft is bringing forward the release of a fix to close a vulnerability in ASP.NET.

security bulletin MS10-070,
