This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
ASP.NET POET Vulnerability
From OWASP
This page contains details about the ASP.NET POET vulnerability disclosed on 2010-09-17. This vulnerability exists in all versions of ASP.NET (all versions released through 2010-09-18). As of 2010-09-20, there is no fix available to resolve the vulnerability; in the meantime, Microsoft strongly urges all ASP.NET deployments perform the recommended workaround to mitigate the vulnerability in the short-term.
Advisory
- Microsoft Security Advisory (2416728) : http://www.microsoft.com/technet/security/advisory/2416728.mspx
Recommended Fixes
- Microsoft Official Fix: http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx
Not recommended Fixes (via web.config change)
- Important: ASP.NET Security Vulnerability (ScottGu's blog) http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
- DotNetNuke ASP.NET Security Vulnerability Fix: http://www.subodh.com/Blog/PostID/116/DotNetNuke-ASP-NET-Security-Vulnerability-Fix
Why we do not recommend these workarounds
- ["T" exploit 200 vs 404 response status]: http://www.gdssecurity.com/l/b/2010/10/04/padbuster-v0-3-and-the-net-padding-oracle-attack/
- ["T" exploit attack]: http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
Blogs, News, Articles
- Understanding the ASP.NET Vulnerability: http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
- ASP.NET POET Vulnerability - What Else Can I Do? http://pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/
- Automated Padding Oracle Attacks with PadBuster http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
- Microsoft investigating ASP.NET vulnerabilities - http://www.thetechherald.com/article.php/201038/6170/Microsoft-investigating-ASP-NET-vulnerabilities
- Security researchers 'destroy' Microsoft ASP.NET security http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security
- Argentina joins Axis of Evil with zero day ASP.NET exploit http://www.techeye.net/security/argentina-joins-axis-of-evil-with-zero-day-asp-net-exploit
- Padding Oracle Exploit Tool http://netifera.com/research/
- Video demonstration of using POET tool to attack vulnerable ASP.NET deployment http://www.youtube.com/watch?v=yghiC_U2RaM
- Google Search: http://www.google.co.uk/search?q=ASP.NET+vulnerability
File Access Exploits
- Webconfig_Bruter (first public exploit for file downloading): http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
- Padbuster v0.3 can now download Web.config and much more: http://www.gdssecurity.com/l/b/2010/10/04/padbuster-v0-3-and-the-net-padding-oracle-attack/
discussion Threads
- Security researchers 'destroy' Microsoft ASP.NET security http://news.ycombinator.com/item?id=1701502
- Quite serious security hole in ASP.NET discovered: http://www.reddit.com/r/programming/comments/df72k/quite_serious_security_hole_in_aspnet_discovered
