Thread: Vulnerability in ASP.NET Could Allow Information Disclosure

  1. #1
    Security Researcher fb1h2s

    Vulnerability in ASP.NET Could Allow Information Disclosure

    Microsoft ASP.NET data leakage, bug Details and Exploit Scanner code


    Affected software -
    http://www.microsoft.com/technet/sec...y/2416728.mspx
    Technical Details on MS blog:
    http://blogs.technet.com/b/srd/archive/2010/09.aspx

    The attack is similar to a padding oracle attack, and an attacker could get sensitive files like web.config.
    Hacking Is a Matter of Time Knowledge and Patience

  2. #2
    Security Researcher fb1h2s

    Scan for affected software. VBS code

    Code:
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    '  DetectCustomErrorsDisabled.vbs Script
    '  Version 3.1
    '  
    '  This script will help detect vulnerable configuration for the Padding Oracle 
    '  ASP.Net vulnerability documented in MS advisory 2416728.
    '  
    '  http://www.microsoft.com/technet/security/advisory/2416728.mspx
    '  
    '  Usage: 
    '      cscript DetectCustomErrorsDisabled.vbs [RemoteServerName] 
    '
    '  NOTE: THIS SCRIPT USES THE FILESYSTEM AND SHELL OBJECT AND SHOULD BE
    '       RUN AS AN ADMINISTRATOR
    '
    '  The script works by enumerating all web.config and assessing if the 
    '  side-channel leak for the padding oracle vulnerability is mitigated by the 
    '  use of homogenizing custom error responses from ASP.Net applications. 
    '  
    '  Note: On IIS 7 servers, this script requires IIS6 compatibility mode to be
    '  installed.
    '  
    '  More information on: http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
    '  
    '  Version History:
    '  1.0 - Initial version
    '  2.0 - Added additional checks for app/site root config
    '  3.0 - Added error validation for XML parsing and path checks
    '  3.1 - Added check for missing root web.config
    ' 
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    OPTION EXPLICIT
    ON ERROR RESUME NEXT
    DIM strServer
    DIM objWebService, objWebServer, objDir, objFileSys
    DIM physicalPath, dir, xmlDoc, nodeList, node, ret
    DIM configFile, configFilePath, configLine
    DIM childNodes, ErrPage500, ErrPage404, errFound
    DIM index, errCount
    
    strServer = "localhost"
    
    
    ' Parse command line input
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    IF WScript.Arguments.Length=1 THEN
        strServer = WScript.Arguments( 0 )
    END IF
    
    IF WScript.Arguments.Length>1 THEN
        WScript.Echo "Illegal number of arguments"
        WScript.Echo "Usage: cscript.exe DetectCustomErrorsDisabled.vbs [RemoteServerName]"
        WScript.Quit( 1 )
    END IF
    
    ' Initializations
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    SET objFileSys = CreateObject("Scripting.FileSystemObject")
    SET objWebService = GetObject( "IIS://" & strServer & "/W3SVC" )
    IF Err <> 0 THEN
        WScript.Echo "Could not find IIS ADSI object. Make sure you have IIS and IIS6 management compatibility installed."
        WScript.Quit (1)
    END IF
    SET xmlDoc = CreateObject("Microsoft.XMLDOM")
    
    IF IsNull(objFileSys) THEN
        WScript.Echo "Failed to create FileSystemObject. Please run script as Admin."
        WScript.Quit (1)
    END IF
    
    IF IsNull(objWebService) THEN
        WScript.Echo "Failed to connect to IIS ADSI provider. Make sure you have IIS6 "_
        + "management compatibility role service installed."
        WScript.Quit (1)
    END IF
    
    WScript.Echo("Enumerating possible paths with ASP.Net configuration that have" _
        +" custom errors turned off.")    
    WScript.Echo ("")    
    
    
    ' Search web server for unsafe configuration
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    FindASPNetConfig(objWebService)
    
    
    ' Search all paths on web server for possible web.config  files.
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    SUB FindASPNetConfig(WebService)
    
        FOR EACH objWebServer IN WebService
            IF objWebserver.Class = "IIsWebServer" THEN
                EnumDirectories(objWebServer)
            END IF
        NEXT
        
    END SUB
    
    ' Recursively go through vdirs and webdirs
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    SUB EnumDirectories(objDir)
        
        DIM objSubDir
        ' The first call to this is from IIsWebServer, so we can skip that
        FOR EACH objSubDir IN objDir
            IF (objSubDir.Class = "IIsWebVirtualDir") THEN
                GetPhysicalPaths(objSubDir)            
                EnumDirectories(objSubDir)          
            END IF
        NEXT	
        
    END SUB
    
    
    ' Get physical paths for web and virtual directories
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    SUB GetPhysicalPaths(objDir)
        
        physicalPath = objDir.Path
        CALL EnumWebConfig(physicalPath,1)
    
    END SUB
    
    
    ' Recursively search for web.config files.
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    SUB EnumWebConfig(Path,IsRoot)
    
        IF NOT objFileSys.FolderExists(Path) THEN 
            IF IsRoot THEN
                ' WScript.Echo Path & ": Site's disk path is incorrect and root web.config does not exist"
                WScript.Echo Path & ": ** Vulnerable configuration found **"
            END IF
            EXIT SUB
        END IF
    
        configFilePath = Path & "\web.config"
        IF objFileSys.FileExists(configFilePath) THEN 
            CALL ProcessWebConfig(configFilePath,IsRoot)
        ELSEIF IsRoot = 1 THEN
            ' WScript.Echo Path & ": Site or app root web.config does not exist"
             WScript.Echo Path & ": ** Vulnerable configuration found **"
        END IF
        
        FOR EACH dir IN objFileSys.GetFolder(Path).SubFolders
            CALL EnumWebConfig(dir.Path,0)
        NEXT
    
    END SUB
    
    ' Load one web.config and evaluate every customErrors section in it
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    SUB ProcessWebConfig(Path,IsRoot)
        xmlDoc.async="false"
        xmlDoc.load(Path)
        errFound = 0
        SET nodeList = xmlDoc.getElementsByTagName("customErrors")
    
        IF IsRoot = 1 AND nodeList.length = 0 THEN
            ' Root web.config does not set defaultRedirect, so this config should 
            ' have a customErrors section present with customErrors turned on and a 
            ' defaultRedirect present. Else this is a vulnerable configuration.
    	
            ' WScript.Echo path & ": Root web.config must have customErrors with defaultRedirect defined"
    
            errFound = errFound + 1
    
        ELSEIF IsRoot = 1 THEN
            ret = CheckRootCustomErrorsSection(nodeList, Path)
            errFound = errFound + ret
        END IF
    
        DIM count
    
        FOR count=0 TO nodeList.length-1
            ret = CheckCustomErrorsDisabled(nodeList.Item(count), Path)
    	    errFound = errFound + ret
            ret = CheckCustomErrorsAreHomogenous(nodeList.Item(count), Path)
    	    errFound = errFound + ret
        NEXT
                
        IF errFound > 0 THEN
            WScript.Echo Path & ": ** Vulnerable configuration found **"
        ELSE
            WScript.Echo Path & ": ok"
        END IF
    END SUB
    
    
    FUNCTION CheckRootCustomErrorsSection(xmlnodelist, path)
    
        errCount = 0
        FOR index=0 TO xmlnodeList.length-1
            ret = CheckRootCustomErrorsDisabled(xmlnodelist.Item(index), path)
    	    errCount = errCount + ret
        NEXT
    
        CheckRootCustomErrorsSection = errCount
    END FUNCTION
    
    
    FUNCTION CheckRootCustomErrorsDisabled(xmlnode, path)
        
        IF StrComp (LCase(xmlnode.getAttribute("mode")), "off") = 0 THEN
            ' WScript.Echo path & ": Custom Error disabled: " & xmlnode.xml
            CheckRootCustomErrorsDisabled = 1
            EXIT FUNCTION
        ELSEIF IsNull(xmlnode.getAttribute("defaultRedirect")) THEN
            ' WScript.Echo path & ": defaultRedirect not set: " & xmlnode.xml
            CheckRootCustomErrorsDisabled = 1
            EXIT FUNCTION
        ELSE
            CheckRootCustomErrorsDisabled = 0
        END IF
        
    END FUNCTION
    
    
    FUNCTION CheckCustomErrorsDisabled(xmlnode, path)
        IF StrComp (LCase(xmlnode.getAttribute("mode")), "off") = 0 THEN
            ' Unsafe config
            ' WScript.Echo path & ": Custom Error disabled: " & xmlnode.xml
            CheckCustomErrorsDisabled = 1
        ELSE
            CheckCustomErrorsDisabled = 0
        END IF
        
    END FUNCTION
    
    FUNCTION CheckCustomErrorsAreHomogenous(xmlnode, path)
        IF xmlnode.childNodes.length=0 AND len(xmlNode.getAttribute("defaultRedirect"))>0 THEN
    	    CheckCustomErrorsAreHomogenous = 0
            EXIT FUNCTION
        END IF
    
        SET childNodes = xmlnode.childNodes
    
        ErrPage404 = ""
        ErrPage500 = ""
    
        DIM count
        FOR count=0 TO childNodes.length-1
            CALL GetErrorPage(childNodes.Item(count))
        NEXT
    
        IF StrComp(ErrPage404,"") = 0 AND StrComp(ErrPage500,"") = 0 AND IsNull(xmlNode.getAttribute("defaultRedirect")) THEN
            ' Missing defaultRedirect in this case will cause config to be vulnerable
            'WScript.Echo path & ": missing defaulRedirect URL: " & xmlnode.xml
            CheckCustomErrorsAreHomogenous = 1
            EXIT FUNCTION
        ELSEIF StrComp(ErrPage404,"") = 0 AND StrComp(ErrPage500,"") <> 0 AND StrComp(ErrPage500, xmlNode.getAttribute("defaultRedirect")) <> 0 THEN
            'WScript.Echo path & ": 500 and default error pages differ: " & xmlnode.xml
            CheckCustomErrorsAreHomogenous = 1
            EXIT FUNCTION
        ELSEIF StrComp(ErrPage500,"") = 0 AND StrComp(ErrPage404,"") <> 0 AND StrComp(ErrPage404, xmlNode.getAttribute("defaultRedirect")) <> 0 THEN
            'WScript.Echo path & ": 404 and default error pages differ: " & xmlnode.xml
            CheckCustomErrorsAreHomogenous = 1
            EXIT FUNCTION
        ELSEIF StrComp(ErrPage404, ErrPage500) <> 0 THEN
            'WScript.Echo path & ": 404 and 500 error pages differ: " & xmlnode.xml
            CheckCustomErrorsAreHomogenous = 1
            EXIT FUNCTION
        ELSE 
            CheckCustomErrorsAreHomogenous = 0 
        END IF
    
    END FUNCTION
    
    SUB GetErrorPage(xmlnode)
        IF xmlnode.nodeType <> 1 THEN
            EXIT SUB
        ELSEIF IsNull(xmlnode.getAttribute("statusCode")) THEN
            'Do nothing.
        ELSEIF StrComp(xmlnode.getAttribute("statusCode"), "500") = 0 THEN
            ErrPage500 = xmlnode.getAttribute("redirect")
        ELSEIF StrComp(xmlnode.getAttribute("statusCode"), "404") = 0 THEN
            ErrPage404 = xmlnode.getAttribute("redirect")
        END IF
    
    END SUB
    Hacking Is a Matter of Time Knowledge and Patience
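
    The customErrors checks from the script above, ported to Python so they can be run over a web.config without IIS or ADSI. This is an added example, not part of the thread or of Microsoft's script; the function name and the two sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def audit_web_config(xml_text, is_root=True):
    """Return findings for one web.config; an empty list means it passes."""
    # Match on the local tag name so configs that declare an xmlns still work.
    nodes = [e for e in ET.fromstring(xml_text).iter()
             if e.tag.rsplit("}", 1)[-1] == "customErrors"]
    if is_root and not nodes:
        return ["root web.config has no <customErrors> section"]
    findings = []
    for node in nodes:
        default = node.get("defaultRedirect")
        if (node.get("mode") or "").lower() == "off":
            findings.append("customErrors mode is Off")
        elif is_root and default is None:
            findings.append("root customErrors has no defaultRedirect")
        # Like the script, only the 404 and 500 <error> children are compared.
        pages = {"404": "", "500": ""}
        for child in node:
            if child.get("statusCode") in pages:
                pages[child.get("statusCode")] = child.get("redirect") or ""
        # The script's four homogeneity branches reduce to these two conditions:
        # any difference between the 404 and 500 pages is a distinguishable
        # response, and with neither page set a defaultRedirect must exist.
        if pages["404"] != pages["500"]:
            findings.append("404 and 500 error pages differ")
        elif not pages["404"] and default is None:
            findings.append("no defaultRedirect and no 404/500 pages")
    return findings

# Constructed sample: a dedicated 404 page makes 404 and 500 responses differ.
WEAK = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html">
    <error statusCode="404" redirect="~/notfound.html"/>
  </customErrors>
</system.web></configuration>"""

# Constructed sample: every error is answered with the same page.
HARDENED = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html"/>
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_web_config(cfg) or "ok")
```

    As in the original script, a web.config below the application root is audited with is_root=False, so a missing customErrors section there is not reported.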

  3. #3
    Infosec Enthusiast AnArKI

    Demo of ASP.NET padding Oracle attack


  4. #4
    Hello anybody,
    I tried on a controlled target that has an Oracle Padding vulnerability.
    At first, in cmd I used padBuster.pl:
    C:\>perl padBuster.pl http://XXXXXXXXX/WebResource.axd?d=u...7ZaGkVm2BzhGs1 uhSDU7ho2oibQ9Krmxdt2aN3awdGe1TmctBbRjjSSCCOeWKQ2J 7duPZzqbwSs6sUiz4zHuexqeqC4vuIJFws-l3NGPCouF7ZaGkVm2BzhGs1 16 -encoding 3 -plaintext "|||~/web.config"


    It took more time than usual to get the code. Then, with web.config_bruter.pl, I wanted to get web.config and typed this command:

    perl web.config_bruter.pl http://XXXXXXXXX/ScriptResource.axd nyGnEeEpjRxnqjKdBdI_ZQAAAAAAAAAAAAAAAAAAAAA1 16

    But nothing happened. I waited for 6 hours but it didn't work.
    Where is my problem?
    One more thing: how can we understand the code block algorithm exactly = 8 bytes or 16 bytes or something else?

    Thanks so much for your attention,
    with kind regards,

  5. #5

    It looks like web.config_bruter.pl never returns...

    Quote Originally Posted by mk.h4ck3r View Post
    Yes, same here. I'm also running this web.config_bruter.pl for hours now and it doesn't seem to be frozen, nor does it seem to be doing anything... I'm getting sick of waiting. The process list says perl.exe is consuming nearly 20MB but I dunno when it will give back something. Please reply to this thread if you happen to succeed with it, so that I can also keep my fingers crossed and happily wait... Thanks.

  6. #6
    Garage Member
    Quote Originally Posted by AnArKI View Post
    IMHO, the padding oracle attack is one of the "cutest" attacks on Authenticated Encryption. I didn't know that ASP.NET is vulnerable to this though! Also, another thing about padding oracle is that it is not a cryptographic flaw but rather an implementation flaw!

  7. #7
    Garage Member
    Quote Originally Posted by mk.h4ck3r View Post
    Understand what padding oracle is all about, then write your own code. Or wait for max. 3 days; I might do a tutorial on padding oracle and this post will serve as my inspiration.

    Regards
