Bookmark and Share BitCoin Donate: 13t8gAWVpHP2ddxMp88d1NFpZjnFJC6UwK

.Net padding oracle exploitation

Investigating .NET Padding Oracle Exploitation with padBusterdotnet

Everyone in the security industry has crashed into the amazing research of T. Duong and J. Rizzo of Netifera Security named Padding Oracle Attacks. This research hit the media again some days ago because also Microsoft .NET Framework was found extremely vulnerable to it.

Some tools have been released to perform this particular attack, but no public tools at the moment work with .NET Ajax Framework as shown in the original .NET exploit video at Ekoparty conference.

To better clarify how this exploit originally worked, we spent some days in our labs studying the .NET Ajax libraries. We also started from the beautiful Padbuster tool coded by Brian Holyfield of Gotham Digital Science and we added some features in order to work with WebResource.axd and ScriptResource.axd .NET Handlers. We have created a tool called PadBusterdotnet.

Important Update: I'm happy that the publication of our mods, which were the first this morning, speeded up the publication of different private tools. Now Gotham Digital Science security has just released the new version of Padbuster (v0.2) which supports Net UrlToken Encoder/Decoder check it here.

Update 04/10/2010:  Today Padbuster v0.3 now supports attacks against .NET applications to download files from the webroot. The attack for downloading Web.config is similar to the first attack we published two days ago, but it adds several important features to it. We suggest to read it! 

How does Padbusterdotnet work

Padbusterdotnet is very similar to the original Padbuster. The main difference is that  it uses a re-implemented version of Microsoft UrlTokenEncoder() and UrlTokenDecoder() functions. It also does not Urlescape() parameters by deafult.

How does Padbusterdotnet applies to .NET Ajax Handlers

Microsoft Ajax Handlers are publicly exposed by default and accept encrypted strings of data which are NOT signed. This means that could be possible to perform byte by byte substitutions from an original string and check response errors for guessing intermediate values.

The following is a command line practical example:
n0def@holycow:~/n0def$ ./padBusterdotnet.pl http://127.0.0.1:8083/HacmeBank_v2_WebSite/ScriptResource.axd?d=qMO75zQ9ISgn3xx5rRdJSy7gggYrjYwjnIPlXPs84bc1 qMO75zQ9ISgn3xx5rRdJSy7gggYrjYwjnIPlXPs84bc1 16
Where:
./padBusterdotnet.pl ScriptResourceUrl EncryptedSample BlockSize

Which handler should I use? Webresource.axd vs Scriptresource.axd

Webresource.axd and Scriptresource.axd are very similar, except the fact that they have a different error handling code. So, if "customerrors = off" both handlers are practically the same.

Update 2/10/10: If "customerrors = ON" and 404 pages are handled differently from 500 pages, you should use WebResource.axd (Note: This is good for  both Framework 2.0 - With Ajax 1.0 and for framework 3.5 Sp1). To abuse the padding Oracle with "Customerrors = ON" you need to use WebResource.axd with valid "d" encrypted data as prefix. "d" parameter to be valid for WebResource handler must contain at least a single pipe char "|" after decryption. In short terms use the tool with "-prefix" option. This was the approach used initially in the original attack video (POET vs .NET).

Update 3/10/2010: if you use the "T exploit" and remote site is running framework 3.5 Sp1 or above, you just need to bruteforce the first block with average 150 requests to decrypt any message. And you need to check just for 200 status codes. More info on the "T" block exploit.   

Update 4/10/2010 More info on 200 vs 404 Status codes: Padbuster v0.3 and .NET attacks. This approach is more efficient because it uses the infamous "T" block for abusing the Padding Oracle.

To make things more complex (:D) the code of ScriptResource.axd was heavily modified during years. That's why we suggest to use all the approaches described above in this section to have the Padding Oracle speaking.

In framework 2.0 with Ajax 1.0 extensions the pseudo error handling routine in ScriptResource.axd is:
{
string strx;
string str = queryString["d"];
...
try
{
str2 = DecryptString(str);
}
catch(CryptographicException exception)
{
    throw 404(exception);
}
return strx;
}
As you can see from the previous code Crypto errors are handled as 404 errors; application errors will be spawn as 500 error codes. . 

In framework 3.5 sp1 and above ScriptResource.axd has an even different error handling routine. Pseudo code is:
{
string strx;
string str = queryString["d"];
...
try
{
str2 = DecryptString(str);
}
catch(exception)
{
    throw 404(exception);
}
return strx;
}
All errors are 404 exception and the Padding Oracle is turned off if you do not use a "T" block as prefix.


How to check if my site is vulnerable?

To check if your site is vulnerable make the following requests:
Update... Patches are now available: Official Microsoft Patches  ! Now workarounds can be easily bypassed1 or easily bypassed2. Check if patches are installed as Juliano Rizzo suggests here: check if MAC signature is present, if not, you are still vulnerable!
Update... Try the following script (thanks to Bernardo Damele for testing it accurately!): Check Patch
How to download Web.config from the virtual path?

 This feature is available through ScriptResource.axd only in .NET Framework 3.5 Sp1 and above (Framework 2.0 cannot be abused in this way). You should issue a particular string - "R|~/Web.config" - correctly encrypted using Padbusterdotnet tool.

If you are interested in how to download Web.config remotely with Padbuster or Padbusterdotnet, read:
Breaking dot.net encryption With or Without a Padding Oracle