Microsoft released their out of band release to fix the security flaw in ASP.NET the yesterday.
What methods did Microsoft use to end the viability of this vector?
+11
A:
A great summary of the changes comes from http://musingmarc.blogspot.com/2010/09/ms10-070-post-mortem-analysis-of-patch.html
- Don't leak exception information - This prevents exploits from seeing what is broken.
- Don't short-circuit on padding checks (take the same amount of time for padding correct verses padding broken) - This prevents exploits from seeing timing difference for incorrect padding.
- Don't be too picky about exception catching in IHttpHandler.ProcessRequest - This prevents exploits from seeing that you caught one kind of exception (CryptographicException) instead of all exceptions.
- Switch from Hash-based initialization vectors to Random IVs - This prevents exploits from using the relationship between the data and the hash to decrypt faster.
- Allow for backward compatibility - In case this breaks something, allow the new behavior to be reverted in-part.
- When doing a code review pass, change to make it clear you've considered the new options.
Aaron D
2010-09-29 17:24:55
+1 nice detailed info, added an answer about what I consider to be the main fix.
eglasius
2010-09-29 18:01:46
Too bad I didn't think to look here and post my blog answer first :)
IDisposable
2010-09-29 18:43:00
@IDisposable you should ... I prefer to upvote the author
eglasius
2010-09-29 19:02:48
@eglaius No, you did the service of watching these questions and posting my answer, and you attributed it to me... that makes you the hero :)
IDisposable
2010-09-29 19:23:30
@IDisposable good point of view ps. It was @Aaron who did that :P
eglasius
2010-09-29 19:47:56
+2
A:
The main: sign any encrypted data that is sent to the browser. This prevents messing with the values like the attack did to gain information on valid vs. invalid padding i.e. since the signature won't match in all those cases.
Its important to note, the hole in webresource and scriptresource that allowed files retrieval shouldn't have happened. Simple encryption alone isn't meant to tamper proof. In other words, it wasn't an oversight of an advanced scenario like the rest of the padding oracle attack (which still relied on the same fact, sending back modified encrypted data to the app with no tamper proof protection on the server).
Besides the main fix above, expected things like trying to hide further encryption side channels and making sure it doesn't break other features that rely in the same encryption calls (like asp.net membership).
eglasius
2010-09-29 17:52:16
A:
The vulnerability relates to flaws introduced by CBC Padding. The full theory behind the attack can be found here. However you must first read up on block cipher modes of operation.
Rook
2010-09-29 18:16:50