Microsoft ASP.NET padding information disclosure (HTTP_IIS_ASP_WebResource_Fetch_Error)

About this signature or vulnerability

Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Desktops, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware, IBM Security Host Protection for Servers (Unix), IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor:

This event triggers when multiple requests to '*/WebResource.axd' result in a large number of HTTP 500 errors.

This event is tunable. See tuning parameter details for further information regarding algorithmic details.

The default block response is 'block connection', to help protect your services in the event of an unforeseen false positive. A quarantine blocking rule would be a more appropriate choice for this attack in most instances.
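The detection described above, as an added example that is not part of the original page or the IBM product: it counts HTTP 500 responses to */WebResource.axd per client over a sliding window in a constructed IIS W3C log excerpt. The threshold and window values are assumptions, since the sensor's actual tuning parameters are not given here.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt (not taken from the original page).
# Field order is declared by the #Fields header, as IIS writes it.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2010-09-20 10:00:01 GET /WebResource.axd d=AAAA 203.0.113.7 500
2010-09-20 10:00:01 GET /WebResource.axd d=AAAB 203.0.113.7 500
2010-09-20 10:00:02 GET /WebResource.axd d=AAAC 203.0.113.7 500
2010-09-20 10:00:02 GET /default.aspx - 198.51.100.4 200
2010-09-20 10:00:03 GET /WebResource.axd d=AAAD 203.0.113.7 500
2010-09-20 10:00:03 GET /WebResource.axd d=valid 198.51.100.4 200
2010-09-20 10:00:04 GET /WebResource.axd d=AAAE 203.0.113.7 500
2010-09-20 10:05:00 GET /WebResource.axd d=AAAF 203.0.113.7 500
"""

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_webresource_500_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: time the threshold was first crossed} for clients that
    triggered at least `threshold` HTTP 500 responses on */WebResource.axd
    within `window`. threshold and window are assumed values, not the sensor's."""
    recent = defaultdict(deque)   # client ip -> timestamps of recent 500s
    flagged = {}
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().endswith("/webresource.axd"):
            continue
        if rec["sc-status"] != "500":
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[rec["c-ip"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and rec["c-ip"] not in flagged:
            flagged[rec["c-ip"]] = ts
    return flagged
```

The 10:05:00 record falls outside the window and so does not count toward the earlier burst; successful (200) fetches of the handler are ignored entirely.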


False positives

Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Desktops, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware, IBM Security Host Protection for Servers (Unix), IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor: This event is tunable. It may be possible to configure this event so that it generates a false positive.

False negatives

Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Desktops, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware, IBM Security Host Protection for Servers (Unix), IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor: This event is tunable. It may be possible to configure this event so that it generates a false negative.

Default risk level

Medium

Sensors that have this signature

Proventia Network IDS: XPU 30.091, Proventia-G 1.1 and earlier: XPU 30.091, Proventia Network MFS: XPU 30.091, IBM Security Host Protection for Desktops: 2565, Proventia Network IPS: XPU 30.091, Proventia Server IPS for Linux technology: 30.091, Virtual Server Protection for Vmware: XPU 30.091, IBM Security Host Protection for Servers (Unix): 2.2.2, IBM Security Host Protection for Servers (Windows): 2.1.14.2565, RealSecure Server Sensor: XPU 30.091

Systems affected

Microsoft .NET Framework: 1.0 SP3, Microsoft .NET Framework: 1.1 SP1, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft ASP.NET: 1.1 SP1, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows 7: x64, Microsoft .NET Framework: 2.0 SP2, Microsoft .NET Framework: 3.5, Microsoft .NET Framework: 3.5 SP1, Microsoft Windows 7: x32, Microsoft Windows Server 2008: R2 x64, Microsoft Windows Server 2008: R2 Itanium, Microsoft Windows Server 2008: SP2 Itanium, Microsoft .NET Framework: 3.5.1, Microsoft ASP.NET: 3.5, Microsoft ASP.NET: 4.0, Microsoft ASP.NET: 3.5 SP1, Microsoft ASP.NET: 2.0 SP2, Microsoft ASP.NET: 2.0 SP1, Microsoft ASP.NET: 3.5.1, Microsoft .NET Framework: 4.0, Mono Mono: 1.x, Mono Mono: 2.x

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft .NET Framework could allow a remote attacker to obtain sensitive information, caused by an error in the ASP.NET encryption implementation when decrypting certain ciphertext. An attacker could exploit this vulnerability via a padding oracle attack to decrypt the ViewState object, manipulate encrypted data, or read restricted files downloaded from the ASP.NET application.

Note: This vulnerability also affects other products.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

References

Microsoft Security Advisory (2416728)
Vulnerability in ASP.NET Could Allow Information Disclosure
http://www.microsoft.com/technet/security/advisory/2416728.mspx

Microsoft Security Advisory (2416728)
Security Advisory 2416728 - Workaround Update
http://blogs.technet.com/b/msrc/archive/2010/09/24/security-advisory-2416728-workaround-update.aspx

Microsoft Security Advisory (2416728)
Out of Band Release to Address Microsoft Security Advisory 2416728
http://blogs.technet.com/b/msrc/archive/2010/09/27/out-of-band-release-to-address-microsoft-security-advisory-2416728.aspx

Microsoft Security Bulletin MS10-070
Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)
http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx

IBM Internet Security Systems Protection Alert
Microsoft Vulnerability in ASP.NET Could Allow Information Disclosure
http://www.iss.net/threats/384.html

Offensive Security Exploit Database [10-06-2010]
ASP.NET Padding Oracle Vulnerability (MS10-070)
http://www.exploit-db.com/exploits/15213/

Offensive Security Exploit Database [10-17-2010]
MS10-070 ASP.NET Padding Oracle File Download
http://www.exploit-db.com/exploits/15265/

Offensive Security Exploit Database [10-20-2010]
MS10-070 ASP.NET Auto-Decryptor File Download Exploit
http://www.exploit-db.com/exploits/15292/

EKOPARTY 2010
Padding Oracles Everywhere
http://netifera.com/research/poet//PaddingOraclesEverywhereEkoparty2010.pdf

Mono Web site
ASP.NET Padding Oracle
http://www.mono-project.com/Vulnerabilities#ASP.NET_Padding_Oracle

Mono Web site
Main Page - Mono
http://www.mono-project.com/Main_Page

Microsoft Security Bulletin MS11-078
Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)
http://www.microsoft.com/technet/security/bulletin/ms11-078.mspx

Microsoft Security Bulletin MS12-035
Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2693777)
http://technet.microsoft.com/en-us/security/bulletin/ms12-035

ISS X-Force
Microsoft ASP.NET padding information disclosure
http://www.iss.net/security_center/static/61898.php

CVE
CVE-2010-4007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4007