Proventia Network IDS, IBM Security Host Protection for Desktops, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Servers (Windows), Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Unix):
This event triggers when multiple requests to '*/WebResource.axd' result in a large number of 500 errors.
This event is tunable. See tuning parameter details for further information regarding algorithmic details.
The default block response is 'block connection', to help protect your services in the event of an unforeseen false positive. A quarantine blocking rule would be a more appropriate choice for this attack in most instances.
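The heuristic described above can be reproduced against web server logs. The following is an added example, not the signature's own algorithm: the threshold and window are assumed values (the page defers to the tuning parameters for the real ones), and the log lines are constructed in a simplified W3C-style field order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; the signature's real defaults are not given on the page.
THRESHOLD = 5
WINDOW = timedelta(seconds=60)

def _line(sec, ip, stem, status):
    """Build one constructed log line: date time c-ip cs-method cs-uri-stem sc-status."""
    ts = datetime(2010, 9, 20, 10, 0, 0) + timedelta(seconds=sec)
    return f"{ts:%Y-%m-%d %H:%M:%S} {ip} GET {stem} {status}"

# Constructed sample data (documentation address ranges), not real traffic.
SAMPLE_LOG = "\n".join(
    ["#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    + [_line(s, "192.0.2.10", "/app/WebResource.axd", 500) for s in range(1, 7)]
    + [_line(s * 150, "198.51.100.7", "/app/WebResource.axd", 500) for s in range(5)]
    + [_line(s, "203.0.113.5", "/app/Default.aspx", 500) for s in range(1, 7)]
    + [_line(3, "203.0.113.5", "/app/WebResource.axd", 200)]
)

def detect(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {client_ip: time of first alert} for clients that reach `threshold`
    HTTP 500 responses on */WebResource.axd within `window`."""
    recent = defaultdict(deque)   # per-client timestamps of matching 500s
    alerts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 6:
            continue              # skip directives and malformed lines
        try:
            ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
            status = int(parts[5])
        except ValueError:
            continue
        ip, stem = parts[2], parts[4]
        if status != 500 or not stem.lower().endswith("/webresource.axd"):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop hits that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold:
            alerts.setdefault(ip, ts)
    return alerts

if __name__ == "__main__":
    for ip, when in detect(SAMPLE_LOG).items():
        print(f"{when} {ip} repeated 500s on WebResource.axd")
```

Only the client with a burst of 500s on WebResource.axd is reported; 500s on other paths and widely spaced errors are not. Changing the threshold or window shifts that boundary, which is the false positive and false negative trade-off that tuning introduces.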
Proventia Network IDS, IBM Security Host Protection for Desktops, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Servers (Windows), Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Unix): This event is tunable. It may be possible to configure this event so that it generates a false positive.
Proventia Network IDS, IBM Security Host Protection for Desktops, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Servers (Windows), Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Unix): This event is tunable. It may be possible to configure this event so that it generates a false negative.
Medium
Proventia Network IDS: XPU 30.091, IBM Security Host Protection for Desktops: 2565, Proventia Network IPS: XPU 30.091, RealSecure Network: XPU 30.091, RealSecure Server Sensor: XPU 30.091, Proventia-G 1.1 and earlier: XPU 30.091, Proventia Network MFS: XPU 30.091, IBM Security Host Protection for Servers (Windows): 2.1.14.2565, Virtual Server Protection for Vmware: XPU 30.091, Proventia Server IPS for Linux technology: 30.091, IBM Security Host Protection for Servers (Unix): 2.2.2
Microsoft .NET Framework: 1.0 SP3, Microsoft .NET Framework: 1.1 SP1, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft ASP.NET: 1.1 SP1, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows 7: x64, Microsoft .NET Framework: 2.0 SP2, Microsoft .NET Framework: 3.5, Microsoft .NET Framework: 3.5 SP1, Microsoft Windows 7: x32, Microsoft Windows Server 2008: R2 x64, Microsoft Windows Server 2008: R2 Itanium, Microsoft Windows Server 2008: SP2 Itanium, Microsoft .NET Framework: 3.5.1, Microsoft ASP.NET: 3.5, Microsoft ASP.NET: 4.0, Microsoft ASP.NET: 3.5 SP1, Microsoft ASP.NET: 2.0 SP2, Microsoft ASP.NET: 2.0 SP1, Microsoft ASP.NET: 3.5.1, Microsoft .NET Framework: 4.0, Mono Mono: 1.x, Mono Mono: 2.x
Unauthorized Access Attempt
Microsoft .NET Framework could allow a remote attacker to obtain sensitive information, caused by an error in the ASP.NET encryption implementation when decrypting certain cipher text. An attacker could exploit this vulnerability via a padding oracle attack to decrypt the View State object to manipulate encrypted data or read restricted data files downloaded from the ASP.NET application.
Note: This vulnerability also affects other products.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
Microsoft Security Advisory (2416728)
Vulnerability in ASP.NET Could Allow Information Disclosure
http://www.microsoft.com/technet/security/advisory/2416728.mspx
Microsoft Security Advisory (2416728)
Security Advisory 2416728 - Workaround Update
http://blogs.technet.com/b/msrc/archive/2010/09/24/security-advisory-2416728-workaround-update.aspx
Microsoft Security Advisory (2416728)
Out of Band Release to Address Microsoft Security Advisory 2416728
http://blogs.technet.com/b/msrc/archive/2010/09/27/out-of-band-release-to-address-microsoft-security-advisory-2416728.aspx
Microsoft Security Bulletin MS10-070
Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)
http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx
IBM Internet Security Systems Protection Alert
Microsoft Vulnerability in ASP.NET Could Allow Information Disclosure
http://www.iss.net/threats/384.html
Offensive Security Exploit Database [10-06-2010]
ASP.NET Padding Oracle Vulnerability (MS10-070)
http://www.exploit-db.com/exploits/15213/
Offensive Security Exploit Database [10-17-2010]
MS10-070 ASP.NET Padding Oracle File Download
http://www.exploit-db.com/exploits/15265/
Offensive Security Exploit Database [10-20-2010]
MS10-070 ASP.NET Auto-Decryptor File Download Exploit
http://www.exploit-db.com/exploits/15292/
EKOPARTY 2010
Padding Oracles Everywhere
http://netifera.com/research/poet//PaddingOraclesEverywhereEkoparty2010.pdf
Mono Web site
ASP.NET Padding Oracle
http://www.mono-project.com/Vulnerabilities#ASP.NET_Padding_Oracle
Mono Web site
Main Page - Mono
http://www.mono-project.com/Main_Page
Microsoft Security Bulletin MS11-078
Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)
http://www.microsoft.com/technet/security/bulletin/ms11-078.mspx
Microsoft Security Bulletin MS12-035
Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2693777)
http://technet.microsoft.com/en-us/security/bulletin/ms12-035
ISS X-Force
Microsoft ASP.NET padding information disclosure
http://www.iss.net/security_center/static/61898.php
CVE
CVE-2010-2057
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2057