Diving into Oracle Padding Attack

Posted: December 27, 2012 in Web Applications
Tags: , ,
A couple of days ago while auditing one Asp.net application, I found the application vulnerable to Oracle padding attack .I did some research and found the following links to be very useful to do the exploitation.
 
Initially as i read according to wiki it says: In cryptography, the padding oracle attack is an attack on the CBC mode of operation, where the “oracle” (usually a server) leaks data about whether the padding of an encrypted message is correct or not.This can allow attackers to decrypt (and sometimes encrypt) messages through the oracle using the oracle’s key, without knowing the encryption key. it can be detected manually viewing the source and following webresource.axd?d=[hash] or by using a script :
 
http://blog.dotsmart.net/2010/09/22/asp-net-padding-oracle-detector/
 
I searched for exploiting the vulnerability using padbuster perl script.
 
https://github.com/GDSSecurity/PadBuster/blob/master/padBuster.pl
http://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html
 
Only the specific perl set up works for that padbuster :
http://strawberry-perl.googlecode.com/files/strawberry-perl-5.12.3.0.msi
(Note : active perl doesn’t work in this case)
 
Details has been given how to proceed in the following link below
 
http://www.securitylearn.net/tag/padding-oracle-attack/
 
Our Objective is to get some juicy info inside web.config file in the application. The video explains the scenario of the application when the padding was successful.
 
http://www.youtube.com/watch?v=tlCRivo8Sis.
 
Next question arise how to mitigate this vulnerability :
 
  A patch was released by Microsoft after Juliano Rizzo and Thai Duong discovered the vulnerability which is to be found in the link below.
 
(1.)   http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx
(2.)  http://technet.microsoft.com/en-us/security/bulletin/MS10-070
(3.)  http://www.subodh.com/Blog/PostID/116/DotNetNuke-ASP-NET-Security-Vulnerability-Fix
(4.)  https://devcentral.f5.com/weblogs/macvittie/archive/2010/10/01/f5-friday-mitigating-the-lsquopadding-oraclersquo-exploit-for-asp.net.aspx
 
(5.) OWASP link : https://www.owasp.org/index.php/ASP.NET_POET_Vulnerability
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s