Monday, 20 September 2010

Twenty Questions

Attacking an Oracle

The biggest and loudest exploit of recent times has to be that ASP.NET crypto vulnerability.

Publicly disclosed at a security conference (ekoparty in Argentina) on the evening of Friday 17th September, it seems to have been reported and commented on at every visible blog to date. So, here are a couple more comments about it!

Microsoft immediately attested to the seriousness of the vulnerability by issuing Security Advisory 2416728: "Vulnerability in ASP.NET Could Allow Information Disclosure", showing that it affects all versions of ASP.NET. Soon after, Scott Guthrie provided a short background description of cryptographic oracles, including padding oracles, which is what this particular ASP.NET vulnerability turns out to be. Ask it a question by sending the web server some cipher text, and it will answer, selecting from its extensive collection of error codes.

Patience and Perseverance

These oracle attacks are very subtle by their nature. But keep watching these responses, and soon you'll be able to decrypt the rest of the cipher text.

One of the main lessons here is the same as that for last month's quantum crypto hack: practical implementations can easily nullify the effectiveness of even the very best and most secure theoretical edifice. It takes a huge amount of effort to build your own secure systems from scratch. But by the same token, so to speak: whenever possible you should use the established secure systems provided by others, the main players in the field.

For even when, as here, they go wrong, you can be assured of two things:
  1. An immediate workaround (in this case, overriding all of your server's error codes with a single one in the meantime). But do go to Scott's post and follow the remedy exactly, without trying to simplify it: oracle-type attacks seep like water through the cracks!
  2. Thorough investigations toward a resolution, e.g. via the Microsoft Active Protections Program (MAPP), and visibility through the Common Vulnerabilities and Exposures database (CVE).
Remember: apply Scott's fix literally, comprehensively and completely.
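
Why collapsing the error codes into a single one matters, shown as an added example that is not from the original post, Scott's post or Microsoft's advisory: a toy handler that answers corrupted cipher text with a different status per failure cause, next to one that gives a single answer. The cipher is a stand-in Feistel construction, and the key, resource name and status codes are constructed for the demo; it illustrates the principle only and does not replace the steps in Scott's post.

```python
import hashlib, os

BLOCK, KEY = 16, b"constructed-demo-key"  # constructed sample values
RESOURCE = b"d=report.pdf"                # constructed plaintext the app accepts

class PaddingError(Exception):
    pass

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(block, rounds):  # stand-in block cipher for the demo, not real crypto
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, _xor(l, hashlib.sha256(KEY + bytes([i]) + r).digest()[:8])
    return r + l              # final swap: running the rounds reversed inverts it

def encrypt(pt):              # CBC mode with PKCS#7 padding
    n = BLOCK - len(pt) % BLOCK
    pt, out = pt + bytes([n]) * n, [os.urandom(BLOCK)]
    for i in range(0, len(pt), BLOCK):
        out.append(_feistel(_xor(pt[i:i + BLOCK], out[-1]), range(4)))
    return b"".join(out)

def decrypt(ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(_xor(_feistel(c, range(3, -1, -1)), p)
                  for p, c in zip(blocks, blocks[1:]))
    n = pt[-1]
    if not 1 <= n <= BLOCK or pt[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return pt[:-n]

def leaky_handler(ct):        # a different status code for each failure cause
    try:
        return 200 if decrypt(ct) == RESOURCE else 404
    except PaddingError:
        return 500

def uniform_handler(ct):      # the workaround: every failure looks the same
    return 200 if leaky_handler(ct) == 200 else 500

def error_responses(handler, ct):
    """Distinct answers a client sees across single-byte corruptions of ct."""
    i = len(ct) - BLOCK - 1   # last byte of the second-to-last block
    return {handler(ct[:i] + bytes([ct[i] ^ d]) + ct[i + 1:])
            for d in range(1, 256)}

TOKEN = encrypt(RESOURCE)
```

With the leaky handler, `error_responses` returns two different codes, so each reply tells the sender whether the padding check passed; with the uniform handler it returns one.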
