| |||||||
| |||||||
| |||||||
| |||||||
| |||||||
|
Saturday, 13 November 2010
The fight against botnets: Are we winning?
Tuesday, 12 October 2010
Security Articles from MS this month
Security
Microsoft Malware Protection Center Website | RSS Feed
Prehistoric Virtual Machines - 08-Oct-2010
Microsoft Security Response Center MSRC Website | RSS Feed
Advance Notification Service for October 2010 Security Bulletin - 07-Oct-2010
Security Bulletins Comprehensive Website | RSS Feed
Microsoft Security Bulletin Advance Notification for October 2010 - 07-Oct-2010
Security Products Forefront
Forefront Product Suite Website | RSS Feed
Microsoft acquires AVIcode Inc. to extend application management to the cloud - 07-Oct-2010
Forefront Server Security Website | RSS Feed
Hotfix rollup 3 for Forefront Security for Exchange Server SP2 and hotfix rollup 3 for Forefront Security for SharePoint SP3 are now available - 08-Oct-2010
Forefront Threat Management Gateway ISA Server Website | RSS Feed
TMG Reports stop working after installing TMG 2010 SP1 - 05-Oct-2010
Tuesday, 28 September 2010
Out-of-band Security Update for ASP.NET Security Vulnerability
ASP.NET Security Update Shipping Tuesday, Sept 28th
An hour ago Microsoft released an advance notification security bulletin announcing that we are releasing an out-of-band security update to address the ASP.NET Security Vulnerability that Scott has blogged about this past week. The security update is fully tested, and is scheduled for release tomorrow - Tuesday September 28th – at approximately 10:00 AM PDT. The advance notice bulletin is intended to ensure administrators know it is coming, and are better prepared to apply it once the update is available.
We’ll release the update tomorrow via the Microsoft Download Center (He will blog links to the individual downloads for each version of .NET). We will then release the update via Windows Update and the Windows Server Update Service in a few days as we complete final distribution testing via these channels.
Applying the update addresses the ASP.NET Security vulnerability, and once the update is applied to your system the workarounds we have previously blogged about will no longer be required. Until you have installed the update, though, please do make sure to continue using the workarounds.
You can learn more about tomorrow’s security update release from this Microsoft Security Response Center Blog Post as well as the official Advance Notification Bulletin. We will also hold a special webcast for the bulletin release on Tuesday, September 28, 2010 at 1:00 PM PDT, where we will present information on the bulletin and take customer questions. If you are interested in attending the webcast, click here to sign up.
Once again great job MS. We have faith in you… :)
Sunday, 26 September 2010
How to manually check if the ASP.Net application is vulnerable to ASP.Net Padding Exploitation
Before I begin, I would like to say that, the actual reason behind the hue and cry about this vulnerability is the fact that the Microsoft Security Advisory 2416728 quoted that this vulnerability can be "further exploited to view data, such as the View State, which was encrypted by the target server, or even read data from files on the target server, such as the web.config file".
Though, there is no available exploit code in the internet that allows us to check the legitimacy of the above statement but it is true that a vulnerability and exploit code that has been disclosed in such a professional manner would definitely not be released to the public. Although, there are tools and scripts such as POET, PadBuster, AspNetPaddingOracleDetector etc. but they fail to justify what Microsoft has quoted in their Security Advisory and it is acceptable that a public release of the actual exploit code will trigger a sudden burst of malicious activities. Seeing the issue from this perspective lets see, how even without the exploit code in place, we can still try to identify if our ASP.Net applications are vulnerable or not.
Before I move on to the steps, let me quickly give a brief idea about one of the most important factors that aid this exploitation mechanism as this will be the key to our manual judgemental skills.
- When we send a request to the ASP.Net application, it carries ciphertext (__VIEWSTATE parameter, Cookie parameter etc) with it. For some reason, if the ciphertext is invalid, an exception will be thrown, and the system may act according to one of the following scenarios:
- Returns a 500 Internal Server Error
- Returns a 404 Not Found Error
- Return the ASP.Net Yellow Screen Of Death (YSOD) Exception page with or without Stack Trace depending on customErrors settings in the web.config
- Return a page stating only the exception’s message
- Return a constant page, stating there was an error, without providing detail. This is actually the Microsoft’s workaround
- The default ASP.Net way of taking the user to the login page and swallowing the exception completely without displaying any error
Now, it is these behaviors that will help us to identify if our ASP.Net application is vulnerable or not and if the workaround proposed my Microsoft is helping our application to refrain itself from giving hints of its vulnerability to the attacker. Though, the vulnerability would still remain, but it would take the sting off by at first not letting the attacker know of its vulnerability.
The below image shows the requests made on a sample ASP.Net blog application. I would explain each of these requests and responses.
Request 1 to Request 3 is highlited in red and Request 4 to Request 8 is highlited in green. The requests highlited as red means the application's web.config was not set in the way that Microsoft recommended and the requests highlited as green means the application's web.config was set as per Microsoft's recommendation.
Explanation:
Condition 1: Web.Config doesn’t redirect to a single error page. CustomErrors section reads <customErrors mode="On"/> or <customErrors mode="RemoteOnly"/>
Request 1: When we made a request to the application with a valid ciphertext "GET /Blog/WebResource.axd?d=R7QyY48orpGSFdUDj4AslA2" the application gave the response "200 OK"
Request 2: When we made a request to the application with an invalid ciphertext "GET /Blog/WebResource.axd?d=test" the application gave the the response "500 Internal Server Error" because its an invalid ciphertext.
Request 3: When we made a request to the application with no ciphertext "GET /Blog/WebResource.axd?d=" the application gave the the response "404 Not Found" and also said that " The resource cannot be found" because our request didn’t had a resource request encrypted as a ciphertext.
So we see that the application has behaved in three different ways for three different GET requests.
Condition 2: Web.Config redirect to a single error page. CustomErrors section reads <customErrors mode="On" defaultRedirect="error.aspx"/>
Request 4: Same as Request 1. Since it’s a valid request, the application responds with the response "200 OK"
Request 5: The request is same as Request 2 and since its an invalid ciphertext, it triggers an error "500 Internal Server Error" in the server, but since we have the customErrors module in the Web.Config to handle this, it sees that there is the error.aspx that it should serve, however, for redirection to that resource, it sends the response "302 Found" and also adds the Location header "Location: /blog/error.aspx?aspxerrorpath=/Blog/WebResource.axd" to the response so that the client knows its current location. Thus, what it has done is, it has supressed the "500 Internal Server Error" error.
Request 6: The client makes a request for the new resource that came with the previous response. In our case, it’s the "GET /blog/error.aspx?aspxerrorpath=/Blog/WebResource.axd". This request is processed and the error.aspx page served resulting in a "200 OK" response from the server.
Request 7: Similar way, when we request to the application with no ciphertext, it triggers an error "404 Not Found" in the server, but again we have the customErrors module in the Web.Config to handle this, it sees that there is the error.aspx that it should serve, however, for redirection to that resource, it sends the response "302 Found" and also adds the Location header "Location: /blog/error.aspx?aspxerrorpath=/Blog/WebResource.axd" to the response so that the client knows its current location. Thus, what it has done is, it has supressed the "404 Not Found" error.
Request 8: The client makes a request for the new resource that came with the previous response. In our case, it’s the "GET /blog/error.aspx?aspxerrorpath=/Blog/WebResource.axd". This request is processed and the error.aspx page served resulting in a "200 OK" response from the server.
What we have seen is, in simple words, if the application is throwing different errors for different scenarios then it reveals the vulnerability because, on the basis of the different error code that is returned by the web server the atacker can guess if the ciphertext was decrypted properly. By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text. Thus, if the application is showing different errors like the above three requests (Request 1 to Request 3) then its revealing its vulnerability.
Furthermore, for added safety, it is recommended that the error.aspx should have a random, small sleep delay. This will obfuscate the time required to serve the error.aspx on even of an error, thus obfuscating the nature of the error further.
The code of the error.aspx with the random sleep delay can be found on the Microsoft Security Advisory 2416728 page.
Saturday, 25 September 2010
Exception event that shows signs of the padding oracle exploitation attack
The below post shows the exception event that shows signs of the attack in progress. Also, found some Dynamic IP Restriction module for IIS 7 that can be used to block this attack.
Exception event that this attack would triger:
What would an attack look like on the network or in my logs?
The publicly disclosed exploit would cause the web server to generate thousands (or more likely tens of thousands) of HTTP 500 and 404 error responses to requests from a malicious client.
We can use stateful filters in the firewall, application or network, or intrusion detection systems on the network to detect such patterns and block such clients. The Dynamic IP Restrictions module supported by IIS 7 can also be used to block these types of attacks.
An attack attempt like this should also generate thousands of warnings in the application event log of your server similar to:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 11/11/1111 11:11:11 AM
Event time (UTC): 11/11/1111 11:11:11 AM
Event ID: 28e71767f3484d1faa90026f0947e945
Event sequence: 133482
Event occurrence: 44273
Event detail code: 0
Application information:
Application domain: c1db5830-1-129291000036654651
Trust level: Full
Application Virtual Path: /
Application Path: C:\foo\TargetWebApplication\
Machine name: FOO
Process information:
Process ID: 3784
Process name: WebDev.WebServer40.exe
Account name: foo
Exception information:
Exception type: CryptographicException
Exception message: Padding is invalid and cannot be removed.
The highlighted exception detail is the most important piece of information in the event log entry to look for. It is possible to hit this error while developing new ASP.NET website code, and it can happen in certain production environments. However, if it did not appear on your production servers until recently, it is possible that it indicates an attack. Verifying that the time of these exceptions corresponds to the large number of requests described above would increase the confidence that this entry was caused by an attack.
Note that there are non-attack reasons to see this error as well (including cases where you have mismatched keys on a web-farm, or a search engine is following links incorrectly, etc), so its presence does not always necessarily indicate an attack, however, we can take preventive measures.
The exception also does not mean that an attack was successful. Implementing the <customErrors> workaround we have provided can protect your application from the public exploit, and ensure that these exceptions do not disclose information that an attacker can use against the application.
Complete description of why we should follow this workaround:
Well, while the workaround contains a really valuable information, relevant for every system (as for not disclosing the real error), and it will prevent the automated tool released by the researchers to hack your system, it will, by far, NOT protect you from a potential attack!
How so? The workaround assumes that the potential attacker will look for an HTTP error response status (500), or for an error page containing a specific exception message. However, it is enough for attacker to recognize an abnormal, or just different system behavior on certain requests.
Let’s get back to our ASP.NET system that stores an encrypted sensitive information in a cookie. Each request, the system will probably decrypt this information and use it. In case the ciphertext in a cookie is invalid, an exception will be thrown, and the system may act according to one of the following scenarios:
· Return a 500 error response - very user unfriendly!
· Return a default ASP.NET YSOD exception page - extremely bad in production environment!
· Return a page stating only the exception’s message - also very bad!
· Return a constant page, stating there was an error, without providing details– a good practice, this is actually the Microsoft’s workaround
· “Swallow” the exception, and behave like the cookie does not exist. The response may be a redirect to another pager, or just a a slightly changed HTML (instead of user’s name, a “login” link) – This is the way ASP.NET Forms Authentication works.
Note that every one of the possible responses is different from the normal one. Even the last scenario described above, as clean as it is, still returns a distinctively different response. Therefore, an attacker can take advantage of it, and write a simple script that infers this abnormal behavior to an Invalid Oracle’s answer. It is that simple!
Some useful links related to this attack:
Dynamic IP Restriction: http://www.iis.net/download/DynamicIPRestrictions
URLScan - IIS 6.0 and lesser: http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx
RequestFiltering - IIS 7.0 and above: http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering
Sharepoint Workaround: http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx
Tuesday, 21 September 2010
Microsoft Security Articles
Microsoft Malware Protection Center Website | RSS Feed
Hold on to your keys! - 17-Sep-2010
MSRT sets its sights on FakeCog - 14-Sep-2010
Microsoft Security Response Center MSRC Website | RSS Feed
Security Advisory 2416728 Released - 18-Sep-2010
Q&A from the September 2010 Security Release Bulletin Webcast - 17-Sep-2010
September 2010 Security Bulletin Release - 13-Sep-2010
MSRC Ecosystem Strategy Website | RSS Feed
Internet troubles in Korea? E-call center 118 is there to help. - 17-Sep-2010
Security Bulletins Advisories Website | RSS Feed
Microsoft Security Advisory (2416728): Vulnerability in ASP.NET Could Allow Information Disclosure - 9/17/2010 - 17-Sep-2010
Microsoft Security Advisory (973811): Extended Protection for Authentication - 9/14/2010 - 14-Sep-2010
Microsoft Security Advisory (2401593): Vulnerability in Outlook Web Access Could Allow Elevation of Privilege - 9/14/2010 - 14-Sep-2010
Security Bulletins Comprehensive Website | RSS Feed
MS10-050 - Important: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997) - Version:1.2 - 15-Sep-2010
Microsoft Security Advisory (973811): Extended Protection for Authentication - 14-Sep-2010
Microsoft Security Bulletin Summary for September 2010 - 14-Sep-2010
MS10-069 - Important: Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege (2121546) - Version:1.0 - 14-Sep-2010
MS10-068 - Important: Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege (983539) - Version:1.0 - 14-Sep-2010
MS10-067 - Important: Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2259922) - Version:1.0 - 14-Sep-2010
MS10-066 - Important: Vulnerability in Remote Procedure Call Could Allow Remote Code Execution (982802) - Version:1.0 - 14-Sep-2010
MS10-065 - Important: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960) - Version:1.0 - 14-Sep-2010
MS10-064 - Critical: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2315011) - Version:1.0 - 14-Sep-2010
MS10-063 - Critical: Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2320113) - Version:1.0 - 14-Sep-2010
MS10-062 - Critical: Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution (975558) - Version:1.0 - 14-Sep-2010
MS10-061 - Critical: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Version:1.0 - 14-Sep-2010
Microsoft Security Advisory (2401593): Vulnerability in Outlook Web Access Could Allow Elevation of Privilege - 14-Sep-2010
The Security Development Lifecycle Website | RSS Feed
Congratulations to Steve Lipner - 17-Sep-2010
Forefront Client Security Website | RSS Feed
Understanding how Forefront Client Security responds to potentially unwanted software - 17-Sep-2010
Using a script to automate UNC definition updates - 16-Sep-2010
Announcing the Forefront Endpoint Protection Community Evaluation Program - 14-Sep-2010
New notification resource… - 14-Sep-2010
Forefront Server Security Website | RSS Feed
Problems downloading updates for the Kaspersky 8 antivirus engine after installing FSSMC Hotfix Rollup 5 and FSE Service Pack 2 Rollup 2 - 15-Sep-2010
Forefront Threat Management Gateway ISA Server Website | RSS Feed
Unable to download files larger than 4GB through ISA 200x – works fine in TMG - 16-Sep-2010
Forefront TMG/UAG Help Wanted at Microsoft in Stockholm - 15-Sep-2010
TMG Quick Tip: Unable to Join a TMG to an Existing Array - 14-Sep-2010
Forefront Unified Application Gateway UAG Website | RSS Feed
How to enable Remote Desktop Sharing (RDS/RDP) from corporate machines to DirectAccess connected machines - 14-Sep-2010
Sunday, 19 September 2010
Important: ASP.NET Security Vulnerability
This post has been shared by Scott Guthrie
Thanks Scott for posting this workaround.
Important: ASP.NET Security Vulnerability
A few hours ago we released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET.
This vulnerability was publically disclosed late Friday at a security conference. We recommend that all customers immediately apply a workaround (described below) to prevent attackers from using this vulnerability against your ASP.NET applications.
What does the vulnerability enable?
An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data).
At attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).
How the Vulnerability Works
To understand how this vulnerability works, you need to know about cryptographic oracles. An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there is a vulnerability in ASP.NET which acts as a padding oracle. This allows an attacker to send cipher text to the web server and learn if it was decrypted properly by examining which error code was returned by the web server. By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text.
How to Workaround The Vulnerability
A workaround you can use to prevent this vulnerability is to enable the <customErrors> feature of ASP.NET, and explicitly configure your applications to always return the same error page - regardless of the error encountered on the server. By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server.
Important: It is not enough to simply turn on CustomErrors or have it set to RemoteOnly. You also need to make sure that all errors are configured to return the same error page. This requires you to explicitly set the “defaultRedirect” attribute on the <customErrors> section and ensure that no per-status codes are set.
Enabling the Workaround on ASP.NET V1.0 to V3.5
If you are using ASP.NET 1.0, ASP.NET 1.1, ASP.NET 2.0, or ASP.NET 3.5 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:
1) Edit your ASP.NET Application’s root Web.Config file. If the file doesn’t exist, then create one in the root directory of the application.
2) Create or modify the <customErrors> section of the web.config file to have the below settings:
<configuration>
<system.web>
<customErrors mode="On" defaultRedirect="~/error.html" />
</system.web>
</configuration>
3) You can then add an error.html file to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.
Notes: The important things to note above is that customErrors is set to “on”, and that all errors are handled by the defaultRedirect error page. There are not any per-status code error pages defined – which means that there are no <error> sub-elements within the <customErrors> section. This avoids an attacker being able to differentiate why an error occurred on the server, and prevents information disclosure.
Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0
If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:
1) Edit your ASP.NET Application’s root Web.Config file. If the file doesn’t exist, then create one in the root directory of the application.
2) Create or modify the <customErrors> section of the web.config file to have the below settings. Note the use of redirectMode=”ResponseRewrite” with .NET 3.5 SP1 and .NET 4.0:
<configuration>
<system.web>
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
</system.web>
</configuration>
3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.
4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.
VB Version
Below is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into the application directory on your web-server:
<%@ Page Language="VB" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
Sub Page_Load()
Dim delay As Byte() = New Byte(0) {}
Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()
prng.GetBytes(delay)
Thread.Sleep(CType(delay(0), Integer))
Dim disposable As IDisposable = TryCast(prng, IDisposable)
If Not disposable Is Nothing Then
disposable.Dispose()
End If
End Sub
</script>
<html>
<head runat="server">
<title>Error</title>
</head>
<body>
<div>
Sorry - an error occured
</div>
</body>
</html>
C# Version
Below is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save it into the application directory on your web-server:
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
void Page_Load() {
byte[] delay = new byte[1];
RandomNumberGenerator prng = new RNGCryptoServiceProvider();
prng.GetBytes(delay);
Thread.Sleep((int)delay[0]);
IDisposable disposable = prng as IDisposable;
if (disposable != null) { disposable.Dispose(); }
}
</script>
<html>
<head runat="server">
<title>Error</title>
</head>
<body>
<div>
An error occurred while processing your request.
</div>
</body>
</html>
How to Verify if the Workaround is Enabled
Once you have applied the above workaround, you can test to make sure the <customErrors> section is correctly configured by requesting a URL like this from your site: http://mysite.com/pagethatdoesnotexist.aspx
If you see the custom error page appear (because the file you requested doesn’t exist) then your configuration should be setup correctly. If you see a standard ASP.NET error then it is likely that you missed one of the steps above. To see more information about what might be the cause of the problem, you can try setting <customErrors mode=”remoteOnly”/> – which will enable you to see the error message if you are connecting to the site from a local browser.
How to Find Vulnerable ASP.NET Applications on Your Web Server
We have published a .vbs script that you can save and run on your web-server to determine if there are ASP.NET applications installed on it that either have <customErrors> turned off, or which differentiate error messages depending on status codes.
You can download the .vbs script here. Simply copy/paste the script into a text file called “DetectCustomErrors.vbs” and save it to disk. Then launch a command window that is elevated as admin and run “cscript DetectCustomErrors.vbs” to run it against your local web-server. It will enumerate all of the applications within your web server and verify that the correct <customErrors> configuration has been specified.
It will flag any application where it finds that an application’s web.config file doesn’t have the <customErrors> section (in which case you need to add it), or doesn’t have it set correctly to workaround this attack (in which case you need to update it). It will print “ok” for each application web.config file it finds that is fine. This should hopefully make it easier to locate issues.
Note: We have developed this detection script over the last few hours, and will be refining it further in the future. I will post an update in this section each time we make a change to it.
How to Find More Information about this Vulnerability
You can learn more about this vulnerability from:
- Microsoft Security Advisory 2416728
- Understanding the ASP.NET Vulnerability
- Microsoft Security Response Center Blog Post
Microsoft will be releasing a patch that can be used to correct the root cause of the issue (and avoid the need for the above workaround).
Until then, please apply the above workaround to all of your ASP.NET applications to prevent attackers from exploiting it.
Thursday, 16 September 2010
Spyware and Viruses: What's the Difference?
| ||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||
|