对ASP.NET的最新安全漏洞进一步跟进说明
2010-09-19 10:17
537 查看
今天上博客园,看见了关于ASP.NET的安全漏洞,内容大致是:黑客可以下载ASP.NET网站的核心文件(WEB.CONFIG),我估计还可以下载任意文件,例如数据库。
这个BUG基本上是致命的,可是博客园的描述却非常的少,我看了半天也没有明白什么意思,如何攻击,于是挖掘下去。现在把一些明细写出来。
微软原文:
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
黑客如何发起攻击:
代码Before worrying too much, go to http://usenix.org/events/woot10/tech/full_papers/Rizzo.pdf and read the original paper from Rizzo and Duong (May 25th, 2010). The "padded oracle attack" relies on a chaining block cypher (common) but also requires the "oracle". As some have correctly pointed out above, we need to have ASP.NET (or Java since this is not unique to .NET) return the padding error exception. Without that information, the exploit doesn't work. By default, this exception information is not reported by ASP.NET and this is configurable behavior for Java. If you go to the aforementioned link, I think you'll find more interesting reading related to cracking CAPTCHA using this exploit. However, that too requires cooperation from the web site. It's great learning about exploits and even a little fun but the media sure scares a lot of people (and scares up a lot of clicks) by providing this hyperbole. One guy above said he was happy he used Java. Read the PDF above and you will find Rizzo and Duong found the problem with Java (JSF but also Ruby on Rails) and then turned to see if the same exploit would work with ASP.NET. Technically, it is an exploit but if it doesn't happen with properly configured servers (or the default ASP.NET configuration), it's much ado about nothing.
大致意思是,这个问题不仅仅存在在asp.net,而且还有java等。技术上,如果使用了asp.net的默认配置,是不需要担心的(所谓默认配置,就是新建一个asp.net项目的配置,没有做任何修改)。
窗体验证:Asp.net Form Authentication:
--------------------------------------------------
http://www.codeproject.com/KB/aspnet/Forms_Auth_Internals.aspx
这次受影响的,主要是因为启动了asp.net的权限框架,就是这个所谓的窗体验证。 这个窗体验证的原理在上面的连接给出了。
全文小结
------------------------------------
浏览了很多页面,浪费了1个小时,终于有点头绪。
问题在于如果用户使用了微软提供的窗体验证框架,就会出现安全漏洞,被黑客破解了保存安全信息的算法(machine key), 然后获取了管理员权限,下载服务器的文件。
如果整个权限框架是自己写的,那么就不需要担心了。
幸好,我的所有项目代码、框架代码都是自己写的。哈哈哈!
后续补充
--------------------------------------
http://tech.ddvip.com/2008-12/1230195492102937.html
这篇文章是08年发的,非常详细的说明了asp.net的窗体验证中存在的严重安全漏洞。希望各位有时间好好看下。主要是微软的加密算法脑残了,导致黑客容易复制一个验证cookie。
这个BUG基本上是致命的,可是博客园的描述却非常的少,我看了半天也没有明白什么意思,如何攻击,于是挖掘下去。现在把一些明细写出来。
微软原文:
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
黑客如何发起攻击:
代码Before worrying too much, go to http://usenix.org/events/woot10/tech/full_papers/Rizzo.pdf and read the original paper from Rizzo and Duong (May 25th, 2010). The "padded oracle attack" relies on a chaining block cypher (common) but also requires the "oracle". As some have correctly pointed out above, we need to have ASP.NET (or Java since this is not unique to .NET) return the padding error exception. Without that information, the exploit doesn't work. By default, this exception information is not reported by ASP.NET and this is configurable behavior for Java. If you go to the aforementioned link, I think you'll find more interesting reading related to cracking CAPTCHA using this exploit. However, that too requires cooperation from the web site. It's great learning about exploits and even a little fun but the media sure scares a lot of people (and scares up a lot of clicks) by providing this hyperbole. One guy above said he was happy he used Java. Read the PDF above and you will find Rizzo and Duong found the problem with Java (JSF but also Ruby on Rails) and then turned to see if the same exploit would work with ASP.NET. Technically, it is an exploit but if it doesn't happen with properly configured servers (or the default ASP.NET configuration), it's much ado about nothing.
大致意思是,这个问题不仅仅存在在asp.net,而且还有java等。技术上,如果使用了asp.net的默认配置,是不需要担心的(所谓默认配置,就是新建一个asp.net项目的配置,没有做任何修改)。
窗体验证:Asp.net Form Authentication:
--------------------------------------------------
http://www.codeproject.com/KB/aspnet/Forms_Auth_Internals.aspx
这次受影响的,主要是因为启动了asp.net的权限框架,就是这个所谓的窗体验证。 这个窗体验证的原理在上面的连接给出了。
全文小结
------------------------------------
浏览了很多页面,浪费了1个小时,终于有点头绪。
问题在于如果用户使用了微软提供的窗体验证框架,就会出现安全漏洞,被黑客破解了保存安全信息的算法(machine key), 然后获取了管理员权限,下载服务器的文件。
如果整个权限框架是自己写的,那么就不需要担心了。
幸好,我的所有项目代码、框架代码都是自己写的。哈哈哈!
后续补充
--------------------------------------
http://tech.ddvip.com/2008-12/1230195492102937.html
这篇文章是08年发的,非常详细的说明了asp.net的窗体验证中存在的严重安全漏洞。希望各位有时间好好看下。主要是微软的加密算法脑残了,导致黑客容易复制一个验证cookie。
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- 对ASP.NET的最新安全漏洞进一步跟进说明(转)
- 详解ASP.NET的最新安全漏洞,Padding Oracle攻击原理及其他
- ASP.NET的最新安全漏洞Important: ASP.NET Security Vulnerability
- [转]ASP.NET虚拟主机安全漏洞解决方案
- 检测常见ASP.NET配置安全漏洞
- ASP.NET安全漏洞及对策
- 如何防止ASP.NET应用程序中的SQL注入安全漏洞
- 微软ASP.NET 最新漏洞的解决方案
- ASP.NET 安全漏洞更新补丁已经提供下载
- ASP.NET Form Authentication安全漏洞及对策
- 检测常见ASP.NET配置安全漏洞
- ASP.NET惊爆新安全漏洞 攻击者可访问任意文件
- ASP.NET 惊爆新安全漏洞 攻击者可访问任意文件
- ASP.NET 惊爆新安全漏洞 攻击者可访问任意文件
- ASP.Net的安全相关说明
- asp.net安全漏洞(转载)
- ASP.NET虚拟主机安全漏洞解决方案
- (转载)ASP.NET Form Authentication安全漏洞及对策
- Padding Oracle Attack,ASP.NET 的安全漏洞
- 一起谈.NET技术,ASP.NET 安全漏洞临时解决方案