【IT168 资讯】今天看新闻,看见了关于ASP.NET的安全漏洞,内容大致是:黑客可以下载ASP.NET网站的核心文件(WEB.CONFIG),我估计还可以下载任意文件,例如数据库。
这个BUG基本上是致命的,可是博客园的描述却非常的少,我看了半天也没有明白什么意思,如何攻击,于是挖掘下去。现在把一些明细写出来。
微软原文:
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
黑客如何发起攻击:
To understand how this vulnerability works, you need to know about cryptographic oracles. An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there is a vulnerability in ASP.NET which acts as a padding oracle. This allows an attacker to send cipher text to the web server and learn if it was decrypted properly by examining which error code was returned by the web server. By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text.
大致意思是关于 cryptographic oracle. 黑客通过不断重复发送信息,检测返回的错误信息,然后了解加密算法,最后实现攻击。可是这段话还是没有明白,于是继续搜索:
http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.aspx
这篇文章说明了大致的攻击流程。由于这个问题影响非常大,我就不翻译中文了,只是简单概述一下:
they can repeatedly modify an ASP.NET Forms Authentication cookie encrypted using AES and, by examining the errors returned, determine the Machine Key used to encrypt the cookie. The process is claimed to be 100 percent reliable and takes between 30 and 50 minutes for any site.
2个研究员发现,通过一个工具,能够 修改被AES加密过的 ASP.NET窗体验证cookie;然后检查返回错误信息;获取Machine Key。这个过程100%成功而且只需要30分钟。
Once the Machine Key is determined, attackers can create bogus forms authentication cookies. If site designers have chosen the option to embed role information in the security cookie, then attackers could arbitrarily assign themselves to administrator roles. This exposure also affects other membership provider features, spoofing protection on the ViewState, and encrypted information that might be stored in cookies or otherwise be made available at the client.
一旦machine key被破解出来了,黑客就能够模拟出验证 cookie。如果网站设计者启动了选项,让安全信息放入 security cookie,那么攻击者就能够获取了 管理员权限。 包含的影响范围包括:membership provider, viewstate, 保存在security cookie里面的所有信息。
While the exposure is both wide and immediate, the fix is simple. The hack exploits a bug in .NET's implementation of AES encryption. The solution is to switch to one of the other encryption mechanisms -- to 3DES, for instance. Since encryption for the membership and roles providers is handled by ASP.NET, no modification of existing code should be required for Forms Authentication.
这个bug源于AES加密算法中的一个bug。因此解决方案就是:使用DES(后来被验证是错误的解决方案)。
