對(duì)ASP.NET的最新安全漏洞的跟進(jìn)說(shuō)明

Win7之家（ afsion.com.cn）：對(duì)ASP.NET的最新安全漏洞的跟進(jìn)說(shuō)明

      今天看新聞，看見(jiàn)了關(guān)于ASP.NET的安全漏洞，內(nèi)容大致是：黑客可以下載ASP.NET網(wǎng)站的核心文件（WEB.CONFIG），我估計(jì)還可以下載任意文件，例如數(shù)據(jù)庫(kù)。

　　這個(gè)BUG基本上是致命的，可是博客園的描述卻非常的少，我看了半天也沒(méi)有明白什么意思，如何攻擊，于是挖掘下去。現(xiàn)在把一些明細(xì)寫(xiě)出來(lái)。

　　微軟原文：

　　http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

　　黑客如何發(fā)起攻擊：

　　To understand how this vulnerability works, you need to know about cryptographic oracles. An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there is a vulnerability in ASP.NET which acts as a padding oracle. This allows an attacker to send cipher text to the web server and learn if it was decrypted properly by examining which error code was returned by the web server. By making many such requests （and watching what errors are returned） the attacker can learn enough to successfully decrypt the rest of the cipher text.

　　大致意思是關(guān)于 cryptographic oracle. 黑客通過(guò)不斷重復(fù)發(fā)送信息，檢測(cè)返回的錯(cuò)誤信息，然后了解加密算法，最后實(shí)現(xiàn)攻擊�？墒沁@段話(huà)還是沒(méi)有明白，于是繼續(xù)搜索：

　　http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.aspx  

這篇文章說(shuō)明了大致的攻擊流程。由于這個(gè)問(wèn)題影響非常大，我就不翻譯中文了，只是簡(jiǎn)單概述一下：

　　they can repeatedly modify an ASP.NET Forms Authentication cookie encrypted using AES and, by examining the errors returned, determine the Machine Key used to encrypt the cookie. The process is claimed to be 100 percent reliable and takes between 30 and 50 minutes for any site.

　　2個(gè)研究員發(fā)現(xiàn)，通過(guò)一個(gè)工具，能夠 修改被AES加密過(guò)的 ASP.NET窗體驗(yàn)證cookie;然后檢查返回錯(cuò)誤信息；獲取Machine Key。這個(gè)過(guò)程100%成功而且只需要30分鐘。

　　Once the Machine Key is determined, attackers can create bogus forms authentication cookies. If site designers have chosen the option to embed role information in the security cookie, then attackers could arbitrarily assign themselves to administrator roles. This exposure also affects other membership provider features, spoofing protection on the ViewState, and encrypted information that might be stored in cookies or otherwise be made available at the client.

　　一旦machine key被破解出來(lái)了，黑客就能夠模擬出驗(yàn)證 cookie。如果網(wǎng)站設(shè)計(jì)者啟動(dòng)了選項(xiàng)，讓安全信息放入 security cookie，那么攻擊者就能夠獲取了 管理員權(quán)限。 包含的影響范圍包括：membership provider, viewstate, 保存在security cookie里面的所有信息。

　　While the exposure is both wide and immediate, the fix is simple. The hack exploits a bug in .NET's implementation of AES encryption. The solution is to switch to one of the other encryption mechanisms -- to 3DES, for instance. Since encryption for the membership and roles providers is handled by ASP.NET, no modification of existing code should be required for Forms Authentication.

　　這個(gè)bug源于AES加密算法中的一個(gè)bug。因此解決方案就是：使用DES(后來(lái)被驗(yàn)證是錯(cuò)誤的解決方案)。

第一部分小結(jié)

　　--------------------

　　問(wèn)題的關(guān)鍵字包括：

security cookie, ASP.NET Forms Authentication cookie, Machine Key,role information in the security cookie.
　　大概意思就是，啟動(dòng)了asp.net的驗(yàn)證，并且啟動(dòng)了使用AES加密算法保存敏感信息在驗(yàn)證框架的cookie中后，黑客能夠獲取machinekey，然后獲得管理員權(quán)限。

　　現(xiàn)在問(wèn)題就是，具體是asp.net中什么操作、部署、框架會(huì)受到這個(gè)影響。于是我進(jìn)一步搜索。

　　攻擊方式：padded oracle attack

　　---------------------------------------

　　文章下載地址：http://usenix.org/events/woot10/tech/full_papers/Rizzo.pdf

　　具體我沒(méi)有太明白，也不知道和oracle是什么關(guān)系。不過(guò)有個(gè)回復(fù)說(shuō)的比較詳細(xì)：

Before worrying too much, go to http://usenix.org/events/woot10/tech/full_papers/Rizzo.pdf and read the original paper from Rizzo and Duong (May 25th, 2010). The "padded oracle attack" relies on a chaining block cypher (common) but also requires the "oracle". As some have correctly pointed out above, we need to have ASP.NET (or Java since this is not unique to .NET) return the padding error exception. Without that information, the exploit doesn't work. By default, this exception information is not reported by ASP.NET and this is configurable behavior for Java. If you go to the aforementioned link, I think you'll find more interesting reading related to cracking CAPTCHA using this exploit. However, that too requires cooperation from the web site. It's great learning about exploits and even a little fun but the media sure scares a lot of people (and scares up a lot of clicks) by providing this hyperbole. One guy above said he was happy he used Java. Read the PDF above and you will find Rizzo and Duong found the problem with Java (JSF but also Ruby on Rails) and then turned to see if the same exploit would work with ASP.NET. Technically, it is an exploit but if it doesn't happen with properly configured servers (or the default ASP.NET configuration), it's much ado about nothing.

　　大致意思是，這個(gè)問(wèn)題不僅僅存在在asp.net,而且還有java等。技術(shù)上，如果使用了asp.net的默認(rèn)配置，是不需要擔(dān)心的(所謂默認(rèn)配置，就是新建一個(gè)asp.net項(xiàng)目的配置，沒(méi)有做任何修改)。

窗體驗(yàn)證：Asp.net Form Authentication:

　　--------------------------------------------------

　　http://www.codeproject.com/KB/aspnet/Forms_Auth_Internals.aspx

　　這次受影響的，主要是因?yàn)閱��?dòng)了asp.net的權(quán)限框架，就是這個(gè)所謂的窗體驗(yàn)證。 這個(gè)窗體驗(yàn)證的原理在上面的連接給出了。

　　全文小結(jié)

　　------------------------------------

　　瀏覽了很多頁(yè)面，浪費(fèi)了1個(gè)小時(shí)，終于有點(diǎn)頭緒。

　　問(wèn)題在于如果用戶(hù)使用了微軟提供的窗體驗(yàn)證框架，就會(huì)出現(xiàn)安全漏洞，被黑客破解了保存安全信息的算法(machine key), 然后獲取了管理員權(quán)限，下載服務(wù)器的文件。

　　如果整個(gè)權(quán)限框架是自己寫(xiě)的，那么就不需要擔(dān)心了。

　　幸好，本人所有項(xiàng)目代碼、框架代碼都是自己寫(xiě)的。

---文章來(lái)源eNet