Vulnerabilities > CVE-2010-3332 - Information Exposure Through AN Error Message vulnerability in Microsoft .Net Framework
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
NONE Summary
Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 8 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes any stack traces produced by error messages. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to cause the targeted application to return an error including a stack trace, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. The stack trace enumerates the chain of methods that led up to the point where the error was encountered. This can not only reveal the names of the methods (some of which may have known weaknesses) but possibly also the location of class files and libraries as well as parameter values. In some cases, the stack trace might even disclose sensitive configuration or user information.
- Fuzzing and observing application log data/errors for application mapping An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.
- Padding Oracle Crypto Attack An attacker is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an attacker is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an attacker is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key. Any cryptosystem can be vulnerable to padding oracle attacks if the encrypted messages are not authenticated to ensure their validity prior to decryption, and then the information about padding error is leaked to the attacker. This attack technique may be used, for instance, to break CAPTCHA systems or decrypt/modify state information stored in client side objects (e.g., hidden fields or cookies). This attack technique is a side-channel attack on the cryptosystem that uses a data leak from an improperly implemented decryption routine to completely subvert the cryptosystem. The one bit of information that tells the attacker whether a padding error during decryption has occurred, in whatever form it comes, is sufficient for the attacker to break the cryptosystem. That bit of information can come in a form of an explicit error message about a padding error, a returned blank page, or even the server taking longer to respond (a timing attack). This attack can be launched cross domain where an attacker is able to use cross-domain information leaks to get the bits of information from the padding oracle from a target system / service with which the victim is communicating. To do so an attacker sends a request containing ciphertext to the target system. Due to the browser's same origin policy, the attacker is not able to see the response directly, but can use cross-domain information leak techniques to still get the information needed (i.e., information on whether or not a padding error has occurred). For instance, this can be done using "img" tag plus the onerror()/onload() events. The attacker's JavaScript can make web browsers to load an image on the target site, and know if the image is loaded or not. This is 1-bit information needed for the padding oracle attack to work: if the image is loaded, then it is valid padding, otherwise it is not.
- Probe Application Error Reporting An Attacker, aware of an application's location (and possibly authorized to use the application) can probe the application's structure and evaluate its robustness by probing its error conditions (not unlike one would during a 'fuzz' test, but more purposefully here) in order to support attacks such as blind SQL injection, or for the more general task of mapping the application to mount another subsequent attack.
- Blind SQL Injection Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The attacker can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the attacker determines how and where the target is vulnerable to SQL Injection. For example, an attacker may try entering something like "username' AND 1=1; --" in an input field. If the result is the same as when the attacker entered "username" in the field, then the attacker knows that the application is vulnerable to SQL Injection. The attacker can then ask yes/no questions from the database server to extract information from it. For example, the attacker can extract table names from a database using the following types of queries: If the above query executes properly, then the attacker knows that the first character in a table name in the database is a letter between m and z. If it doesn't, then the attacker knows that the character must be between a and l (assuming of course that table names only contain alphabetic characters). By performing a binary search on all character positions, the attacker can determine all table names in the database. Subsequently, the attacker may execute an actual attack and send something like:
Exploit-Db
description MS10-070 ASP.NET Padding Oracle File Download. CVE-2010-3332. Remote exploit for asp platform id EDB-ID:15265 last seen 2016-02-01 modified 2010-10-17 published 2010-10-17 reporter Agustin Azubel source https://www.exploit-db.com/download/15265/ title ASP.NET Padding Oracle File Download MS10-070 description ASP.NET Padding Oracle Vulnerability (MS10-070). CVE-2010-3332. Remote exploit for asp platform id EDB-ID:15213 last seen 2016-02-01 modified 2010-10-06 published 2010-10-06 reporter Giorgio Fedon source https://www.exploit-db.com/download/15213/ title ASP.NET Padding Oracle Vulnerability MS10-070 description MS10-070 ASP.NET Auto-Decryptor File Download Exploit. CVE-2010-3332. Remote exploit for windows platform id EDB-ID:15292 last seen 2016-02-01 modified 2010-10-20 published 2010-10-20 reporter Agustin Azubel source https://www.exploit-db.com/download/15292/ title ASP.NET Auto-Decryptor File Download Exploit MS10-070
Msbulletin
| bulletin_id | MS10-070 |
| bulletin_url | |
| date | 2010-09-28T00:00:00 |
| impact | Information Disclosure |
| knowledgebase_id | 2418042 |
| knowledgebase_url | |
| severity | Important |
| title | Vulnerability in ASP.NET Could Allow Information Disclosure |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS10-070.NASL description There is an information disclosure vulnerability in ASP.NET, part of the .NET framework. Information can be leaked due to improper error handling during encryption padding. A remote attacker could exploit this to decrypt and modify an ASP.NET application last seen 2020-06-01 modified 2020-06-02 plugin id 49695 published 2010-09-28 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/49695 title MS10-070: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(49695); script_version("1.23"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2010-3332"); script_bugtraq_id(43316); script_xref(name:"MSFT", value:"MS10-070"); script_xref(name:"MSKB", value:"2416447"); script_xref(name:"MSKB", value:"2416451"); script_xref(name:"MSKB", value:"2416468"); script_xref(name:"MSKB", value:"2416469"); script_xref(name:"MSKB", value:"2416470"); script_xref(name:"MSKB", value:"2416471"); script_xref(name:"MSKB", value:"2416472"); script_xref(name:"MSKB", value:"2416473"); script_xref(name:"MSKB", value:"2416474"); script_xref(name:"MSKB", value:"2418240"); script_xref(name:"MSKB", value:"2418241"); script_name(english:"MS10-070: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)"); script_summary(english:"Checks version of System.web.dll / System.web.extensions.dll"); script_set_attribute( attribute:"synopsis", value: "The version of the .NET framework installed on the remote host has an information disclosure vulnerability." ); script_set_attribute( attribute:"description", value: "There is an information disclosure vulnerability in ASP.NET, part of the .NET framework. Information can be leaked due to improper error handling during encryption padding. A remote attacker could exploit this to decrypt and modify an ASP.NET application's server-encrypted data. In .NET Framework 3.5 SP1 and above, an attacker could exploit this to download any file within the ASP.NET application, including web.config." ); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-070"); script_set_attribute( attribute:"solution", value: "Microsoft has released a set of patches for the .NET Framework on Windows XP, 2003, Vista, 2008, 7, and 2008 R2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2010/09/14"); script_set_attribute(attribute:"patch_publication_date", value:"2010/09/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/09/28"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_framework"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS10-070'; kbs = make_list("2416447", "2416451", "2416468", "2416469", "2416470", "2416471", "2416472", "2416473", "2416474", "2418240", "2418241"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING); get_kb_item_or_exit("SMB/Registry/Enumerated"); ver = get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'1,2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN); if (ver == '6.0' && hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); ass_dir = hotfix_get_programfilesdir() + "\Reference Assemblies\Microsoft\Framework"; vuln = 0; # 1.1 SP1 on XP, 2k3 x64, Vista, 2k8 (KB2416447) mising = 0; missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.dll", version:"1.1.4322.2470", min_version:"1.1.4322.0", dir:"\Microsoft.NET\Framework\v1.1.4322"); missing += hotfix_is_vulnerable(os:"5.2", arch:"x64", file:"System.Web.dll", version:"1.1.4322.2470", min_version:"1.1.4322.0", dir:"\Microsoft.NET\Framework\v1.1.4322"); missing += hotfix_is_vulnerable(os:"6.0", file:"System.Web.dll", version:"1.1.4322.2470", min_version:"1.1.4322.0", dir:"\Microsoft.NET\Framework\v1.1.4322"); if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416447'); vuln += missing; # 1.1 SP1 on 2k3 x86 (KB2416451) missing = 0; missing += hotfix_is_vulnerable(os:"5.2", arch:"x86", file:"System.Web.dll", version:"1.1.4322.2470", min_version:"1.1.4322.0", dir:"\Microsoft.NET\Framework\v1.1.4322"); if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416451'); vuln += missing; # 3.5 on XP, 2k3 (KB2416468) missing = 0; missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.dll", version:"2.0.50727.1887", min_version:"2.0.50727.1433", dir:"\Microsoft.NET\Framework\v2.0.50727"); missing += hotfix_is_vulnerable(os:"5.2", file:"System.Web.dll", version:"2.0.50727.1887", min_version:"2.0.50727.1433", dir:"\Microsoft.NET\Framework\v2.0.50727"); if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416468'); vuln += missing; # 3.5 on XP, 2k3, Vista, 2k8 (KB2418240) missing = 0; missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.Extensions.dll", version:"3.5.21022.239", min_version:"3.5.21022.0", path:ass_dir + "\v3.5"); missing += hotfix_is_vulnerable(os:"5.2", file:"System.Web.Extensions.dll", version:"3.5.21022.239", min_version:"3.5.21022.0", path:ass_dir + "\v3.5"); missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"System.Web.Extensions.dll", version:"3.5.21022.239", min_version:"3.5.21022.0", path:ass_dir + "\v3.5"); if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2418240'); vuln += missing; # 3.5 SP1 and 2.0 SP2 on XP, 2k3 (KB2418241) missing = 0; missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.dll", version:"2.0.50727.3618", min_version:"2.0.50727.3000", dir:"\Microsoft.NET\Framework\v2.0.50727"); missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.dll", version:"2.0.50727.5053", min_version:"2.0.50727.5000", dir:"\Microsoft.NET\Framework\v2.0.50727"); missing += hotfix_is_vulnerable(os:"5.2", file:"System.Web.dll", version:"2.0.50727.3618", min_version:"2.0.50727.3000", dir:"\Microsoft.NET\Framework\v2.0.50727"); missing += hotfix_is_vulnerable(os:"5.2", file:"System.Web.dll", version:"2.0.50727.5053", min_version:"2.0.50727.5000", dir:"\Microsoft.NET\Framework\v2.0.50727"); if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2418241'); vuln += missing; # 3.5 SP1 on XP, 2k3, Vista, 2k8 (KB2416473) missing = 0; missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.Extensions.dll", version:"3.5.30729.3644", min_version:"3.5.30729.0", path:ass_dir + "\v3.5"); missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.Extensions.dll", version:"3.5.30729.5053", min_version:"3.5.30729.5000", path:ass_dir + "\v3.5"); missing += hotfix_is_vulnerable(os:"5.2", file:"System.Web.Extensions.dll", version:"3.5.30729.3644", min_version:"3.5.30729.0", path:ass_dir + "\v3.5"); missing += hotfix_is_vulnerable(os:"5.2", file:"System.Web.Extensions.dll", version:"3.5.30729.5053", min_version:"3.5.30729.5000", path:ass_dir + "\v3.5"); missing += hotfix_is_vulnerable(os:"6.0", file:"System.Web.Extensions.dll", version:"3.5.30729.3644", min_version:"3.5.30729.0", path:ass_dir + "\v3.5"); missing += hotfix_is_vulnerable(os:"6.0", file:"System.Web.Extensions.dll", version:"3.5.30729.5053", min_version:"3.5.30729.5000", path:ass_dir + "\v3.5"); if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416473'); vuln += missing; # 2.0 SP1 and 3.5 on Vista SP1 and 2008 (KB2416469) missing = 0; missing += hotfix_is_vulnerable(os:"6.0", sp:1, file:"System.web.dll", version:"2.0.50727.1887", min_version:"2.0.50727.1000", dir:"\Microsoft.NET\Framework\v2.0.50727"); if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416469'); vuln += missing; # 2.0 SP2 and 3.5 SP1 on Vista SP1 and 2008 (KB2416474) missing = 0; missing += hotfix_is_vulnerable(os:"6.0", sp:1, file:"System.web.dll", version:"2.0.50727.3618", min_version:"2.0.50727.3000", dir:"\Microsoft.NET\Framework\v2.0.50727"); missing += hotfix_is_vulnerable(os:"6.0", sp:1, file:"System.web.dll", version:"2.0.50727.5053", min_version:"2.0.50727.4400", dir:"\Microsoft.NET\Framework\v2.0.50727"); if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416474'); vuln += missing; # 2.0 SP2 and 3.5 SP1 on Vista SP2, 2k8 SP2 (KB2416470) missing = 0; missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"System.web.dll", version:"2.0.50727.4209", min_version:"2.0.50727.3000", dir:"\Microsoft.NET\Framework\v2.0.50727"); missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"System.web.dll", version:"2.0.50727.5053", min_version:"2.0.50727.4400", dir:"\Microsoft.NET\Framework\v2.0.50727"); if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416470'); vuln += missing; # 3.5.1 on Windows 7 and 2008 R2 (KB2416471) missing = 0; missing += hotfix_is_vulnerable(os:"6.1", sp:0, file:"System.web.dll", version:"2.0.50727.5053", min_version:"2.0.50727.5000", dir:"\Microsoft.NET\Framework\v2.0.50727"); missing += hotfix_is_vulnerable(os:"6.1", sp:0, file:"System.web.dll", version:"2.0.50727.4955", min_version:"2.0.50727.4000", dir:"\Microsoft.NET\Framework\v2.0.50727"); if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416471'); vuln += missing; # 4.0 on XP, 2k3, Vista, 2k8, 7, 2008 R2 (KB2416472) missing = 0; missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.dll", version:"4.0.30319.206", min_version:"4.0.30319.0", dir:"\Microsoft.NET\Framework\v4.0.30319"); missing += hotfix_is_vulnerable(os:"5.1", file:"System.Web.dll", version:"4.0.30319.363", min_version:"4.0.30319.300", dir:"\Microsoft.NET\Framework\v4.0.30319"); missing += hotfix_is_vulnerable(os:"5.2", file:"System.Web.dll", version:"4.0.30319.206", min_version:"4.0.30319.0", dir:"\Microsoft.NET\Framework\v4.0.30319"); missing += hotfix_is_vulnerable(os:"5.2", file:"System.Web.dll", version:"4.0.30319.363", min_version:"4.0.30319.300", dir:"\Microsoft.NET\Framework\v4.0.30319"); missing += hotfix_is_vulnerable(os:"6.0", file:"System.Web.dll", version:"4.0.30319.206", min_version:"4.0.30319.0", dir:"\Microsoft.NET\Framework\v4.0.30319"); missing += hotfix_is_vulnerable(os:"6.0", file:"System.Web.dll", version:"4.0.30319.363", min_version:"4.0.30319.300", dir:"\Microsoft.NET\Framework\v4.0.30319"); missing += hotfix_is_vulnerable(os:"6.1", file:"System.Web.dll", version:"4.0.30319.206", min_version:"4.0.30319.0", dir:"\Microsoft.NET\Framework\v4.0.30319"); missing += hotfix_is_vulnerable(os:"6.1", file:"System.Web.dll", version:"4.0.30319.363", min_version:"4.0.30319.300", dir:"\Microsoft.NET\Framework\v4.0.30319"); if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2416472'); vuln += missing; if (vuln > 0) { set_kb_item(name:"SMB/Missing/MS10-070", value:TRUE); hotfix_security_warning(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }NASL family SuSE Local Security Checks NASL id SUSE_BYTEFX-DATA-MYSQL-8001.NASL description The FORMS authentication methods of mono ASP.net implementation were vulnerable to a padding oracle attack as described in CVE-2010-3332, as they did encryption after checksum. This update changes the method to checksum after encryption to avoid this attack. last seen 2020-06-05 modified 2012-03-21 plugin id 58408 published 2012-03-21 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/58408 title SuSE 10 Security Update : Mono (ZYPP Patch Number 8001) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # include("compat.inc"); if (description) { script_id(58408); script_version ("1.7"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2010-3332"); script_name(english:"SuSE 10 Security Update : Mono (ZYPP Patch Number 8001)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 10 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "The FORMS authentication methods of mono ASP.net implementation were vulnerable to a padding oracle attack as described in CVE-2010-3332, as they did encryption after checksum. This update changes the method to checksum after encryption to avoid this attack." ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-3332.html" ); script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 8001."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2012/02/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/03/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SLED10", sp:4, reference:"bytefx-data-mysql-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"ibm-data-db2-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"mono-core-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"mono-data-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"mono-data-firebird-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"mono-data-oracle-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"mono-data-postgresql-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"mono-data-sqlite-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"mono-data-sybase-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"mono-devel-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"mono-extras-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"mono-locale-extras-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"mono-nunit-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"mono-web-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"mono-winforms-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLED10", sp:4, cpu:"x86_64", reference:"mono-core-32bit-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"mono-core-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"mono-data-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"mono-data-firebird-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"mono-data-oracle-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"mono-data-postgresql-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"mono-data-sqlite-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"mono-data-sybase-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"mono-locale-extras-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"mono-nunit-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"mono-web-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"mono-winforms-1.2.2-12.32.1")) flag++; if (rpm_check(release:"SLES10", sp:4, cpu:"x86_64", reference:"mono-core-32bit-1.2.2-12.32.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else exit(0, "The host is not affected.");NASL family Windows NASL id PADDING_ORACLE_MS10-070.NASL description There is an information disclosure vulnerability in ASP.NET, part of the .NET framework. Information can be leaked due to improper error handling during encryption padding. A remote attacker could exploit this to decrypt and modify an ASP.NET application last seen 2020-06-01 modified 2020-06-02 plugin id 49806 published 2010-10-08 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/49806 title MS10-070: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042) (uncredentialed check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(49806); script_version("1.20"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12"); script_cve_id("CVE-2010-3332"); script_bugtraq_id(43316); script_xref(name:"MSFT", value:"MS10-070"); script_xref(name:"MSKB", value:"2416447"); script_xref(name:"MSKB", value:"2416451"); script_xref(name:"MSKB", value:"2416468"); script_xref(name:"MSKB", value:"2416469"); script_xref(name:"MSKB", value:"2416470"); script_xref(name:"MSKB", value:"2416471"); script_xref(name:"MSKB", value:"2416472"); script_xref(name:"MSKB", value:"2416473"); script_xref(name:"MSKB", value:"2416474"); script_xref(name:"MSKB", value:"2418240"); script_xref(name:"MSKB", value:"2418241"); script_name(english:"MS10-070: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042) (uncredentialed check)"); script_summary(english:"Test vulnerability of ASP.NET to MS10-070"); script_set_attribute( attribute:"synopsis", value: "The version of the .NET framework installed on the remote host has an information disclosure vulnerability." ); script_set_attribute( attribute:"description", value: "There is an information disclosure vulnerability in ASP.NET, part of the .NET framework. Information can be leaked due to improper error handling during encryption padding. A remote attacker could exploit this to decrypt and modify an ASP.NET application's server-encrypted data. In .NET Framework 3.5 SP1 and above, an attacker could exploit this to download any file within the ASP.NET application, including web.config." ); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-070"); script_set_attribute( attribute:"solution", value: "Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2010/09/17"); script_set_attribute(attribute:"patch_publication_date", value:"2010/09/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/08"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_framework"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2010-2020 Tenable Network Security, Inc."); script_dependencie("webmirror.nasl", "http_version.nasl"); script_require_ports("Services/www", 80); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); function base64url_decode(str) { local_var cstr,padlen; # strip last char cstr = substr(str, 0, strlen(str) - 2); # num of '=' to pad padlen = str[strlen(str) -1]; cstr = str_replace(string:cstr, find:"-",replace:"+"); cstr = str_replace(string:cstr, find:"_",replace:"/"); cstr += crap(data:"=",length:padlen); return base64_decode(str:cstr); } function base64url_encode(str) { local_var cstr, idx, padchars; cstr = base64(str:str); # look for '=' idx = stridx(cstr,"="); if(idx != -1) { padchars = substr(cstr, idx, strlen(cstr) -1); cstr = substr(cstr, 0, idx -1); cstr += strlen(padchars); } else # no padding cstr += "0"; cstr = str_replace(string:cstr, find:"+",replace:"-"); cstr = str_replace(string:cstr, find:"/",replace:"_"); return cstr; } # # parse link like url?arg1=value1&arg2=value2... # # ret['url'] = url part # ret['args'] = array of 'arg' associative arrays # function parse_link(link) { local_var ret, arg_pair_l, arg_pair, array, arg, match; match = eregmatch(string:link,pattern:"^(.+)\?(.+)$"); # link with no arguments if(! match) { ret['url'] = link; return ret; } ret['url'] = match[1]; arg_pair_l = split(match[2],sep:"&", keep:FALSE); foreach arg_pair(arg_pair_l) { array = split(arg_pair,sep:"=",keep:FALSE); arg[array[0]] = array[1]; } ret['args'] = arg; return ret; } # Perform the axd check with the given d and t arguments function check_axd_go(port, path, d, t) { local_var req, res, axd, fixed, original, final_url, links, array, item; # Make sure we have all the arguments we need if(isnull(path) || isnull(d) || isnull(t)) return NULL; #decode original = base64url_decode(str:d); #change the last byte fixed = original; fixed[strlen(fixed)-1] = raw_string(ord(fixed[strlen(fixed) - 1]) -1); #re-encode fixed = base64url_encode(str:fixed); #build the final url to request final_url = "/" + path + '?d=' + fixed + '&t=' + t; #Resend the request with the changed padding req = http_mk_get_req(port:port, item: final_url, version: 11); res = http_send_recv_req(port:port, req:req, fetch404:TRUE, exit_on_fail:TRUE); # See if the page contained a padding error if("adding is invalid" >< res[2]) { return path + " returned a padding error."; } else if(("CryptographicException" >< res[2]) || ("Bad Data" >< res[2])) { return path + " returned a runtime error."; } else if("404" >< res[0]) { exit(0, "The web server on port " + port + " returned a 404 error on " + path + " with invalid padding."); } else if("302" >< res[0]) { exit(0, "The web server on port " + port + " returned a HTTP Redirect on " + path + " with invalid padding, which may indicate mitigation is in place."); } else { return NULL; } } function check_axd(port, path) { local_var req, res, axd, fixed, original, final_url, links, array, item; local_var link, result; local_var args; req = http_mk_get_req(port:port, item:path, version: 11); res = http_send_recv_req(port:port, req:req, exit_on_fail:TRUE, fetch404:TRUE); links = egrep(pattern:'\\.axd', string:res[2]); if(!links) return NULL; array = split(links, sep:'\n'); foreach item(array) { item = chomp(item); axd = eregmatch(pattern:'[\'"]([^"\']+\\.axd[^\'"]*)["\']', string:item); if(!isnull(axd)) { if("http" >!< axd[0]) { link = parse_link(link:axd[1]); args = link['args']; result = check_axd_go(port:port, path:link['url'], d:args['d'], t:args['t']); if(!isnull(result)) { return result; } } } } } function check_viewstate_go(port, path, viewstate, event_validation) { local_var viewstate_bin, fixed, postdata, res; # make sure we have all the arguments we need if(isnull(path) || isnull(viewstate) || isnull(event_validation)) return NULL; # Decode viewstate_bin = base64_decode(str: viewstate); # Modify the last character in the string to induce a padding error fixed = viewstate_bin; fixed[strlen(fixed)-1] = raw_string(ord(fixed[strlen(fixed) - 1]) -1); # Re-encode fixed = base64(str:fixed); # URL-encode the strings (we only have to worry about three symbols) fixed = str_replace(string:fixed, find:"+",replace:"%2b"); fixed = str_replace(string:fixed, find:"/",replace:"%2f"); fixed = str_replace(string:fixed, find:"=",replace:"%3d"); event_validation = str_replace(string:event_validation, find:"+",replace:"%2b"); event_validation = str_replace(string:event_validation, find:"/",replace:"%2f"); event_validation = str_replace(string:event_validation, find:"=",replace:"%3d"); postdata = "__VIEWSTATE=" + fixed + "&" + "__EVENTVALIDATION=" + event_validation + "&__VIEWSTATEENCRYPTED=''"; res = http_send_recv3(method: "POST", item: "/", port: port, content_type: "application/x-www-form-urlencoded", data: postdata, exit_on_fail:TRUE, fetch404:TRUE); if("adding is invalid" >< res[2]) { return "Viewstate at " + path + " returned a padding error."; } else if("rypto" >< res[2] && 'xception' >< res[2]) { return "Viewstate at " + path + " returned a cryptographic exception."; } else { return NULL; } } function mk_list() { if (isnull(_FCT_ANON_ARGS[0])) return make_list(); else return make_list(_FCT_ANON_ARGS[0]); } function check_viewstate(port, path) { local_var req, res, viewstate, event_validation; req = http_mk_get_req(port:port, item:path, version: 11); res = http_send_recv_req(port:port, req:req, exit_on_fail:TRUE, fetch404:TRUE); if("__VIEWSTATE" >!< res[2]) { return NULL; } if("__VIEWSTATEENCRYPTED" >!< res[2]) { return NULL; } viewstate = eregmatch(pattern:'<[^>]+hidden[^>]+name=["\']__VIEWSTATE[^>]+value=["\']([^"\']+)["\']', string:res[2]); event_validation = eregmatch(pattern:'<[^>]+hidden[^>]+name=["\']__EVENTVALIDATION[^>]+value=["\']([^"\']+)["\']', string:res[2]); if(isnull(viewstate) || isnull(event_validation)) { return NULL; } return check_viewstate_go(port:port, path:path, viewstate:viewstate[1], event_validation:event_validation[1]); } var port, axd_files, viewstate_files; var axd_count, viewstate_count; port = get_http_port(default:80); # Get a list of .axd files from the webspider script. If CGI scanning is off, # this will be less effective. axd_files = get_kb_list("www/" + port + "/content/extensions/axd"); if(isnull(axd_files)) { var result; # If we don't have the webmirror extension, check the root folder result = check_axd(port:port, path:'/'); if(!isnull(result)) { security_warning(port:port, extra:'\n' + result + '\n'); exit(0); } } else { axd_files = make_list(axd_files); axd_count = 0; foreach axd(axd_files) { var d_list, t_list; d_list = get_kb_list("www/" + port + "/cgi-params" + axd + "/d"); t_list = get_kb_list("www/" + port + "/cgi-params" + axd + "/t"); if(!isnull(d_list) && !isnull(t_list)) { var max, i; d_list = make_list(d_list); t_list = make_list(t_list); max = max_index(d_list); for(i = 0; i < max; i++) { var d, t; d = d_list[i]; t = t_list[i]; if(isnull(t)) t = ''; result = check_axd_go(port:port, path:axd, d:d, t:t); if(!isnull(result)) { security_warning(port:port, extra:'\n' + result + '\n'); exit(0); } } # Limit the number of files we check if(axd_count > 4) break; axd_count++; } } } # Get a list of all .cgis. If CGI scanning is turned off, again, this will be more complicated viewstate_files = get_kb_list('www/' + port + '/cgi'); if(isnull(viewstate_files)) { # Check the root path only var result; result = check_viewstate(port:port, path:'/'); if(!isnull(result)) { security_warning(port:port, extra:'\n' + result + '\n'); exit(0); } } else { viewstate_files = make_list(viewstate_files); viewstate_count = 0; # Search our viewstate files for one with __VIEWSTATEENCRYPTED foreach file(viewstate_files) { var viewstateencrypted; viewstate_encrypted = get_kb_list("www/" + port + "/cgi-params" + file + "/__VIEWSTATEENCRYPTED"); if(!isnull(viewstate_encrypted)) { var viewstate, event_validation, result; lVS = mk_list(get_kb_list("www/" + port + "/cgi-params" + file + "/__VIEWSTATE")); foreach viewstate (lVS) { lEV = mk_list(get_kb_list("www/" + port + "/cgi-params" + file + "/__EVENTVALIDATION")); foreach event_validation (lEV) { result = check_viewstate_go(port:port, path:file, viewstate:viewstate, event_validation:event_validation); if(!isnull(result)) { security_warning(port:port, extra:'\n' + result + '\n'); exit(0); } } } } # Limit the number of files we check if(viewstate_count > 4) break; viewstate_count++; } } exit(0, "The web server on port " + port + " didn't have a vulnerable .axd file or encrypted viewstate that could be found.");NASL family CGI abuses NASL id PADDING_ORACLE.NASL description By manipulating the padding on an encrypted string, Nessus was able to generate an error message that indicates a likely last seen 2020-06-01 modified 2020-06-02 plugin id 50413 published 2010-10-29 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50413 title CGI Generic Padding Oracle code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(50413); script_version("1.16"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12"); script_cve_id("CVE-2010-3332"); script_bugtraq_id(43316, 44285); script_xref(name:"MSFT", value:"MS10-070"); script_xref(name:"MSKB", value:"2416447"); script_xref(name:"MSKB", value:"2416451"); script_xref(name:"MSKB", value:"2416468"); script_xref(name:"MSKB", value:"2416469"); script_xref(name:"MSKB", value:"2416470"); script_xref(name:"MSKB", value:"2416471"); script_xref(name:"MSKB", value:"2416472"); script_xref(name:"MSKB", value:"2416473"); script_xref(name:"MSKB", value:"2416474"); script_xref(name:"MSKB", value:"2418240"); script_xref(name:"MSKB", value:"2418241"); script_name(english:"CGI Generic Padding Oracle"); script_summary(english:"Generic padding oracle detection"); script_set_attribute( attribute:"synopsis", value: "A web application hosted on the remote server is potentially prone to a padding oracle attack" ); script_set_attribute( attribute:"description", value: "By manipulating the padding on an encrypted string, Nessus was able to generate an error message that indicates a likely 'padding oracle' vulnerability. Such a vulnerability can affect any application or framework that uses encryption improperly, such as some versions of ASP.net, Java Server Faces, and Mono. An attacker may exploit this issue to decrypt data and recover encryption keys, potentially viewing and modifying confidential data. Note that this plugin should detect the MS10-070 padding oracle vulnerability in ASP.net if CustomErrors are enabled in that." ); script_set_attribute( attribute:"solution", value: "Update the affected server software, or modify the CGI scripts so that they properly validate encrypted data before attempting decryption." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"see_also", value:"http://netifera.com/research/"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-070"); script_set_attribute(attribute:"see_also", value:"https://www.mono-project.com/Vulnerabilities/#ASP.NET_Padding_Oracle"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=623799"); script_set_attribute(attribute:"vuln_publication_date",value:"2010/09/17"); script_set_attribute(attribute:"patch_publication_date",value:"2010/09/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/29"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_MIXED_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2010-2020 Tenable Network Security, Inc."); script_dependencie("webmirror.nasl", "http_version.nasl"); script_require_ports("Services/www", 80); script_exclude_keys("Settings/disable_cgi_scanning"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("byte_func.inc"); include("url_func.inc"); include("torture_cgi.inc"); # Define encoding constants ENCODING_BASE64 = 1; ENCODING_BASE64_URL = 2; ENCODING_HEX = 3; # Define the strings that indicate vulnerability. These will only trigger if they're found by switching # the last bit, not the first bit or no bits, so they can be somewhat general. VULN_STRINGS = make_list('padding', 'runtime', 'runtime error', 'server error', 'cryptographicexception', 'crypto'); # Keep track of what we've already tested so we don't repeat checks cache = make_list(); # If this is still FALSE at the end of execution, don't display the exit message vulnerable = ''; found_encrypted = FALSE; # Decode a URL-encoded Base64 string (used by ASP.net). Basically, it's base64 with different # symbols, and with an integer for padding instead of equal signs. function base64url_decode(str) { local_var cstr,padlen; # strip last char cstr = substr(str, 0, strlen(str) - 2); # num of '=' to pad padlen = str[strlen(str) -1]; cstr = str_replace(string:cstr, find:"-",replace:"+"); cstr = str_replace(string:cstr, find:"_",replace:"/"); cstr += crap(data:"=",length:padlen); return base64_decode(str:cstr); } function base64url_encode(str) { local_var cstr, idx, padchars; cstr = base64(str:str); # look for '=' idx = stridx(cstr,"="); if(idx != -1) { padchars = substr(cstr, idx, strlen(cstr) -1); cstr = substr(cstr, 0, idx -1); cstr += strlen(padchars); } else # no padding cstr += "0"; cstr = str_replace(string:cstr, find:"+",replace:"-"); cstr = str_replace(string:cstr, find:"/",replace:"_"); return cstr; } # Decide if the data given in 'data' is encrypted # # It turns out that this is difficult to do on short strings, so we are going to # solve this by cheating. Basically, check if the string contains any non-ascii # characters (<0x20 or >0x7F). The odds of a 4-character encrypted string having # at least one character that falls outside of ASCII is almost 100%. We also # ignore any string longer than 16 bytes, since those are generally too short # to be encrypted. function is_encrypted(data) { local_var non_ascii, i, b; # Make sure we have a reasonable sized string (encrypted strings tend to be long, and short strings tend to # break our numbers) if(strlen(data) < 16) return FALSE; non_ascii = 0; for(i = 0; i < strlen(data); i++) { b = getbyte(blob:data, pos:i); if(b < 0x20 || b > 0x7F) non_ascii++; } return (non_ascii > (strlen(data) / 4)); } # All encrypted CGI arguments have an encoding. Here is what I've found so far: # ASP.net .axd files - base64-url # ASP.net __VIEWSTATE - base64 # Mono .axd files - hex # Mono __VIEWSTATE - hex # # We give priority to hex. If a string has an even number of characters in the range 0-9 and A-F, we call # it hex and don't try Base64. It's fairly unlikely that a reasonably sized base64 string would be exclusively # hex characters. # # Base64 and Base64 URL are a little more difficult to distinguish. In *most* cases, we're okay, but once in awhile # it may be decoded incorrectly, in which case two different encodings are returned. function decode(data) { local_var decoded_str, decoded; decoded = make_array(); # Get rid of strings that are all numeric (they probably aren't encoded and they pollute our results) if(ereg(string:data, pattern:"^[0-9]+$")) { return NULL; } # Hex strings are a-fA-F0-9. Although it's technically possible for a base64 string to look like this, # it's exceptionally unlikely. if(ereg(string:data, pattern:"^([a-fA-F0-9]{2})+$")) { decoded_str = hex2raw(s:data); if(decoded_str) { decoded[ENCODING_HEX] = decoded_str; return decoded; } } # base64url always has an integer 0, 1, or 2 at the end, and contains letters, numbers, -, and _. The # final byte is the number of padding bytes, so the string length with a number of extra bytes equal # to the final digit has to be a multiple of 4. if(ereg(string:data, pattern:"^[a-zA-Z0-9_-]+[012]$")) { # The last letter represents the length if(((strlen(data) - 1 + int(data[strlen(data)-1])) % 4) == 0) { decoded_str = base64url_decode(str:data); if(decoded_str) decoded[ENCODING_BASE64_URL] = decoded_str; } } # base64 strings are similar, except they can contain + and /, and end with 0 - 2 '=' signs. They are # also a multiple of 4 bytes. if(ereg(string:data, pattern:"^[a-zA-Z0-9/+]+={0,2}$") && (strlen(data) % 4) == 0) { decoded_str = base64_decode(str:data); if(decoded_str) decoded[ENCODING_BASE64] = decoded_str; } if(max_index(keys(decoded)) == 0) return NULL; return decoded; } function encode(data, encoding) { if(encoding == ENCODING_BASE64_URL) return base64url_encode(str:data); if(encoding == ENCODING_BASE64) return base64(str:data); if(encoding == ENCODING_HEX) return hexstr(data); exit(0, "Unknown encoding type was passed to encode(): " + encoding); return NULL; } function go(port, page, new_arg, new_value) { local_var query, arg_value, res; local_var arg, args, arg2; # First, we need to get all the arguments for the page query = page + '?'; # Then get all the arguments, and replace the one we want args = get_cgi_arg_list(port: port, cgi: page); if (max_index(args) == 0) exit(0, "Couldn't get args list"); # Shouldn't ever happen (we already did this check) foreach arg(args) { arg2 = replace_cgi_1arg_token(port: port, arg: arg); if (arg2 == new_arg) { query = query + arg2 + "=" + urlencode(str:new_value) + "&"; } else { arg_value = get_cgi_arg_val_list(port: port, cgi: page, arg: arg); if(max_index(arg_value) == 0 || !arg_value[0]) arg_value = make_list(''); query = query + arg2 + "=" + urlencode(str:arg_value[0]) + "&"; } } query = substr(query, 0, strlen(query)-2); res = http_send_recv3(method:'GET', item:query, port:port, fetch404:TRUE, exit_on_fail:TRUE); return res; } function do_check(port, page, arg, value, encoding) { local_var temp, test_values, i; local_var result, test_results; local_var vuln_string; test_values = make_list(); test_results = make_list(); test_values[0] = value; # The second test is going to change the first bit temp = value; temp[0] = raw_string(ord(value[0]) ^ 1); test_values[1] = temp; # The first test is going to change the last bit temp = value; temp[strlen(value)-1] = raw_string(ord(value[strlen(value) - 1]) ^ 1); test_values[2] = temp; # Encode all the values using the given encoding for(i = 0; i < max_index(test_values); i++) { test_values[i] = encode(data:test_values[i], encoding:encoding); result = go(port:port, page:page, new_arg:arg, new_value:test_values[i]); test_results[i] = tolower(result[0] + result[1] + result[2]); } # If the control test returned an error, then keep going if('200' >!< test_results[0]) return; # Check if changing the last bit produced a result that changing the first bit didn't. These results are based # on a list of error strings. foreach vuln_string(VULN_STRINGS) { if(vuln_string >< test_results[2] && vuln_string >!< test_results[1] && vuln_string >!< test_results[0]) { vulnerable += ' - ' + page + ' [arg=' + arg + ']\n'; return TRUE; } } } function try_check(port, page, arg, value) { local_var cached; local_var decoded, data; local_var key; # Check if we've already looked at this argument foreach cached(cache) if(cached == value) return; cache = make_list(cache, value); # Try decoding the argument decoded = decode(data:value); if(decoded) { # Loop through the possible encryptions foreach key(keys(decoded)) { if(is_encrypted(data:decoded[key])) { found_encrypted = TRUE; do_check(port:port, page:page, arg:arg, value:decoded[key], encoding:key); if (vulnerable && !thorough_tests) break; } } } } port = get_http_port(default:80, embedded: 0); # Get a list of all CGI files. If CGI scanning is turned off, we give up and die if (get_kb_item("Settings/disable_cgi_scanning")) exit(0, "CGI scanning is disabled."); cgi = get_cgi_list(port: port); if (isnull(cgi)) exit(0, "Couldn't find any web applications on the web server on port "+port+"."); # Look for a CGI with an encrypted argument foreach file (cgi) { cgi_args = get_cgi_arg_list(port: port, cgi: file); if(max_index(cgi_args) > 0) { foreach cgi_arg(cgi_args) { values = get_cgi_arg_val_list(port: port, cgi: file, arg: cgi_arg); if(max_index(values) > 0) { cgi_arg = replace_cgi_1arg_token(port: port, arg: cgi_arg); try_check(port:port, page:file, arg:cgi_arg, value:values[0]); if (vulnerable && !thorough_tests) break; } } } } if(vulnerable) { if (report_verbosity > 0) { if (max_index(split(vulnerable)) > 1) { s = "s"; are = "are"; } else { s = ""; are = "is"; } report = '\n' + 'The following page'+s+' / argument'+s+' '+are+' potentially affected :\n' + '\n' + vulnerable; if (!thorough_tests) report += '\n' + 'Note that Nessus stopped searching after one affected script was found.\n' + 'For a complete scan, enable the \'Perform thorough tests\' setting and\n' + 're-scan.\n'; security_warning(port:port, extra:report); } else security_warning(port); exit(0); } else if(found_encrypted) exit(0, "The web server on port " + port + " appears to use encrypted data and appears unaffected."); else exit(0, "The web server on port " + port + " does not appear to use encrypted data so no checks were performed.");NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201206-13.NASL description The remote host is affected by the vulnerability described in GLSA-201206-13 (Mono: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Mono and Mono debugger. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could execute arbitrary code, bypass general constraints, obtain the source code for .aspx applications, obtain other sensitive information, cause a Denial of Service, modify internal data structures, or corrupt the internal state of the security manager. A local attacker could entice a user into running Mono debugger in a directory containing a specially crafted library file to execute arbitrary code with the privileges of the user running Mono debugger. A context-dependent attacker could bypass the authentication mechanism provided by the XML Signature specification. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 59651 published 2012-06-22 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59651 title GLSA-201206-13 : Mono: Multiple vulnerabilities code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201206-13. # # The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(59651); script_version("1.9"); script_cvs_date("Date: 2019/08/12 17:35:38"); script_cve_id("CVE-2009-0217", "CVE-2010-3332", "CVE-2010-3369", "CVE-2010-4159", "CVE-2010-4225", "CVE-2010-4254", "CVE-2011-0989", "CVE-2011-0990", "CVE-2011-0991", "CVE-2011-0992"); script_bugtraq_id(35671, 43316, 44351, 44810, 45051, 45711, 47208); script_xref(name:"GLSA", value:"201206-13"); script_name(english:"GLSA-201206-13 : Mono: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201206-13 (Mono: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Mono and Mono debugger. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could execute arbitrary code, bypass general constraints, obtain the source code for .aspx applications, obtain other sensitive information, cause a Denial of Service, modify internal data structures, or corrupt the internal state of the security manager. A local attacker could entice a user into running Mono debugger in a directory containing a specially crafted library file to execute arbitrary code with the privileges of the user running Mono debugger. A context-dependent attacker could bypass the authentication mechanism provided by the XML Signature specification. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201206-13" ); script_set_attribute( attribute:"solution", value: "All Mono debugger users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-util/mono-debugger-2.8.1-r1' All Mono users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-lang/mono-2.10.2-r1'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mono"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mono-debugger"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/14"); script_set_attribute(attribute:"patch_publication_date", value:"2012/06/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"dev-lang/mono", unaffected:make_list("ge 2.10.2-r1"), vulnerable:make_list("lt 2.10.2-r1"))) flag++; if (qpkg_check(package:"dev-util/mono-debugger", unaffected:make_list("ge 2.8.1-r1"), vulnerable:make_list("lt 2.8.1-r1"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Mono"); }NASL family SuSE Local Security Checks NASL id SUSE_11_BYTEFX-DATA-MYSQL-110331.NASL description The following security bugs have been fixed : - Mono was vulnerable to a padding oracle attack. (CVE-2010-3332) - Mono loaded shared libraries from the current directory. (CVE-2010-4159) last seen 2020-06-01 modified 2020-06-02 plugin id 53528 published 2011-04-22 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/53528 title SuSE 11.1 Security Update : Mono (SAT Patch Number 4260)
Oval
| accepted | 2014-08-18T04:00:27.401-04:00 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| description | Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability." | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| family | windows | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:12365 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| submitted | 2011-02-09T13:00:00 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| title | ASP.NET Padding Oracle Vulnerability | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| version | 48 |
Seebug
| bulletinFamily | exploit |
| description | MS10-070 ASP.NET Padding Oracle信息泄露漏洞 1.漏洞描述。 ASP.NET由于加密填充验证过程中处理错误不当,导致存在一个信息泄漏漏洞。成功利用此漏洞的攻击者可以读取服务器加密的数据,例如视图状态。 此漏洞还可以用于数据篡改,如果成功利用,可用于解密和篡改服务器加密的数据。 虽然攻击者无法利用此漏洞来执行恶意攻击代码或直接提升他们的用户权限,但此漏洞可用于信息搜集,这些信息可用于进一步攻击受影响的系统。 也就是说虽然不能直接getshell,但是理论上可以读取任意文件,包括数据库配置文件。 2.漏洞标识符: CVE: CVE-2010-3332 3.受影响系统 Microsoft .NET Framework 4.0 Microsoft .NET Framework 3.5 SP1 Microsoft .NET Framework 3.5 Microsoft .NET Framework 2.0 SP2 Microsoft .NET Framework 1.0 SP3 4.漏洞解决办法: 4.1 临时解决办法: * 启用ASP.NET自定义错误并将所有的错误代码都映射到相同的出错页面。 * 创建包含有通用出错消息的error.html文件并保存到根目录。 * 4.2 微软补丁: 微软已经为此发布了一个安全公告(MS10-070)以及相应补丁: http://www.microsoft.com/technet ... 10-070.mspx?pf=true |
| id | SSV:20182 |
| last seen | 2017-11-19 |
| modified | 2010-10-17 |
| published | 2010-10-17 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-20182 |
| title | MS10-070 ASP.NET Padding Oracle File Download |
References
- http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
- http://isc.sans.edu/diary.html?storyid=9568
- http://pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/
- http://secunia.com/advisories/41409
- http://securitytracker.com/id?1024459
- http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310
- http://twitter.com/thaidn/statuses/24832350146
- http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
- http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2799/Oracle-Padding-Vulnerability-in-ASP-NET.aspx
- http://www.ekoparty.org/juliano-rizzo-2010.php
- http://www.microsoft.com/technet/security/advisory/2416728.mspx
- http://www.mono-project.com/Vulnerabilities#ASP.NET_Padding_Oracle
- http://www.securityfocus.com/bid/43316
- http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security
- http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
- http://www.vupen.com/english/advisories/2010/2429
- http://www.vupen.com/english/advisories/2010/2751
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070
- https://exchange.xforce.ibmcloud.com/vulnerabilities/61898
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12365