Monday, September 20, 2010

My workaround for the ASP.Net Vulnerability

So overnight I hacked together a quick workaround that I think (no warranty, YMMV, and all that) will help with this advisory from Microsoft.
The vulnerability seems to rely on getting different responses for different errors, with a potential second-generation attack using timing information to glean the same information (albeit more slowly) from requests to WebResource.axd. I attempt to work around both of these here.

The first thing you are going to need is a custom HttpHandler, which we are going to use to wrap requests to WebResource.axd.
Here is the code:
Basically this looks for the two exceptions in question and returns a 404 for either one. Since this is only for embedded resources I don't think this will cause a problem for AJAX in most cases, but if it does you could probably figure out a carve-out that would leave them working.

The next thing we need to do is wire up our handler to some arbitrary file extension in your web.config (see below).
Now we just need to get IIS to route requests through our fixed handler and we're done. I used the URL Rewrite module found here and mapped WebResource.axd to the new URL that I attached my handler to.
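As an added example, not the code the post itself showed (which is not reproduced here), the following wraps the framework's own WebResource.axd handler, collapses both failures into one identical 404 and pads the response time up to a floor so the two failure paths cannot be told apart by timing. The post does not name the two exceptions; CryptographicException and HttpException, the ".wr" extension, the handler name and the 50 ms floor are all assumptions.

```csharp
// web.config wiring, with an assumed ".wr" extension that the URL Rewrite
// rule then maps WebResource.axd requests onto:
//   <httpHandlers><add verb="GET" path="*.wr" type="UniformWebResourceHandler" /></httpHandlers>
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Threading;
using System.Web;
using System.Web.Handlers;
public class UniformWebResourceHandler : IHttpHandler
{
    // Every request, failed or not, takes at least this long. 50 ms is an assumed
    // value: measure your slowest failure path and choose a floor above it.
    private const int FloorMilliseconds = 50;
    // The framework's own WebResource.axd handler does the real work.
    private readonly IHttpHandler inner = new AssemblyResourceLoader();
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        Stopwatch clock = Stopwatch.StartNew();
        try
        {
            inner.ProcessRequest(context);
        }
        catch (Exception ex)
        {
            // Assumed to be the two exceptions the post refers to: a padding failure
            // (normally a 500) and an invalid-resource failure (normally a 404).
            if (!(ex is CryptographicException || ex is HttpException)) throw;
            NotFound(context);
        }
        finally
        {
            // Pad up to the floor so both failure paths finish at the same time.
            int remaining = FloorMilliseconds - (int)clock.ElapsedMilliseconds;
            if (remaining > 0) Thread.Sleep(remaining);
        }
    }

    // One response for every failure: empty body, status 404, no IIS error page.
    private static void NotFound(HttpContext context)
    {
        context.Response.Clear();
        context.Response.StatusCode = 404;
        context.Response.TrySkipIisCustomErrors = true;
        context.Response.SuppressContent = true;
        context.ApplicationInstance.CompleteRequest();
    }
}
```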

Feedback welcome.

4 comments:

  1. Nicely done.
    It would be nice to also somehow restrict what files are accessible through WebResource.axd, either by having a white-list in web.config, or having a white-list of extensions, or at least black-listing the obvious things like web.config, or limiting it based on the ACL of the requested file.

  2. Adding some filtering would be a good idea, but poking around the HttpContext and the Response I don't see any clues as to what file/resource it's returning. The request string is only cipher text, which more than likely contains the resource that is being requested. I'm not exactly sure how to decrypt it without specifying a machine key in the web.config file, which seems like a bad idea.

    I'm more of a client-side developer than an ASP.Net developer, so it's possible I'm missing something obvious here.

  3. I got it doing filtering; it's still a hack, and if we don't get a proper fix from MS by the weekend I'll add some polish and put it on CodePlex.
