Cryptographic keys can be stolen from ASP.NET web applications by modifying cookies and reviewing the resulting errors — an information disclosure vulnerability from a side channel attack. This video shows the Padding Oracle Exploit Tool (POET) in action:
Details can be found here: Padding Oracle Crypto Attack (POCA)
The attack allows someone to decrypt sniffed cookies, which could contain valuable data such as bank balances, Social Security numbers or crypto keys. The attacker may also be able to create authentication tickets for a vulnerable Web app and abuse other processes that use the application’s crypto API.
[…]
If the padding is invalid, the error message that the sender gets will give him some information about the way that the site’s decryption process works. Rizzo and Duong said that the attack is reliable 100 percent of the time on ASP.NET applications, although the time to success can vary widely. The real limiting resources in this attack are the speed of the server and the bandwidth available.
They say the longest attack time so far has been just 50 minutes. They do not say what the longest time is to fix a site and prevent the attack path.
Microsoft is investigating and discussing a fix. Since it is an information disclosure vulnerability I expect they will enhance the ability to redirect or completely suppress errors. They also may add some randomness of errors to reduce timing attacks — attempts to guess information by the time it takes to respond. Either way, it was already a best practice to suppress errors to prevent information disclosure.
Edited to add (Sep 28th):
- Here is a great introduction to Padding Oracle Attack, including Python code
- Microsoft has released a patch, which has to be manually installed from their download center. They also give the following recommendations, as I predicted above:
Until the patch has been installed, administrators should configure servers to only respond with a single error page, meaning that all server errors should return the same error page so that an attacker would not be able to determine which part of their request was deciphered properly. In addition to this, modify the Page_Load() function within the custom error page to pause for a short random sleep delay before sending the error response.
Administrators should watch for errors with the following message: “CryptographicException” and/or “Padding is invalid and cannot be removed” as these could be an indicator that an attacker may be trying to exploit this vulnerability against an IIS server.