ASP.Net 'zero day' Vulnerability 'Padding Oracle Exploit'

Microsoft released Security Advisory 2416728 describing a publicly disclosed vulnerability in ASP.NET that affects all versions of .NET Framework. "To understand how this vulnerability works, you need to know about cryptographic oracles. An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there's a vulnerability in ASP.Net which acts as a padding oracle. This allows an attacker to send chosen ciphertext to the server and learn if it was decrypted properly by examining which error code was returned by the server.

By making many requests the attacker can learn enough to successfully decrypt the rest of the ciphertext. The attacker can then alter the plain text and re-encrypt it as well," explains Microsoft. The workaround for this vulnerability is to use the customErrors feature of ASP.NET to configure apps to return the same error page regardless of which error occurred on the server, so that the response no longer tells the client whether decryption failed.
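As an added illustration of that workaround (not configuration taken from the advisory or from any particular application), the two web.config fragments below contrast a setting that leaves the error response distinguishable with one that rewrites every error into the same page; the error page path `~/error.aspx` is a placeholder.

```xml
<!-- Added example, not from the original post. -->

<!-- Weak: with customErrors off, a request that fails to decrypt produces a
     different error response from any other failure, which is exactly the
     hint a padding oracle needs. -->
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>

<!-- Mitigated: every server-side error, whatever its cause, is rewritten into
     one identical page (placeholder path ~/error.aspx), so the response body
     and status no longer reveal why the request failed. -->
<configuration>
  <system.web>
    <customErrors mode="On"
                  redirectMode="ResponseRewrite"
                  defaultRedirect="~/error.aspx">
      <!-- Deliberately no per-status <error statusCode="..." /> children:
           a distinct page for 404 versus 500 would reintroduce a
           distinguishable response. -->
    </customErrors>
  </system.web>
</configuration>
```

To confirm the setting is effective, request a page that does not exist and one that throws, and compare the two responses: the status code and body must be identical.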

More Info: Understanding the ASP.NET Vulnerability

[Source]