
POET vs ASP.NET: DotNetNuke


In this video we show how to use POET to attack the latest version of ASP.NET. The target application is DotNetNuke. The attack consists of two phases:

1. In the first phase, we use POET to extract DotNetNuke’s secret keys, and use those keys to generate a cookie to log in as a super user. The same technique can be used to attack _every_ ASP.NET application.
2. In the second phase, we use Cesar Cerrudo’s Token Kidnapping attack to gain SYSTEM privilege on the Windows server hosting DotNetNuke.

This research was done by Thai Duong and Juliano Rizzo. More information can be found at netifera.com


25 Comments

  1. tehklevster

    Was this machine running at ASP.NET “Full Trust”?

  2. evanoahsoftware

    @cryptbe: So you’re saying CustomErrors=Remote and setting those error pages doesn’t prevent this when you say the setting is “irrelevant”?

  3. slegay

    Please, I’d love to see you hack an authentication cookie with customerrors=on. Once you get a standard 500 error, how will you tell whether your request failed during decryption or MAC validation?

  4. slegay

    By the way, no-one in their right mind sets customerrors=off on a public web server. That’s a very basic ASP.NET concept.

  5. sunplace

    0 day for sale!! :)

  6. CursedMojo

    Well done man….
    I’m working on this right now
    I’ve got questions though. First off, the POET tool used here is in Python, as opposed to the Java one on your site. Will you release this one as well?

    What controls do you recommend? It’s kinda hard to answer without knowing the context, but aside from using libraries that don’t follow the incorrect PKCS#5 implementation?
    Padbuster is also good

  7. 462735

    Very misleading. Unless you provide proof that this can be done with CustomErrors ON, the whole issue is irrelevant.

  8. CursedMojo

    POET crashes often.
    It’s also inconsistent, i.e. the same link can return no forms even though it has previously recognized the forms.

  9. scippyone

    Where can I find the POET tool? I’d like to try it myself.

  10. sharok89

    What is the song?

  11. yaonya

    @sharok89 Hey There Delilah by Plain White T’s

  12. sharok89

    @yaonya thanks

  13. i2oc

    Given the inappropriate disclosure of the vulnerability it’s probably not advisable to share this type of content until the vendor has had an opportunity to respond appropriately. Ethical debate of the content aside the video also violates copyright with the music being used in the background.

  14. zaxalon

    Wow… pwned from a Mac to boot.

  15. fukutabe

    Downvoted for douchey music.

  16. Sinclaw

    Is it true that you guys threw USB keys out into the audience containing this, before giving MS a chance to respond?

    The internet.. as a whole… hates you.

  17. llgrrl

    Thai, what did you do to the server? The song sounds very sad.

  18. Microalone

    I don’t understand the meaning of generating random ASP.NET keys. Could someone explain it to me? Did he not use them, or am I missing something?

  19. RickMM29

    Nice, is poet.py available for download anywhere?

  20. juntojunto

    @cryptbe Does that mean that the security advice Microsoft are giving out is therefore wrong? If so, how do we go about securing websites based on ASP.NET from this type of attack?

  21. carpslayer50

    Scary. Easy to thwart. You need to turn customErrors ON and set a defaultRedirect to a standard error page.

    You can read about it at ScottGu’s Blog.

  22. dan50907

    That’s very cool….

  23. vektek

    Tried this with the Java version and it crashes once it has detected the key in the form. Is the Python version available?

  24. arrogantbastardale

    Will your tool work with customErrors set to RemoteOnly? According to a recent Technet Blog post, setting customErrors to RemoteOnly will plug the security hole.
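Several comments above (3, 20, 21 and 24) argue about whether customErrors hides the oracle. The following added example, written for this page and not taken from the video, the POET tool or netifera, shows the structural point in Python: a token format that decrypts, checks padding and only then checks the MAC surfaces two distinguishable failures, while a format that verifies an HMAC over the ciphertext before touching it surfaces exactly one, regardless of how the web tier renders errors. To stay dependency-free it uses a toy HMAC-SHA256 Feistel network in place of AES, plus constructed keys and a constructed payload; none of this is ASP.NET’s real implementation, and the toy cipher is only scaffolding for the CBC, padding and MAC ordering that the example is about.

```python
import hashlib
import hmac
import os

BLOCK = 16
TAG = 32


class PaddingError(Exception):
    """Leaky design: padding did not verify (distinguishable failure #1)."""


class MacError(Exception):
    """Leaky design: MAC did not verify (distinguishable failure #2)."""


class AuthenticationError(Exception):
    """Hardened design: the single failure type callers ever see."""


# Assumption: a 4-round Feistel network keyed with HMAC-SHA256 stands in for
# AES so the example runs on the standard library alone. It is NOT a real cipher.
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return out


# Leaky construction: MAC sits inside the plaintext, so the receiver must
# decrypt and strip padding BEFORE it can check the MAC. Two error types leak.
def seal_leaky(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    return iv + cbc_encrypt(enc_key, iv, pkcs7_pad(plaintext + tag))


def open_leaky(enc_key: bytes, mac_key: bytes, token: bytes) -> bytes:
    iv, ct = token[:BLOCK], token[BLOCK:]
    data = pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))  # may raise PaddingError
    plaintext, tag = data[:-TAG], data[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, plaintext, hashlib.sha256).digest()):
        raise MacError
    return plaintext


# Hardened construction: Encrypt-then-MAC over iv||ciphertext, constant-time
# compare, and nothing is decrypted or unpadded until the MAC has passed.
def seal_hardened(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(plaintext))
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def open_hardened(enc_key: bytes, mac_key: bytes, token: bytes) -> bytes:
    if len(token) < 2 * BLOCK + TAG:
        raise AuthenticationError
    iv, ct, tag = token[:BLOCK], token[BLOCK:-TAG], token[-TAG:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise AuthenticationError  # rejected before any decryption happens
    try:
        return pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))
    except PaddingError:
        raise AuthenticationError  # unreachable for honestly sealed tokens


def probe(open_fn, enc_key: bytes, mac_key: bytes, token: bytes, index: int) -> str:
    """Flip the top bit of one token byte and report which exception class escapes."""
    tampered = bytearray(token)
    tampered[index] ^= 0x80
    try:
        open_fn(enc_key, mac_key, bytes(tampered))
        return "accepted"
    except (PaddingError, MacError, AuthenticationError) as exc:
        return type(exc).__name__
```

With the constructed payload `b"user=guest"`, flipping an IV byte of the leaky token breaks only the MAC (`MacError`), while flipping the last byte of the block before the final one turns the pad byte 0x06 into 0x86 and fails padding first (`PaddingError`): two observable outcomes, which is the oracle. The hardened token returns `AuthenticationError` for every tampered byte, so there is nothing for the error page configuration to hide in the first place.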