Security Issue in ASP.NET Forms Authentication

By Peter Bromberg

Security researchers have discovered a bug in the default encryption mechanism used to protect the cookies that implement Forms Authentication in ASP.NET.

According to Peter Vogel at Visual Studio Magazine, security researchers have discovered a bug in the default encryption mechanism used to protect the cookies that implement Forms Authentication in ASP.NET. Using their tool, the researchers can repeatedly modify an ASP.NET Forms Authentication cookie encrypted with AES and, by examining the errors the server returns, determine the Machine Key used to encrypt the cookie. The process is claimed to be 100 percent reliable and to take between 30 and 50 minutes for any site.

Once they have the Machine Key, attackers can create bogus forms authentication cookies. If you embed role information in the forms cookie, attackers could arbitrarily assign themselves administrator roles. This also affects other membership provider features, the tamper protection on ViewState, and any encrypted information stored in cookies or otherwise made available to the client.

Unfortunately, the fix is not simple, because the technique can be used against any block cipher, including 3DES.
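To make concrete why the advisory's workaround insists on one indistinguishable error response, here is an added Go example; it is not code from the original post, from Microsoft, or from the researchers' tool. It seals a forms-style cookie with AES-CBC and an HMAC-SHA256 tag, then validates it two ways: a leaky validator that decrypts without checking the tag and reports whether the padding was valid, and a hardened validator that verifies the tag in constant time before decrypting anything and returns a single generic error. The keys, the `user=...` cookie body and the `sealCookie`, `parse`, `leakyOpen`, `hardenedOpen` and `Demo` names are constructed for this demo; ASP.NET's real cookie layout differs, and the example goes beyond the page's error-page workaround by showing encrypt-then-MAC, the general fix for this class of bug.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed demo keys; a real site takes them from <machineKey>.
var encKey = []byte("0123456789abcdef")                 // AES-128
var macKey = []byte("fedcba9876543210fedcba9876543210") // HMAC-SHA256
var block, _ = aes.NewCipher(encKey)                    // 16-byte key, so this cannot fail

var errBadPadding = errors.New("invalid padding") // what the vulnerable path reports as-is
var errGeneric = errors.New("invalid token")      // the only answer the hardened path gives

// sealCookie: PKCS#7 pad, AES-CBC under a random IV, then HMAC-SHA256 over
// IV||ct (encrypt-then-MAC). A 32-byte cookie gets a whole 0x10 padding block.
func sealCookie(plain []byte) ([]byte, error) {
	body := make([]byte, aes.BlockSize) // the IV comes first
	if _, err := rand.Read(body); err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte(nil), plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, body).CryptBlocks(ct, padded)
	body = append(body, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return mac.Sum(body), nil
}

// parse strips the tag, verifies it first if asked (hmac.Equal is constant
// time), then decrypts IV||ct and checks the padding, returning the raw failure.
func parse(token []byte, verifyTag bool) ([]byte, error) {
	n := len(token) - sha256.Size
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, errBadPadding
	}
	body, tag := token[:n], token[n:]
	if verifyTag {
		mac := hmac.New(sha256.New, macKey)
		mac.Write(body)
		if !hmac.Equal(mac.Sum(nil), tag) {
			return nil, errGeneric
		}
	}
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	p := int(pt[len(pt)-1])
	if p == 0 || p > aes.BlockSize || !bytes.Equal(pt[len(pt)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errBadPadding
	}
	return pt[:len(pt)-p], nil
}

// leakyOpen is the vulnerable pattern: no integrity check, and the caller learns whether padding was valid.
func leakyOpen(token []byte) ([]byte, error) { return parse(token, false) }

// hardenedOpen verifies the tag before decrypting and collapses every failure into errGeneric.
func hardenedOpen(token []byte) ([]byte, error) {
	pt, err := parse(token, true)
	if err != nil {
		return nil, errGeneric
	}
	return pt, nil
}

// Demo seals a 32-byte cookie, flips one bit at two offsets whose effect on decryption
// is deterministic, and records what each validator answers, keyed "validator/tamper site".
func Demo() (map[string]string, error) {
	token, err := sealCookie([]byte("user=alice;role=member;exp=12345"))
	if err != nil {
		return nil, err
	}
	flip := func(i int) []byte { t := append([]byte(nil), token...); t[i] ^= 1; return t }
	answer := func(pt []byte, err error) string {
		if err != nil {
			return err.Error()
		}
		return "accepted: " + string(pt)
	}
	sites := map[string][]byte{
		"untampered": token,
		"content":    flip(0),                  // IV byte 0: first plaintext byte garbled, padding intact
		"padding":    flip(3*aes.BlockSize - 1), // feeds the padding block: 0x10 becomes 0x11
	}
	out := map[string]string{}
	for site, tok := range sites {
		out["leaky/"+site] = answer(leakyOpen(tok))
		out["hardened/"+site] = answer(hardenedOpen(tok))
	}
	return out, nil
}
```

Calling Demo() shows the two properties that matter. The leaky validator gives one answer for the padding-breaking change ("invalid padding") and a different one for the content-breaking change (it accepts the cookie, with its first byte garbled), which is all a padding-oracle attack needs to read, and it also accepts a modified cookie at all. The hardened validator answers "invalid token" for both tampered cookies and accepts only the untampered one; that uniform response is the property the customErrors workaround below approximates at the HTTP layer, with the random delay covering the timing side of it, until the cookie protection itself is patched.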

The relevant Microsoft Security Advisory is here. You can protect your site through its web.config file. Here is the fix:

Create or modify the <customErrors> section of the web.config file to have the following settings. Note the use of redirectMode="ResponseRewrite" with .NET 3.5 SP1 and .NET 4.0:

<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>

The error.aspx page (the server-side code is inline in the page, so no codebehind file is needed):

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    void Page_Load() {
        // Sleep for a cryptographically random 0-255 ms so that the response
        // time of the error page does not reveal which error occurred.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();

        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);

        // RNGCryptoServiceProvider is IDisposable on .NET 4.0 but not on 3.5, hence the cast.
        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>

This is serious stuff. Better safe than sorry! A patch is coming for this, but in the meantime it's a good idea to implement the above fix. You can read more about the issue at Scott Guthrie's blog here.
