[Mono-dev] Mono and ASP.NET Security Vulnerability

dan witt dan.witt at gmail.com
Fri Oct 1 17:46:06 EDT 2010 

Based on code inspection it looks to me like Mono is partially vulnerable.

There are/were two basic problems with the MS implementation:

1) when an incorrect string is passed in the 'd' paramater to
WebResource.axd, which is processed by
System.Web.Handlers.WebResourceHandler.ProcessRequest, the exception that is
thrown depends on whether the padding in the decrypted string is correct or
not.  This is the padding oracle that lets an attacker encrypt (or decrypt)
arbitrary strings with the key used by the oracle.

Mono's implementation appears to also have this problem in
both WebResourceHandler and ScriptResourceHandler.

The fix for this is to include a MAC as part of the request string.


2) given an encrypted string representing a file ScriptResource.axd, which
is processed by System.Web.Handlers.ScriptResourceHandler.ProcessRequest,
allows for the download of arbitrary files from within the applications
Virtual Path.

Mono's implementation doesn't appear to allow for anything other than
embedded resources to be downloaded through this path and so isn't
vulnerable.

Dan Witt

On Fri, Oct 1, 2010 at 2:07 PM, Sebastien Pouliot <
sebastien.pouliot at gmail.com> wrote:

> My previous answer still stand. Watch the following link for updates:
> http://www.mono-project.com/Vulnerabilities
>
> On Fri, 2010-10-01 at 12:52 +0200, Tomi wrote:
> > Any update on this issue? The MS patch is already out. Some background
> > information:
> >
> http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
> >
> http://weblogs.asp.net/scottgu/archive/2010/09/30/asp-net-security-fix-now-on-windows-update.aspx
> >
> > On 19 September 2010 11:47, Tomi <bosak.tomas at gmail.com> wrote:
> > > Hi folks,
> > >
> > > is mono also affected by this security vulnerability? (ScottGu: "This
> > > vulnerability is in our ASP.NET implementation (and will be fixed in a
> > > patch).  I'm not sure if Mono has the same bug.")
> > >
> > >
> http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
> > >
> > _______________________________________________
> > Mono-devel-list mailing list
> > Mono-devel-list at lists.ximian.com
> > http://lists.ximian.com/mailman/listinfo/mono-devel-list
>
>
> _______________________________________________
> Mono-devel-list mailing list
> Mono-devel-list at lists.ximian.com
> http://lists.ximian.com/mailman/listinfo/mono-devel-list
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.ximian.com/pipermail/mono-devel-list/attachments/20101001/bd09d81a/attachment.html

More information about the Mono-devel-list mailing list