<<< Date Index >>>     <<< Thread Index >>>

ASP.NET __VIEWSTATE crypto validation prone to replay attacks



Good morning,

ASP.NET's extremely popular __VIEWSTATE functionality provides an automatic, 
uniform method for storing current state of all webpage "controls" (including 
form fields, database views, etc), so that user-entered data automagically 
persists and is populated across newly rendered HTML, and so that current 
selections of displayed database records are cached and do not need to be 
looked up again after every operation.

The data is by *typically* stored on client side as base64-encoded, hidden 
POST form field. By default, the field is protected from tampering by being
"signed" using SHA1 with machine-specific key and - although not discussed by
Microsoft - presumably either target .aspx filename or other file ID parameter. 

Because information from controls such as DataGrid is by default "cached" in 
__VIEWSTATE, enabling the user to tamper with this data would allow for 
modifying item ID and price data in ASP.NET online shops, for example. This 
possibility is discussed by Microsoft and others, with the conclusion that 
SHA1/MD5 signing prevents it, and hence it is safe to rely on __VIEWSTATE 
cached data in that regard:

  http://msdn.microsoft.com/library/en-us/dnaspp/html/viewstate.asp

Storing and then trusting database fields retrieved from user, even with
SHA1 validation, may send shivers down any infosec guy's or gal's spine, 
but that's the way it'd seem to be done:

  "DataGrid stores its contents in the view state so the page developer
  doesn't need to rebind the database data to the DataGrid on each and
  every page load, but only on the first one. The benefit is that the
  database doesn't need to be accessed as often. "

Lacking proper documentation of __VIEWSTATE validation, and based 
on my limited testing, I see two major problems with how the mechanism 
is designed:

  1) Injection-through-replay scenarios are still available.

     "Signed" __VIEWSTATE is replayable for the system or cluster that
     generated it, for that specific .aspx script:

     a) The attacker may submit __VIEWSTATE acquired from one view, to a
        wholly different view with a reasonably compatible layout of cached
        controls.
 
        For example, if a provider of online shopping solutions hosts two
        distinct shops on a shared scripting platform - one shop with pet 
        supplies, and one with expensive watches - and both (within their 
        distinct databases or tables) happen to have item ID 123 - one for 
        $19.99 (Acme brand cat food), another for $1999.00 (Rolex), the 
        attacker may move __VIEWSTATE from buystuff.aspx?shop=catfood to 
        buystuff.aspx?shop=watches, and place an order item ID 123 for 
        $19.99.

     b) Since there appears to be no expiration mechanism, user may keep
        __VIEWSTATE data and reuse it after availability, pricing, or other
        parameters of items or settings has changed, or ability to access
        certain information has been restricted, effectively obtaining
        a "backdoor" of sorts.

     c) The attacker may obtain __VIEWSTATE after entering dangerous or
        offensive contents or view settings within his session (some of which 
        may be not immediately visible), then redirect third parties through
        a webpage with a specific __VIEWSTATE parameter to expose them to that 
        contents, or to impose these settings upon that viewer.
 
  2) When NOT signed, resource starvation due to __VIEWSTATE complexity is  
     possible.

     The format of the base64-encoded data is often summarised as "compressed 
     XML"; __VIEWSTATE uses a simplistic, hierarchical markup scheme: first 
     letter decides record type (triplet, pair, one of primitive types such
     as strings or integers); values for that record are enclosed in <...>
     that immediately follows that letter; fields of a record are separated by 
     ';'; records can be nested with no limits.

     The problem: __VIEWSTATE is sometimes used with no integrity protection
     for valid reasons. If only user input fields are going to be cached, 
     there is no immediate problem with effects of __VIEWSTATE tampering 
     (with the possible exception of 1c), and performance benefits of avoiding 
     SHA1 are noticable.

     Unfortunately, because of its hierarchical structure, and parsing based
     on recursive function calls, it is trivial to consume excessive amounts
     of resources by constructing a very deeply nested structure. Consider
     this unix shell example:

     perl -e '{print "t<" x 8000, ";;>" x 8000}' | \
       mimencode | awk '{printf "%s", $0}'
  
     Inserting the output of that sequence in place of __VIEWSTATE form field 
     value in a page then submitted to a webserver that has SHA1 integrity 
     checking disabled will consume excessive resources on the target machine
     (in some cases, omitting the closing ";;>" sequence offers even better
     effort-gain DoS ratio).

Possible mitigation method for problem #1: include secure session ID within 
__VIEWSTATE data, correlate with existing session control data, or validate 
and expire appropriately; or sacrifice storage and keep this data on server.

Mitigation method for problem #2: sacrifice CPU cycles to always validate
data; or store on server.

Cheers,
Michal Zalewski
SotW plug: http://lcamtuf.coredump.cx/silence/