Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks

To: Michal Zalewski <lcamtuf@xxxxxxxxx>
Subject: Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks
From: Anton Ivanov <arivanov@xxxxxxxxxx>
Date: Thu, 12 May 2005 09:23:52 +0100
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <1e89feb305050514177dcf0e27@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <000001c551a4$ab55a3d0$86c8a8c0@xxxxxxxxxxxxxxxxxx> <1e89feb305050513002386241b@xxxxxxxxxxxxxx> <1e89feb30505051306458c1e4@xxxxxxxxxxxxxx> <1e89feb305050514177dcf0e27@xxxxxxxxxxxxxx>
User-agent: Debian Thunderbird 1.0 (X11/20050116)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One more example.

http://www.theregister.co.uk/2005/05/11/ms_gatekeeper_test_fiasco/

It looks like someone already used this to rig his scores in the
Microsoft Security Professional competition.

ROFL.

A.

Michal Zalewski wrote:

| I would also like to point all concerned to an excellent post about
|  replay attacks on __VIEWSTATE; the post is by Scott Mitchell, the
| guy who authored the MSDN article I initially referred to [1]:
|
| http://scottonwriting.net/sowblog/posts/3747.aspx
|
| His article is aimed at developers; Scott explains the issue I
| reported in a way that makes it perhaps more clear why putting user
|  ID, session ID, or other similar data in __VIEWSTATE is not a
| remedy by itself, and why reposting __VIEWSTATE is dangerous
| despite target script location checks.
|
| [1]
| http://msdn.microsoft.com/library/en-us/dnaspp/html/viewstate.asp
|
| Cheers, /mz
|


- --
La Châtelier's Law:

~          If some stress is brought to bear on a system in equilibrium,
the equilibrium is displaced in the direction which tends to undo the
effect of the stress.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCgxKX/NpXLt3l5xURAoCRAKCST0nfsIav2YahTueJdgyl1sjfIQCgwRhm
L/0uD824ZveBMYbo9yi1ErI=
=0rM6
-----END PGP SIGNATURE-----

References:
- Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks
  - From: Michal Zalewski
- Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks
  - From: Michal Zalewski

Prev by Date: Security Advisory for Bugzilla 2.18, 2.19.2, and 2.16.8
Next by Date: Re: Commonly used disk imaging and wiping tools can be tricked to miss parts of a disk
Previous by thread: Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks
Next by thread: [SECURITY] [DSA 720-1] New smartlist packages fix unauthorised un/subscription
Index(es):
- Date
- Thread