The list of affected software is extremely long – it is all versions of ASP.NET, Microsoft’s web serving technology. Once exploited, it essentially allows a malicious users to download internal files from the ASP.NET Application such as the web.config file, which often contains sensitive data used throughout the Application. It also allows for the decryption of ViewState variables. These are used by ASP.NET to allow the server to maintain state across several HTTP requests, and represented an encrypted form of data used by the Application.
But enough about what problems this can cause – how does this actually work? The attack is known as a Padding Oracle Attack (that’s Oracle as in a component that determines whether or not a test has passed, not any of the other various related definitions). Encryption algorithms require a whole number of blocks to encrypt and decrypt the input successfully. Because you will want to encrypt values of varying size, you must consistently pad the end of the inputs for the encryption to work. One of the common ways of doing this is to pad the end of the string with N bytes to fill up the last block, each byte having a value of N. So if you had to pad 5 additional bytes to reach the end of the block, each of those padding bytes would have the value 5. If your input data matches up to the end of a block exactly, you pad another entire block on the end, so all inputs are padded. The important part here is that if the padding is somehow invalid, an exception is thrown – it is this that allows the attacker to exploit the algorithm. The first eight bytes of the input to an encryption is what’s called the Initialization Vector (IV). By continuously changing the IV, calling the website, and examining the error returned, it is possible for the attacker to work out what the IV is based on whether or not the request returns an error for the amount of padding in the input. The IV can then be used to decrypt the remaining text or encrypt a new string. With this encryption power, the attacker may be able to sign themselves in as an administrator on a website, for example.
The Microsoft Security Advisory (2416728) is available here; there are numerous resources to help developers harden their code against this kind of attack. Scott Guthrie covers an outline of the attack and how to change your error pages to defend against it; Steve Smith has written a script to help identify files which may be at risk. If you’re interested on more about how the attack works, Brian Holyfield posted a detailed article on how Padding Oracle Attacks work, and a video of the conference demo of the attack is on YouTube.