Oracle padding exploit - how does it download the web.config?


Question


I know there are already a few questions on SO about the oracle padding exploit but none of them explain how it downloads the web.config. I run a couple of ASP.NET apps which I have already tested using Microsoft recommended mitigation factors but I'm still scared that people will be able to get the web.config.

Can someone please explain how they do this or even provide a link to a tool that I can use to test my site with. I find that the official explanation of this part of the attack is really lacking.

The attack that was shown in the public relies on a feature in ASP.NET that allows files (typically JavaScript and CSS) to be downloaded, and which is secured with a key that is sent as part of the request. Unfortunately if you are able to forge a key you can use this feature to download the web.config file of an application (but not files outside of the application).

Solution

Guys - the answer is that once they have obtained the machineKey, they can use that key to fetch the files using another feature in ASP.NET.

"In ASP.NET 3.5 Service Pack 1 and ASP.NET 4.0 there is a feature that is used to serve files from the application. This feature is normally protected by the machine key. However, if the machine key is compromised then this feature is compromised. This goes directly to ASP.NET and not IIS so IIS's security settings do not apply. Once this feature is compromised then the attacker can download files from your application - including web.config file, which often contains passwords.

Versions of ASP.NET prior to ASP.NET 3.5 SP1 do not have this feature, but are still vulnerable to the main machine key attack."

(see the post at the bottom of here: http://forums.asp.net/t/1603799.aspx from the asp.net team)
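For checking whether a site has been probed this way, here is an added detection sketch (not part of the original answer or the ASP.NET team's post). It counts, per client, how many different encrypted values were sent to the file-serving handlers. It assumes those handlers are requested as `*.axd` with the protected value in a `d=` query parameter (as ASP.NET's WebResource.axd and ScriptResource.axd do), a simplified seven-field IIS log layout, and a hypothetical threshold of 20; the log lines are constructed.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample log in a simplified IIS W3C layout (assumed field order):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = "\n".join(
    ["#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status"]
    + [f"2010-09-20 10:00:{i:02d} 203.0.113.7 GET /ScriptResource.axd "
       f"d=CONSTRUCTED{i:04d} {404 if i % 8 == 0 else 500}" for i in range(40)]
    + ["2010-09-20 10:01:00 198.51.100.4 GET /WebResource.axd d=CONSTRUCTEDok1 200",
       "2010-09-20 10:01:01 198.51.100.4 GET /ScriptResource.axd d=CONSTRUCTEDok2 200",
       "2010-09-20 10:01:02 198.51.100.4 GET /default.aspx - 200"]
)


def suspicious_clients(log_text, min_distinct=20):
    """Map client IP -> (requests, distinct d= values, error ratio) for clients
    that sent at least min_distinct different encrypted values to *.axd handlers.
    A normal browser reuses the few values embedded in the pages it loads."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "values": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 7:
            continue  # skip W3C directives and malformed lines
        _, _, ip, _, stem, query, status = fields
        d_values = parse_qs(query).get("d", [])
        if not stem.lower().endswith(".axd") or not d_values:
            continue
        entry = stats[ip]
        entry["total"] += 1
        entry["values"].add(d_values[0])
        if status.isdigit() and int(status) >= 400:
            entry["errors"] += 1
    return {
        ip: (e["total"], len(e["values"]), e["errors"] / e["total"])
        for ip, e in stats.items()
        if len(e["values"]) >= min_distinct
    }


if __name__ == "__main__":
    for ip, (n, distinct, ratio) in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} handler requests, {distinct} distinct d= values, "
              f"{ratio:.0%} rejected")
```

The error ratio is reported as context only; where a custom error page changes the status the server returns, the count of distinct values is the signal to rely on.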
