MS10-070: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042) (uncredentialed check) - Nessus

Medium   Plugin ID: 49806

This page contains detailed information about the MS10-070: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042) (uncredentialed check) Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 49806
Name: MS10-070: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042) (uncredentialed check)
Filename: padding_oracle_ms10-070.nasl
Vulnerability Published: 2010-09-17
This Plugin Published: 2010-10-08
Last Modification Time: 2022-04-11
Plugin Version: 1.21
Plugin Type: remote
Plugin Family: Windows
Dependencies: http_version.nasl, webmirror.nasl

Vulnerability Information


Severity: Medium
Vulnerability Published: 2010-09-17
Patch Published: 2010-09-28
CVE: CVE-2010-3332
CPE: cpe:/a:microsoft:.net_framework

Synopsis

The version of the .NET framework installed on the remote host has an information disclosure vulnerability.

Description

There is an information disclosure vulnerability in ASP.NET, part of the .NET framework. Information can be leaked due to improper error handling during encryption padding.

A remote attacker could exploit this to decrypt and modify an ASP.NET application's server-encrypted data. In .NET Framework 3.5 SP1 and above, an attacker could exploit this to download any file within the ASP.NET application, including web.config.
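The plugin below tests for this condition by changing one byte of a server-encrypted value and looking for a "Padding is invalid" message as opposed to some other error. That test only works because the application's error handling tells the two failure modes apart. The following is an added, constructed example (not code from Tenable's plugin, Microsoft, or the GitHub PoC) that models the two sides of that behaviour: a MAC-then-encrypt endpoint that checks padding first and reports each failure separately, next to an encrypt-then-MAC endpoint that authenticates before decrypting and returns one fixed error. The block cipher is a keyed byte substitution standing in for AES so the code runs offline; the payload, IV and keys are constructed values. It also generalises the plugin's single-byte change to every possible value of the last ciphertext byte, which makes the difference between the two endpoints visible as a count of distinct responses.

```python
"""Constructed model of the MS10-070 failure mode: CBC padding checked before
the MAC, with a distinct error text per failure. The 'block cipher' is a keyed
byte substitution standing in for AES so the example runs offline."""
import hashlib, hmac, random

BLOCK, TAG_LEN = 16, 32
GENERIC_ERROR = "500 An error occurred while processing your request."
IV = bytes(range(BLOCK))      # constructed fixed IV for a reproducible demo
DATA = b"uid=42;role=user"    # constructed payload; 16 bytes + 32-byte tag = 3 blocks

def make_sbox(key):
    """Keyed byte permutation used as a stand-in block cipher (NOT secure, NOT AES)."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    inverse = [0] * 256
    for i, v in enumerate(table):
        inverse[v] = i
    return bytes(table), bytes(inverse)

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("Padding is invalid and cannot be removed.")  # the text the plugin greps for
    return data[:-n]

def cbc_encrypt(sbox, iv, plaintext):
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        prev = bytes(sbox[a ^ b] for a, b in zip(plaintext[i:i + BLOCK], prev))
        out += prev
    return bytes(out)

def cbc_decrypt(inv, iv, ciphertext):
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += bytes(inv[b] ^ p for b, p in zip(block, prev))
        prev = block
    return bytes(out)

def tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class Endpoint:
    def __init__(self, enc_key, mac_key):
        self.sbox, self.inv = make_sbox(enc_key)
        self.mac_key = mac_key

class VulnerableServer(Endpoint):
    # MAC-then-encrypt: padding is checked first and each failure has its own error text.
    def protect(self, iv, data):
        return iv + cbc_encrypt(self.sbox, iv, pkcs7_pad(data + tag(self.mac_key, data)))

    def handle(self, token):
        try:
            body = pkcs7_unpad(cbc_decrypt(self.inv, token[:BLOCK], token[BLOCK:]))
        except ValueError as exc:
            return "500 " + str(exc)          # leaks: the padding step failed
        data, mac = body[:-TAG_LEN], body[-TAG_LEN:]
        if len(body) < TAG_LEN or not hmac.compare_digest(mac, tag(self.mac_key, data)):
            return "500 Invalid MAC"          # leaks: padding passed, MAC did not
        return "200 OK"

class HardenedServer(Endpoint):
    # Encrypt-then-MAC: authenticate IV||ciphertext before decrypting; one error for everything.
    def protect(self, iv, data):
        ct = iv + cbc_encrypt(self.sbox, iv, pkcs7_pad(data))
        return ct + tag(self.mac_key, ct)

    def handle(self, token):
        body, mac = token[:-TAG_LEN], token[-TAG_LEN:]
        if len(body) < 2 * BLOCK or not hmac.compare_digest(mac, tag(self.mac_key, body)):
            return GENERIC_ERROR
        try:
            pkcs7_unpad(cbc_decrypt(self.inv, body[:BLOCK], body[BLOCK:]))
        except ValueError:
            return GENERIC_ERROR              # cannot happen for authentic input, but stays uniform
        return "200 OK"

def distinct_responses(server, token, index):
    """Replace the byte at `index` with every other value and collect the responses:
    one distinct response means no oracle, more than one means the error path leaks."""
    index %= len(token)
    seen = set()
    for v in range(256):
        if v != token[index]:
            seen.add(server.handle(token[:index] + bytes([v]) + token[index + 1:]))
    return seen

def demo():
    vuln, hard = VulnerableServer(b"enc-key", b"mac-key"), HardenedServer(b"enc-key", b"mac-key")
    t_v, t_h = vuln.protect(IV, DATA), hard.protect(IV, DATA)
    return {
        "vulnerable_ok": vuln.handle(t_v),
        "hardened_ok": hard.handle(t_h),
        # last ciphertext byte: token[-1] in the vulnerable layout, the byte before the tag in the hardened one
        "vulnerable_responses": distinct_responses(vuln, t_v, -1),
        "hardened_responses": distinct_responses(hard, t_h, -TAG_LEN - 1),
    }
```

Running `demo()` shows the vulnerable endpoint answering with two different messages across the 255 altered tokens (the padding error for most of them, a MAC error for the one value that happens to form valid one-byte padding), while the hardened endpoint answers every altered token with the same fixed string. That single response is the property the plugin's "302 redirect may indicate mitigation" branch is looking for: once the application authenticates first and maps every failure to one page, the byte-flip test has nothing left to distinguish.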

Solution

Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2.

Public Exploits


Target Network Port(s): 80
Target Asset(s): Services/www
Exploit Available: True (GitHub)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the MS10-070: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042) (uncredentialed check) vulnerability:

  1. GitHub: https://github.com/bongbongco/MS10-070
    [CVE-2010-3332: CVE-2010-3332 Oracle Padding Vulnerability in Microsoft ASP.NET]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C
CVSS Base Score: 5.0 (Medium)
Impact Subscore: 2.9
Exploitability Subscore: 10.0
CVSS Temporal Score: 3.9 (Low)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 3.9 (Low)


Plugin Source


This is the padding_oracle_ms10-070.nasl Nessus plugin source code. This script is Copyright (C) 2010-2022 Tenable Network Security, Inc.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(49806);
  script_version("1.21");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2010-3332");
  script_bugtraq_id(43316);
  script_xref(name:"MSFT", value:"MS10-070");
  script_xref(name:"MSKB", value:"2416447");
  script_xref(name:"MSKB", value:"2416451");
  script_xref(name:"MSKB", value:"2416468");
  script_xref(name:"MSKB", value:"2416469");
  script_xref(name:"MSKB", value:"2416470");
  script_xref(name:"MSKB", value:"2416471");
  script_xref(name:"MSKB", value:"2416472");
  script_xref(name:"MSKB", value:"2416473");
  script_xref(name:"MSKB", value:"2416474");
  script_xref(name:"MSKB", value:"2418240");
  script_xref(name:"MSKB", value:"2418241");

  script_name(english:"MS10-070: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042) (uncredentialed check)");

  script_set_attribute(attribute:"synopsis", value:
"The version of the .NET framework installed on the remote host has an
information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"There is an information disclosure vulnerability in ASP.NET, part of
the .NET framework.  Information can be leaked due to improper error
handling during encryption padding.

A remote attacker could exploit this to decrypt and modify an ASP.NET
application's server-encrypted data.  In .NET Framework 3.5 SP1 and
above, an attacker could exploit this to download any file within the
ASP.NET application, including web.config.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-070");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista,
2008, 7, and 2008 R2.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/09/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/09/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/08");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_framework");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2010-2022 Tenable Network Security, Inc.");

  script_dependencies("webmirror.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

function base64url_decode(str)
{
  local_var cstr,padlen;

  # strip last char
  cstr = substr(str, 0, strlen(str) - 2);

  # num of '=' to pad
  padlen = str[strlen(str) -1];

  cstr = str_replace(string:cstr, find:"-",replace:"+");
  cstr = str_replace(string:cstr, find:"_",replace:"/");
  cstr += crap(data:"=",length:padlen);

  return base64_decode(str:cstr);
}

function base64url_encode(str)
{
  local_var cstr, idx, padchars;

  cstr = base64(str:str);

  # look for '='
  idx = stridx(cstr,"=");

  if(idx != -1)
  {
    padchars  = substr(cstr, idx, strlen(cstr) -1);

    cstr      = substr(cstr, 0, idx -1);
    cstr      += strlen(padchars);
  }
  else # no padding
    cstr += "0";

  cstr = str_replace(string:cstr, find:"+",replace:"-");
  cstr = str_replace(string:cstr, find:"/",replace:"_");

  return cstr;
}

#
# parse link like url?arg1=value1&arg2=value2...
#
# ret['url']    = url part
# ret['args']   = array of 'arg' associative arrays
#
function parse_link(link)
{
  local_var ret, arg_pair_l, arg_pair, array, arg, match;

  match = eregmatch(string:link,pattern:"^(.+)\?(.+)$");

  # link with no arguments
  if(! match)
  {
    ret['url'] = link;
    return ret;
  }

  ret['url'] = match[1];
  arg_pair_l = split(match[2],sep:"&", keep:FALSE);

  foreach arg_pair(arg_pair_l)
  {
    array = split(arg_pair,sep:"=",keep:FALSE);
    arg[array[0]]  = array[1];
  }

  ret['args'] = arg;

  return ret;
}

# Perform the axd check with the given d and t arguments
function check_axd_go(port, path, d, t)
{
  local_var req, res, axd, fixed, original, final_url, links, array, item;

  # Make sure we have all the arguments we need
  if(isnull(path) || isnull(d) || isnull(t))
    return NULL;

  #decode
  original = base64url_decode(str:d);

  #change the last byte
  fixed = original;
  fixed[strlen(fixed)-1] = raw_string(ord(fixed[strlen(fixed) - 1]) -1);

  #re-encode
  fixed = base64url_encode(str:fixed);

  #build the final url to request
  final_url = "/" + path + '?d=' + fixed + '&t=' + t;

  #Resend the request with the changed padding
  req = http_mk_get_req(port:port, item: final_url, version: 11);
  res = http_send_recv_req(port:port, req:req, fetch404:TRUE, exit_on_fail:TRUE);

  # See if the page contained a padding error
  if("adding is invalid" >< res[2])
  {
    return path + " returned a padding error.";
  }
  else if(("CryptographicException" >< res[2]) || ("Bad Data" >< res[2]))
  {
    return path + " returned a runtime error.";
  }
  else if("404" >< res[0])
  {
    exit(0, "The web server on port " + port + " returned a 404 error on " + path + " with invalid padding.");
  }
  else if("302" >< res[0])
  {
    exit(0, "The web server on port " + port + " returned a HTTP Redirect on " + path + " with invalid padding, which may indicate mitigation is in place.");
  }
  else
  {
    return NULL;
  }
}

function check_axd(port, path)
{
  local_var req, res, axd, fixed, original, final_url, links, array, item;
  local_var link, result;
  local_var args;
  req = http_mk_get_req(port:port, item:path, version: 11);
  res = http_send_recv_req(port:port, req:req, exit_on_fail:TRUE, fetch404:TRUE);

  links = egrep(pattern:'\\.axd', string:res[2]);

  if(!links)
    return NULL;

  array = split(links, sep:'\n');

  foreach item(array)
  {
    item = chomp(item);

    axd = eregmatch(pattern:'[\'"]([^"\']+\\.axd[^\'"]*)["\']', string:item);

    if(!isnull(axd))
    {
      if("http" >!< axd[0])
      {
        link = parse_link(link:axd[1]);
        args = link['args'];
        result = check_axd_go(port:port, path:link['url'], d:args['d'], t:args['t']);

        if(!isnull(result))
        {
          return result;
        }
      }
    }
  }
}

function check_viewstate_go(port, path, viewstate, event_validation)
{
  local_var viewstate_bin, fixed, postdata, res;

  # make sure we have all the arguments we need
  if(isnull(path) || isnull(viewstate) || isnull(event_validation))
    return NULL;

  # Decode
  viewstate_bin = base64_decode(str: viewstate);

  # Modify the last character in the string to induce a padding error
  fixed = viewstate_bin;
  fixed[strlen(fixed)-1] = raw_string(ord(fixed[strlen(fixed) - 1]) -1);

  # Re-encode
  fixed = base64(str:fixed);

  # URL-encode the strings (we only have to worry about three symbols)
  fixed = str_replace(string:fixed, find:"+",replace:"%2b");
  fixed = str_replace(string:fixed, find:"/",replace:"%2f");
  fixed = str_replace(string:fixed, find:"=",replace:"%3d");
  event_validation = str_replace(string:event_validation, find:"+",replace:"%2b");
  event_validation = str_replace(string:event_validation, find:"/",replace:"%2f");
  event_validation = str_replace(string:event_validation, find:"=",replace:"%3d");

  postdata = "__VIEWSTATE=" + fixed + "&" + "__EVENTVALIDATION=" + event_validation + "&__VIEWSTATEENCRYPTED=''";

  res = http_send_recv3(method: "POST", item: "/", port: port, content_type: "application/x-www-form-urlencoded", data: postdata, exit_on_fail:TRUE, fetch404:TRUE);

  if("adding is invalid" >< res[2])
  {
    return "Viewstate at " + path + " returned a padding error.";
  }
  else if("rypto" >< res[2] && 'xception' >< res[2])
  {
    return "Viewstate at " + path + " returned a cryptographic exception.";
  }
  else
  {
    return NULL;
  }

}

function mk_list()
{
  if (isnull(_FCT_ANON_ARGS[0]))	return make_list();
  else					return make_list(_FCT_ANON_ARGS[0]);
}

function check_viewstate(port, path)
{
  local_var req, res, viewstate, event_validation;

  req = http_mk_get_req(port:port, item:path, version: 11);
  res = http_send_recv_req(port:port, req:req, exit_on_fail:TRUE, fetch404:TRUE);

  if("__VIEWSTATE" >!< res[2])
  {
    return NULL;
  }

  if("__VIEWSTATEENCRYPTED" >!< res[2])
  {
    return NULL;
  }

  viewstate = eregmatch(pattern:'<[^>]+hidden[^>]+name=["\']__VIEWSTATE[^>]+value=["\']([^"\']+)["\']', string:res[2]);
  event_validation = eregmatch(pattern:'<[^>]+hidden[^>]+name=["\']__EVENTVALIDATION[^>]+value=["\']([^"\']+)["\']', string:res[2]);

  if(isnull(viewstate) || isnull(event_validation))
  {
    return NULL;
  }

  return check_viewstate_go(port:port, path:path, viewstate:viewstate[1], event_validation:event_validation[1]);
}

var port, axd_files, viewstate_files;
var axd_count, viewstate_count;


port = get_http_port(default:80);

# Get a list of .axd files from the webspider script. If CGI scanning is off,
# this will be less effective.
axd_files = get_kb_list("www/" + port + "/content/extensions/axd");

if(isnull(axd_files))
{
  var result;
  # If we don't have the webmirror extension, check the root folder
  result = check_axd(port:port, path:'/');

  if(!isnull(result))
  {
    security_warning(port:port, extra:'\n' + result + '\n');
    exit(0);
  }
}
else
{
  axd_files = make_list(axd_files);
  axd_count = 0;

  foreach axd(axd_files)
  {
    var d_list, t_list;
    d_list = get_kb_list("www/" + port + "/cgi-params" + axd + "/d");
    t_list = get_kb_list("www/" + port + "/cgi-params" + axd + "/t");

    if(!isnull(d_list) && !isnull(t_list))
    {
      var max, i;

      d_list = make_list(d_list);
      t_list = make_list(t_list);

      max = max_index(d_list);

      for(i = 0; i < max; i++)
      {
        var d, t;
        d = d_list[i];
        t = t_list[i];
        if(isnull(t))
          t = '';

        result = check_axd_go(port:port, path:axd, d:d, t:t);
        if(!isnull(result))
        {
          security_warning(port:port, extra:'\n' + result + '\n');
          exit(0);
        }
      }

      # Limit the number of files we check
      if(axd_count > 4)
        break;
      axd_count++;
    }
  }
}

# Get a list of all .cgis. If CGI scanning is turned off, again, this will be more complicated
viewstate_files = get_kb_list('www/' + port + '/cgi');
if(isnull(viewstate_files))
{
  # Check the root path only
  var result;
  result = check_viewstate(port:port, path:'/');
  if(!isnull(result))
  {
    security_warning(port:port, extra:'\n' + result + '\n');
    exit(0);
  }
}
else
{
  viewstate_files = make_list(viewstate_files);
  viewstate_count = 0;

  # Search our viewstate files for one with __VIEWSTATEENCRYPTED
  foreach file(viewstate_files)
  {
    var viewstate_encrypted;

    viewstate_encrypted = get_kb_list("www/" + port + "/cgi-params" + file + "/__VIEWSTATEENCRYPTED");

    if(!isnull(viewstate_encrypted))
    {
      var viewstate, event_validation, result;

      lVS = mk_list(get_kb_list("www/" + port + "/cgi-params" + file + "/__VIEWSTATE"));
      foreach viewstate (lVS)
      {
        lEV = mk_list(get_kb_list("www/" + port + "/cgi-params" + file + "/__EVENTVALIDATION"));
        foreach event_validation (lEV)
        {
          result = check_viewstate_go(port:port, path:file, viewstate:viewstate, event_validation:event_validation);

          if(!isnull(result))
          {
            security_warning(port:port, extra:'\n' + result + '\n');
            exit(0);
          }
        }
      }
    }

    # Limit the number of files we check
    if(viewstate_count > 4)
      break;
    viewstate_count++;
  }

}

exit(0, "The web server on port " + port + " didn't have a vulnerable .axd file or encrypted viewstate that could be found.");

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/padding_oracle_ms10-070.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\padding_oracle_ms10-070.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/padding_oracle_ms10-070.nasl


How to Run


Here is how to run the MS10-070: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042) (uncredentialed check) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Windows plugin family.
  6. On the right side table select MS10-070: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042) (uncredentialed check) plugin ID 49806.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl padding_oracle_ms10-070.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a padding_oracle_ms10-070.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - padding_oracle_ms10-070.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state padding_oracle_ms10-070.nasl -t <IP/HOST>


References


BID | SecurityFocus Bugtraq ID:
  • 43316
MSKB | Microsoft Knowledge Base:
  • 2416447
  • 2416451
  • 2416468
  • 2416469
  • 2416470
  • 2416471
  • 2416472
  • 2416473
  • 2416474
  • 2418240
  • 2418241
MSFT | Microsoft Security Bulletin:
  • MS10-070
See also: Similar and related Nessus plugins:
  • 59651 - GLSA-201206-13 : Mono: Multiple vulnerabilities
  • 50413 - CGI Generic Padding Oracle
  • 49695 - MS10-070: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)
  • 53528 - SuSE 11.1 Security Update : Mono (SAT Patch Number 4260)
  • 58408 - SuSE 10 Security Update : Mono (ZYPP Patch Number 8001)
  • 47556 - MS10-012: Vulnerabilities in SMB Could Allow Remote Code Execution (971468) (uncredentialed check)
  • 46017 - MS10-025: Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858) (uncredentialed check)
  • 48405 - MS10-054: Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214) (remote check)
  • 49286 - MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) (EMERALDTHREAD) (uncredentialed check)
  • 105084 - Check Point Gaia Operating System SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (sk103683) (POODLE)
  • 78750 - SSLv3 Padding Oracle On Downgraded Legacy Encryption in Cisco ASA Software (cisco-sa-20141015-poodle) (POODLE)
  • 121472 - Citrix NetScaler Gateway TLS Padding Oracle Vulnerability (CTX240139)
  • 11197 - Multiple Ethernet Driver Frame Padding Information Disclosure (Etherleak)
  • 122359 - FreeBSD : OpenSSL -- Padding oracle vulnerability (7700061f-34f7-11e9-b95c-b499baebfeaf)
  • 79719 - HP SiteScope SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
  • 90512 - IBM Domino SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
  • 138903 - MySQL Enterprise Monitor 4.x < 4.0.9 / 8.x < 8.0.16 Padding Oracle (Apr 2019 CPU)
  • 91572 - OpenSSL AES-NI Padding Oracle MitM Information Disclosure
  • 86995 - SolarWinds DameWare Mini Remote Control < 12.0 Hotfix 2 SSLv3 Padding Oracle On Downgraded Legacy Encryption (POODLE)
  • 78479 - SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
  • 60016 - Vulnerability in TLS Could Allow Information Disclosure (2655992) (uncredentialed check)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file padding_oracle_ms10-070.nasl version 1.21. For more plugins, visit the Nessus Plugin Library.
