Thursday, September 30, 2010

Microsoft .NET vulnerability and Defense In Depth

A lot of people have spoken about the Microsoft vulnerability, but I've missed one thing in all of this...

First, I have to recognize that Microsoft designed this technology very well, and the proof is that, in my experience, a server developed on .NET is harder to exploit than Java/PHP. A default component (think of an ASP.NET ComboBox or DropDownList) includes enough validation against tampering to push us to try harder, focusing on design errors or on the components that were developed from scratch (think about that beautiful upload feature ;p).

So, we have a cool technology (.NET) with a lovely design that is protected with sound cryptography. However, since the crypto seems to be "unbreakable", we feel brave enough to:
  • Put the configuration file (Web.config) in the root of the published web folder.
  • Have a nice script (WebResource.axd / ScriptResource.axd) able to deliver any (afaik) file under the web root.
The problem is that, eventually, the enemies will find a weakness in the only defense of our castle (cryptography), and we all know how the story ends... another good tale for Defense In Depth.

Finally a patch was released, but before that, I read all the mitigations published by Microsoft and I missed one...

Ok, in the Web.config we have plenty of critical information (database credentials, encryption keys, ...). So, why don't we recommend encrypting this information? Maybe I'm missing something, but with this remediation the client will be able to sleep better using Defense In Depth (Protected Storage).
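As an added example (not part of the original post), this is how the remediation above looks in practice with .NET Protected Configuration: the sensitive Web.config sections are encrypted with aspnet_regiis.exe, so a file-disclosure bug returns ciphertext instead of credentials, and the file is then checked for leftover plaintext. It assumes .NET Framework 4 on x64, an elevated prompt on the web server itself (the DPAPI provider ties the ciphertext to this machine), and a placeholder site path of C:\inetpub\wwwroot\MyApp.

```powershell
# Added example: encrypt secret-bearing sections of an ASP.NET Web.config
# with Protected Configuration, then verify that no plaintext secrets remain.
# Assumptions: .NET Framework 4 x64; run elevated on the web server; the site's
# physical path below is a placeholder.

$regiis   = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
$appPath  = "C:\inetpub\wwwroot\MyApp"          # placeholder physical path of the site
$config   = Join-Path $appPath "Web.config"
$sections = @("connectionStrings", "appSettings")

foreach ($section in $sections) {
    # -pef encrypts a section given the site's physical path.
    # DataProtectionConfigurationProvider uses DPAPI with the machine key, so the
    # ciphertext is only usable on this host; the app decrypts it transparently at runtime.
    & $regiis -pef $section $appPath -prov "DataProtectionConfigurationProvider"
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed on section '$section'" }
}

# Verification: encrypted sections now carry a configProtectionProvider attribute and
# an <EncryptedData> element. Look for typical plaintext credential markers anyway,
# in case a secret lives in a section that was not on the list above.
$content = Get-Content $config -Raw
if ($content -match "password=|pwd=") {
    Write-Warning "Plaintext credential markers still present in $config"
} else {
    Write-Host "No plaintext credential markers found. Protected sections:"
    Select-String -Path $config -Pattern "configProtectionProvider" | ForEach-Object { $_.Line.Trim() }
}

# For maintenance on the same machine, a section can be decrypted again with:
#   & $regiis -pdf "connectionStrings" $appPath
```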

Monday, September 27, 2010

CTF hangover

I've spent the last 2 weekends on two great CTFs:

  • RootedCON'2010 CTF: I love the challenges focused on web stuff. The good thing about this CTF is that it keeps pushing you until you try harder and find a solution. Finally I finished in the top ten with some crazy approaches :). Thanks to roman_soft and dreyer for putting this challenge together. If you missed it, be quick, as it'll stay open for some more weeks.
  • CSAW CTF: Typical CTF in the style of the Defcon quals, nice challenges, but I wanted to see the solutions of some "impossible" challenges (xss3, web300 and the bonus_crypto).
I'll put up some writeups of the CSAW challenges soon. The RootedCON writeup will wait until the contest is over, as I don't want to ruin people's "fun" xD.