Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Sep 28, 2010

ASP.NET padding oracle, check your logs!

Microsoft has now released a patch for the padding oracle attack, but most system owners will still need some time to test the new patch before going live with it. Until the patch is applied we need to keep an eye on our logs in order to detect potential attacks.

In ScottGu's FAQ post he informs that an attack attempt would generate a large amount of entries in the application event log. In the subsequent update he presents a revised workaround to block requests with an aspxerrorpath parameter. To detect attacks involving this parameter, we also need to look at the IIS logs.

Fortunately, Microsoft offers the LogParser tool — the swiss army knife for parsing large amounts of data from IIS logs, event logs, or even the registry or AD (!). Check it out!

I'll give some examples here on how LogParser can be helpful in detecting whether someone has been talking to the oracle in your ASP.NET enabled webserver. Note that LogParser is a command line utility and will open in a command prompt. Note also that some of the logparser commands included below have been broken over several lines to increase readability. If you experience problems, try running the command on ONE line in your command prompt.

Check the event log
In ScottGu's FAQ post on the vulnerability he informs that an attack attempt would generate a large amount of entries in the application event log:

Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 11/11/1111 11:11:11 AM 
Application information: 
    Application domain: c1db5830-1-129291000036654651 
    Application Virtual Path: / 
Exception information: 
    Exception type: CryptographicException 
    Exception message: Padding is invalid and cannot be removed.

You can search for these events in the eventlog:

logparser "select count(*) from *.evt where Message like '%Padding is invalid%'"

This should give you something like this:

COUNT(ALL *)
------------
0

Statistics:
-----------
Elements processed: 402859
Elements output:    1
Execution time:     40.75 seconds

If the count is larger than 0, then there were entries in the log that needs to be inspected.

In that case, the matches can be dumped to a file called e.g. dump.csv by logparser:

logparser "select * into dump.csv from *.evt
where Message like '%Padding is invalid%'" -o:csv

This will output a file where the data fields are comma separated.

Check the IIS log
To further check what's going on in your webserver, use LogParser to search for requests containing the aspxerrorpath= parameter:

logparser "select count(*) from mybusywebserver.log
where cs-uri-query like '%aspxerrorpath%'" 

Which should yield something like this:

COUNT(ALL *)
------------
551

Statistics:
-----------
Elements processed: 2147336
Elements output: 1
Execution time: 13.81 seconds

The above query was run on  a logfile from a server lacking the customerrors configuration trick suggested by ScottGu. Running it on a file from a server with the recommended customerrors tweak (with the responseRewrite) applied should yield (unless someone is attacking you):

COUNT(ALL *)
------------
0

Statistics:
-----------
Elements processed: 1008100
Elements output:    1
Execution time:     8.61 seconds

If your logfile contains entries with the aspxerrorpath parameter, run the query again, but this time dumping the results to a csv file for closer inspection:

logparser "select * into dump.csv from mybusywebserver.log
where cs-uri-query like '%aspxerrorpath%'" -o:csv

More on LogParser
LogParser can handle several files simultaneously, just use a wildcard like I did, e.g. *.evt. LogParser will also handle logfiles from several servers. Very handy if you have clustered webservers — you can analyze logs across your cluster!

Check out the Logparser forum for more details on the magic bits.

LogParser rocks!

19 comments:

  1. Replies
    1. یکی از بهترین سایت های موزیک برای دانلود آهنگ سایته: دانلود آهنگ جدید دانلود آهنگ قدیمی
      می باشد که دارای ارشیو کامل از

      Delete
  2. You should be really educated to understand this. And doing homework is very important here. By the way, you can check this out if you want to make your homework fun.

    ReplyDelete
  3. نحن في شركتنا نعمل علي دشن علمية لائحة علي أبحاث تحت مراقبة فنيين و كوادر على إستيعاب كامِل
    بمجال مكافحة الحشرات و المبيدات ؛ لهذا تقدم شركتنا عدد من الخدمات و الإجابات
    العاملة علي القضاء علي الحشرات و إبادتها كليا و نهائيا دون ظهورها أو عودتها مرة أخرى للموقع.
    القضاء الكامل علي الفئران و القوارض هائلة المقدار فى هذة الخدمة تنفرد شركتنا بمبيد خاص بها
    يميزها عن غيرها من المؤسسات في سرعة القضاء الفعلى علي الفئران و إضافة المادة عليها
    وضعها بأماكن هذه الحشرات بما يتناسب مع حجمها فسريعا ما ياكل منها الفئران بوحشية دون مقاومة .
    فتؤدي هذة المادة الي إعطاب الجهاز التنفسي للفئران و التخلص منها أثناء الساعات الأولي بعد الزيارة أو المكافحة مع مرحلة ضمان تبلغ الي عام فلا تترددوا فى التواصل بينا .
    شركة مكافحة حشرات
    شركة مكافحة حشرات بابها
    شركة رش مبيدات بابها
    شركة مكافحة النمل الابيض بابها

    ReplyDelete
  4. Thank you so much for sharing this pretty post, it was so good to read and useful to improve my knowledge as

    yahoo mail myaccount login

    ReplyDelete
  5. Thanks for this valuable information sharing, and i learned a lot and cleared my all doubts in this.. keep posting like this useful information.
    post free classified ads in india

    ReplyDelete
  6. Thanks for this valuable information sharing, and i learned a lot and cleared my all doubts in this.. keep posting like this useful information.
    Scaffolding Dealers in Chennai
    Aluminium Scaffolding Dealers in Chennai

    ReplyDelete
  7. Thanks for sharing this wonderful information. I hope you will share more helpful information regarding the content.
    web portal development company in chennai

    ReplyDelete
  8. Thanks for sharing this wonderful information. I hope you will share more helpful information regarding the content.
    scaffolding dealers in chennai
    aluminium scaffolding dealers in chennai

    ReplyDelete
  9. This is a great success of Microsoft because through this, users will get benefits and solve their issues related to padding oracle check. This is a positive step towards success. Assignment writing services.

    ReplyDelete
  10. No person will serve on both staffs, no Editorial employee will be asked to perform duties on behalf of an advertiser.The WebMD Editorial staff is charged with the responsibility of providing objective, accurate, and balanced accounts of events and issues. WebMD reporters must diligently seek out subjects of stories or qualified experts to provide commentary. They also seek objective commentary or comment from a qualified spokesperson to provide balance.WebMD journalists strive to provide thorough and honest coverage and share a dedication tothe highest professional standards.Original Content ProcessThe content that we produce and the news that we feature is determined by our staff of physicians and medical journalists.

    "We had four games Best Yeezys and in Coach Outlet Clearance Sale those four games less people were injured than Jordan Shoes For Sale will most likely Cheap Michael Kors Handbags be injured in any MK Outlet Online single first Coach Outlet Online game in the NFL Nike Air Force 1 Cheap Outlet this year," Kwatinetzsaid duringa conference call (via Ray Ban Outlet The Associated Press). "People are injured in the NBA all the time, unfortunately. Cars crash in NASCAR and these things do happen..

    ReplyDelete
  11. I'll give some examples here on how LogParser can be helpful in detecting whether someone has been talking to the oracle in your ASP.NET enabled webserver. bed linen online , homechoice comforters , single bed sheets online , bridal bed sheet price , jersey duvet cover , single razai , plain sofa covers , velvet fitted sheet Note that LogParser is a command line utility and will open in a command prompt. Note also that some of the logparser commands included below have been broken over several lines to increase readability. If you experience problems, try running the command on ONE line in your command prompt.

    ReplyDelete
  12. ASP.NET is a developer platform made up of tools, programming languages, and libraries for building many different types of applications. I also make assignment on it with the help of how to write acknowledgement for dissertation at that I don't have knowledge about it but after reading your blog I got so many things. Thankyou so much for posting this informative stuff.

    ReplyDelete
  13. I am really happy to discover this website. All blog are very meaningful and valuable. We provide technical support for the emails related issues like how to fix Verizon Server Setting in Outlook.

    ReplyDelete

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.

Read other popular posts