Posts Tagged ‘’

Microsoft updates ASP.NET Flaw CVE-2010-333 with fix

September 29th, 2010 No comments

As mentioned earlier, the ASP.NET Session Security flaw has been keeping all .NET developers and Microsoft on the ball about possible exploits with their applications. Microsoft have updated their security advisory CVE-2010-333 with more information about the severity of the flaw – its taking Exchange and Sharepoint down with it too.

See Microsoft Security Bulletin MS10-070 for affected products and download the update fix for your setup 🙂

For ease of downloading, some configurations for you:

{lang: 'en-GB'}

ASP.NET Session Cookie Crypto Attack Exploiting

September 20th, 2010 No comments

If the Linux CVE-2010-3081: 64bit Linux Kernel Root Exploit didn’t get you, then this little birdy might. It seems the implementation of the AES encryption algorithm which protects the integrity of the Session Cookies in ASP.NET has a weakness which could enable an attacker to hijack sessions – Which bank? The idea behind the use of AES is to ensure that the crypt’d data hasn’t been tampered with – and hence decryptable, but unfortunately the flawed implementation of the use of AES and how it handles errors gives out some much needed clues for an attacker to pursue.

From TheThreatPost article:

In this case, ASP.NET’s implementation of AES has a bug in the way that it deals with errors when the encrypted data in a cookie has been modified. If the ciphertext has been changed, the vulnerable application will generate an error, which will give an attacker some information about the way that the application’s decryption process works. More errors means more data. And looking at enough of those errors can give the attacker enough data to make the number of bytes that he needs to guess to find the encryption key small enough that it’s actually possible.

There is a Microsoft Security Advisory (2416728) which gives some workarounds until a proper fix is made available. What’s really concerning is this little tidbitt from Thai Duong about Using their tool the Padding Oracle Exploit Tool or POET:

“It’s worth noting that the attack is 100 [per cent] reliable, [that is], one can be sure that once they run the attack, they can exploit the target. It’s just a matter of time. If the attacker is lucky, then he can own any ASP.NET website in seconds. The average time for the attack to complete is 30 minutes. The longest time it ever takes is less than 50 minutes.”

What’s really interesting is seeing the video of the exploit in action on dotnetnuke (don’t close your eyes). ScottGu has blogged about this exploit which goes into far more detail than I can, but if you’re keen there’s a nice document on using the Padding Oracle exploit and includes discussions regarding the JSF View state, cracking CAPTCHA schemes as well as some juicy details on CBC-R.

{lang: 'en-GB'}

ASP.NET MVC 2 released!

March 14th, 2010 No comments

Quick note that ASP.NET MVC 2.0 was released on Friday, still yet to play with the RTM, but don’t let me stop you. Go for it!

Link dump – mostly from Scott Hanselman’s announcement:

Exciting and just in time for a fairly large project we’re working on right now 🙂

{lang: 'en-GB'}

Bootilicious: MvcContrib 1.0 out

March 28th, 2009 No comments

Quick note that MvcContrib 1.0 is out! A perfect companion for ASP.NET MVC with some damn useful extensions to help you.

{lang: 'en-GB'}

Hot Panties: ASP.NET MVC Released!

March 19th, 2009 No comments

Microsoft ASP.NET

JIT for a deployment of UAT for a project we’re working on, Microsoft have released ASP.NET MVC framework as a final RTM only hours ago.

I’ve been working with the framework for the past couple of months and I have to admit its been a burst of fresh air from the standard webforms model.

Download a copy of the RTM and give the samples ago, its bootilicious and hopefully will bring a new cleaner way to write your ASP.NET sites in the future – not that you couldn’t do this before.

The other cool addition is the MVCContrib project which is a complimentary tidbit to help you.

See the ASP.NET MVC site for more information including the ASP.NET MVC Source and dont forget about the free eBook chapter from the upcoming book Professional ASP.NET MVC 1.0.

Ah, memories of Struts without the tears and the pain.

{lang: 'en-GB'}

Microsoft releases IE8 Beta 1 and ASP.NET MVC RC1

January 28th, 2009 No comments

Wow, what a stinking hot day today was, utter chaos on our public transport system (which they are explaining and not making excuses about just incase you got con’nexed into thinking that) so it was nice to spend some time on the beach like the rest of the crowd.

More importantly, news in the virtual werld is that Microsoft have released Internet Explorer 8 RC1 for everyone to test against. Essentially its now feature complete and will behave like RC1 at final RTM. So give that a go, if you were a tester you’ll be glad to know that your pre-RC1 copies will upgrade. You wont be able to install it on Windows 7 though!

If you want to peak Inside Internet Explorer 8 theres a good interview on Channel 9 with Dean Haachamovitch and Jason Upton.

Then, theres the release of ASP.NET MVC Framework RC1. See the release notes and take a look.

{lang: 'en-GB'}

HOWTO: Running ASP.NET 2.0 Ajax Toolkit 1.0.x in .NET 3.5 / SP1 IIS

October 1st, 2008 3 comments

We had a bit of a dilema at work today, we just sent a version of a web application we’ve been working on for the past few months to staging (testing) to our client. Our client mentioned a move to .NET 3.5 is pending on the boxes there and that they need to ensure the products we ship are compatible. Should be right?

We use the Microsoft Ajax Toolkit throughout the product in question, which is totally rad! The last version thats for .NET 2.0 is 20229 released in late February 2008, however with .NET 3.5 SP1 System.Web.Extensions and System.Web.Extensions.Design are already included which elivates the need to _install_ the AjaxControlToolkit.msi on the server itself. The only thing is that we need to redirect all binding references to the newer 3.5 code by using <assemblyBinding> (within <runtime>) in the Web.Config also known as Assembly Binding Redirection.

Our web-server setup:

Product Setup:

  • ASP.NET 2.0 (3.5 still uses the .NET 2.0 ASP.NET engine)
  • AjaxControlToolkit – v1.0.20229.20821

Compiled with Visual Studio 2005 SP1.

Within the <configuration> elements in the Web.Config file, add the following:

<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<assemblyIdentity name="System.Web.Extensions" publicKeyToken="31bf3856ad364e35"/>
<bindingRedirect oldVersion="" newVersion=""/>
<assemblyIdentity name="System.Web.Extensions.Design" publicKeyToken="31BF3856AD364E35"/>
<bindingRedirect oldVersion="" newVersion=""/>

If your developer machines do not have .NET 3.5 SP1 installed then the above lines will need to be commented out as the CLR will fail to attempt to load newer versions.

Thats it! You dont need to update any assemblies or any other Web.Config settings.

{lang: 'en-GB'}

Microsoft will support JQuery in the future!!!

September 29th, 2008 No comments

Mondays are always a drag, the weekends over, you have a full 5 days to get through before the next weekend – a steep contrast to my uni days, when all hope was pinned on waiting for the end of semester.

Yesterday Scott Guthrie posted some very exciting news about Microsoft supporting the JQuery project in the future.

I’m excited today to announce that Microsoft will be shipping jQuery with Visual Studio going forward.  We will distribute the jQuery JavaScript library as-is, and will not be forking or changing the source from the main jQuery branch.  The files will continue to use and ship under the existing jQuery MIT license.

We will also distribute intellisense-annotated versions that provide great Visual Studio intellisense and help-integration at design-time.

This is huge news and a very welcome suprise – especially for a Monday.

But wait, theres more:

Going forward we’ll use jQuery as one of the libraries used to implement higher-level controls in the ASP.NET AJAX Control Toolkit, as well as to implement new Ajax server-side helper methods for ASP.NET MVC.  New features we add to ASP.NET AJAX (like the new client template support) will be designed to integrate nicely with jQuery as well.

Can things get any better?

We also plan to contribute tests, bug fixes, and patches back to the jQuery open source project.  These will all go through the standard jQuery patch review process.

Turns out to be a not so bad Monday after all, now if we could just work on the traffic around Melbourne.

{lang: 'en-GB'}

TIP: Quick tip on how to Debug ASP.NET Web Application Deployed in IIS

September 8th, 2008 1 comment

Heres a real quick tip (+ info) on how to debug a ASP.NET Web Application/Site when running inside IIS itself. After the launch of Whidbey (Visual Studio 2005) we didn’t really need to have Internet Information Services (IIS) installed thanks partly to the bundled hosting engine (based on Cassini). But sometimes – just sometimes  🙄 – when you deploy your ASP.NET web apps to IIS you’ll find things break – like we just experienced – unlike running via the internal web-server.

To debug an already running IIS process – with the project loaded.

  1. Debug > Attach to Process
  2. Select either aspnet_wp.exe or w3wp.exe. (see note below)
  3. Enter a break-point somewhere in your code
  4. Visit the page/refresh.

Sometimes you may need to untick “Enable Just My Code (Managed Only)” in the Options > Debugging list.

Why the aspnet_wp.exe and w3wp.exe difference?

If the IIS server is running under IIS 5.0 Isolation Mode, then you need to attach to the ASP.NET Worker Process (aspnet_wp.exe) where as if your running under the Worker Process Isolation Mode (which is the default in IIS 6.0) you will need to attach to the w3wp.exe process.

From the TechNet Documentation:

Worker process isolation mode delivers all the benefits of IIS 6.0 new architecture: robust application pooling; automated restarts, scalability, debugging; and finely-tuned performance tuning. Web applications run with the Network Service identity, which provides a security advantage: the Network Service account has lower access privileges than LocalSystem.

In version 5.x of IIS the ASP.NET ISAPI Filter (aspnet_isapi) which is an unmanaged piece of code that runs within the inetinfo.exe process that offloads the work to the ASP.NET Worker Process (aspnet_wp) that trickles the workload down the rabbit hole.

However in IIS 6.x the process is a little different, specifically we have a kernel mode HTTP driver (http.sys) which ships apart of the Windows Networking subsystem. This acts as the gateway for the incoming requests for the web-server. It first parses the request and dispatches it to the IIS 6.0 Worker Process (w3wp.exe) which then loads the ASP.NET ISAPI (aspnet_isapi) and follows on down the rabbit hole.

Read the TechNet articles on more information about the HTTP Protocol Stack in IIS 6.0.

Just how far down does the rabbit hole go?

If your interested in learning more about the internals of the ASP.NET Worker Process and inparticular how ASP.NET works ‘under the hood’ you’re best to look at Rick Strahl‘s *excellent* article – A Low-Level look at teh ASP.NET Architecture which just got updated late last month (24th)!

{lang: 'en-GB'}