Penetration Testing mailing list archives
RE: Spoofing .NET ViewState (MAC config details)
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Fri, 13 Jan 2006 16:15:59 -0600
inline; I removed parts of HD's post & added clarifications; recommend reading HDs original post for his full quality ideas.
-----Original Message----- From: H D Moore [mailto:sflist () digitaloffense net] The ViewState has a 'MAC' appended to the end by default. If you modify the ViewState with ViewStateMac enabled (default in web.xml),
--ViewState enableViewStateMac is specified in both machine.config and web.config (the first being more of a global config and the latter allowing for application/VD specific configs and can be nested hierarchically in app directories) --enableViewStateMac defaults off in .NET 1.0 --enableViewStateMac defaults on in .NET 1.1 & 2.0, though I recall MS official documentation states that it is off for 1.1 --you can also control enableViewStateMac=true/false at the page level via directive (<%@Page enableViewStateMac='false' %>) or script Page.EnableViewStateMac = false;
the .NET layer will mark it as invalid and the error handler will be invoked. This MAC is either a MD5 or SHA-1 hash of the ViewState data plus
--If enableviewstatemac is on in the environment you are attempting to submit your made-up viewstate, it will get dumped, in short... http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000007.asp --The file machine.config, is located by default outside the published webroot in: %systemroot%\Microsoft.NET\Framework\$version_number\CONFIG\machine.config --SHA1 is the default hash, at least in .NET 1.1 --You can specify encryption of Viewstate as well; 3DES or AES
2) If you can force the application to place your data into the ViewState, you can replay the MAC'd VS string for the life of the key. The VS has a Page ID embedded within it, this should prevent that VS from being valid on any other pages, however in 1.0 it was not enforced (IIRC), not sure about 1.1 or whatever the latest version is.
3) If you break into the .NET server, you can hardcode the encryption key and view state key inside web.xml - if you modify the default web.xml file (somewhere in System32?)
--file is machine.config; see above --Recommend double-check my statements on MSDN. I am <!=$default_sleep_requirements at the moment, -ae ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- RE: Spoofing .NET ViewState (MAC config details) Evans, Arian (Jan 14)