RE: Spoofing .NET ViewState (MAC config details)

["Evans, Arian" <Arian.Evans () fishnetsecurity com>]

inline; I removed parts of HD's post & added clarifications;
recommend reading HDs original post for his full quality ideas.

> -----Original Message-----
> From: H D Moore [mailto:sflist () digitaloffense net] 
>
> The ViewState has a 'MAC' appended to the end by default. If 
> you modify the ViewState with ViewStateMac enabled (default in web.xml),

--ViewState enableViewStateMac is specified in both machine.config
and web.config (the first being more of a global config and the
latter allowing for application/VD specific configs and can be
nested hierarchically in app directories)

--enableViewStateMac defaults off in .NET 1.0

--enableViewStateMac defaults on in .NET 1.1 & 2.0, though I recall
MS official documentation states that it is off for 1.1

--you can also control enableViewStateMac=true/false at the page level
via directive (<%@Page enableViewStateMac='false' %>)
or script Page.EnableViewStateMac = false;

> the .NET layer will mark it as invalid and the error handler will be 
> invoked. This MAC is either a MD5 or SHA-1 hash of the ViewState data plus

--If enableviewstatemac is on in the environment you are attempting to
submit your made-up viewstate, it will get dumped, in short...

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000007.asp

--The file machine.config, is located by default outside the published webroot in:

%systemroot%\Microsoft.NET\Framework\$version_number\CONFIG\machine.config

--SHA1 is the default hash, at least in .NET 1.1

--You can specify encryption of Viewstate as well; 3DES or AES

> 2) If you can force the application to place your data into 
> the ViewState, 
> you can replay the MAC'd VS string for the life of the key. 
> The VS has a 
> Page ID embedded within it, this should prevent that VS from 
> being valid 
> on any other pages, however in 1.0 it was not enforced 
> (IIRC), not sure 
> about 1.1 or whatever the latest version is.
 
> 3) If you break into the .NET server, you can hardcode the 
> encryption key and view state key inside web.xml - if you
> modify the default web.xml file (somewhere in System32?)

--file is machine.config; see above

--Recommend double-check my statements on MSDN. I am
<!=$default_sleep_requirements at the moment,


-ae





------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------