by tptacek 5750 days ago
Exactly how do you know that? Juliano used his pre-existing tool (POET) to get admin privileges on DotNetNuke, without ever having used DNN --- or, presumably, modifying his tool. DNN is not an obscure .NET app.

What makes you make a comment like this? What evidence are you basing it on?


>Exactly how do you know that?

I have never worked on an ASP.NET-based site that relied upon cookies, encrypted or not, for anything. Even where the built-in forms authentication was used the username always had correlating server-side state that was triumphant.

So saying that you can modify cookies == a complete and utter non-issue for any site that followed any reasonable security practices.

The easy answer here is to say, "you mean besides DotNetNuke".

The deeper answer would be to point out that my day job is security evaluation for apps, roughly 50% of which are Fortune-100 web applications, roughly 60% of which are .NET applications, and you're flat-out wrong. There's a reason why cookie/session security is #3 on the OWASP top 10.

You're also presuming that the issue being discussed is, specifically, a cookie.

I understand why you're as defensive as you are; you're a professional .NET developer and Hacker News is hostile to Microsoft and, especially, .NET. Listen to me: I am not hostile to Microsoft or .NET. Microsoft is a client of ours. They do software security better than any company in the industry. Take my word for it: it appears that they screwed this one up just like everyone else that tries to encrypt with AES.

>The easy answer here is to say, "you mean besides DotNetNuke".

Yes, I see you've already mentioned DNN. It's good that you have that example. It would be interesting if I somehow claimed that every app is immune to it.

Countless apps have countless vulnerabilities.

>You're also presuming that the issue being discussed is, specifically, a cookie.

I know that the issue being discussed is specifically a cookie. It's specifically an AES-encrypted cookie.

To your edit: Defensive? Hardly. I'm just bitter after an endless stream of B.S. security claims by the security industry. It always follows the same pattern of arm waving and press releases, with a promised demonstration, and then the day of reckoning comes and...quiet. Maybe this will be the exception, but we'll see.

This has nothing to do with any sort of loyalty to .NET, though I hardly find HN to be anti-.NET, or anti-Microsoft for that matter. Whatever, in any case. It isn't my fight to wage.

"It always follows the same pattern of arm waving and press releases, with a promised demonstration, and then the day of reckoning comes and...quiet."

A few minutes ago, live on stage at a security conference in Buenos Aires (#ekoparty) they popped local SYSTEM privileges remotely on both DotNetNuke and SharePoint installed in a typical production configuration.

In case you think they stacked the deck, those applications were chosen only a couple of days ago after Juliano asked on Twitter for suggestions for the presentation.

What do you mean by "local SYSTEM"?

I eagerly look forward to details on it. Where might I find them?

> What do you mean by "local SYSTEM"?

The highest system privilege level on Windows. They were able to interactively run CMD.EXE as the LocalSystem account on the remote web server.

> I eagerly look forward to details on it. Where might I find them?

The details were not disclosed until today when the attack was presented at a security conference. As far as I know there isn't anything available online yet, but that should change very soon.

You have their deck or their paper? URL? I'm a casual acquaintance of both Juliano and Thai, and friends with other Netifera people, and so all I have to go on is what they've told me. I'd be interested in reading the actual material.

You have it, right? You sound like you do. Otherwise, how would you know how serious the issue is?

That's a nice shtick (the defensive bit was my favourite addition). It's also facile.

They specifically detailed that it's an AES cookie encryption attack, yet you're acting like I'm going on a limb saying that?

So it isn't exactly an AES Cookie Encryption Attack, it is actually worse: http://www.ekoparty.org/juliano-rizzo-2010.php

The most significant new discovery is a universal Padding Oracle affecting every ASP.NET web application. In short, you can decrypt cookies, view states, form authentication tickets, membership passwords, user data, and anything else encrypted using the framework's API!

Where did they specifically detail that it is an AES cookie encryption attack?
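The property the comment above is pointing at, a server whose padding failures are distinguishable from its other failures, and the fix that removes it, shown as an added Python example that is not part of this thread and not Rizzo and Duong's POET. The block cipher is a toy 4-round Feistel network built on HMAC-SHA256 so the script runs on the standard library alone (an assumption of this example, not a real cipher); the keys, IV and `key=value` record format are constructed sample values. The vulnerable handler decrypts, unpads and then parses, reporting each stage's failure differently; the hardened handler applies encrypt-then-MAC and rejects any tampered token with one uniform response before the padding is ever examined.

```python
"""Distinguishable padding failure (the oracle) versus MAC-before-decrypt.
Toy block cipher: 4-round Feistel over HMAC-SHA256 (assumption, stdlib only)."""
import hashlib
import hmac

BLOCK = 16          # CBC block size in bytes
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    # Feistel round function: keyed hash of the half-block, truncated to 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r


def block_decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return iv + out


def cbc_decrypt(key, data):
    iv, ct = data[:BLOCK], data[BLOCK:]
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out


# Vulnerable design: decrypt, unpad, then parse; each stage fails differently,
# so a client can tell "padding was wrong" apart from "padding was fine".
def vulnerable_handle(key, token):
    try:
        plain = pkcs7_unpad(cbc_decrypt(key, token))
    except ValueError:
        return "padding_error"
    if b"=" not in plain:
        return "parse_error"
    return "ok"


# Hardened design: encrypt-then-MAC; verify the tag before touching padding.
def seal(enc_key, mac_key, iv, plaintext):
    body = cbc_encrypt(enc_key, iv, pkcs7_pad(plaintext))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def hardened_handle(enc_key, mac_key, token):
    body, tag = token[:-32], token[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return "rejected"                         # the only failure ever reported
    try:
        plain = pkcs7_unpad(cbc_decrypt(enc_key, body))
    except ValueError:
        return "rejected"
    return "ok" if b"=" in plain else "rejected"


def tamper(token, index, delta=0x01):
    b = bytearray(token)
    b[index] ^= delta
    return bytes(b)


def responses(enc_key, mac_key, iv, plaintext):
    """Flip one byte in the IV and one in the block before the last, then
    collect each handler's answers. Returns (vulnerable_set, hardened_set)."""
    vuln_token = cbc_encrypt(enc_key, iv, pkcs7_pad(plaintext))
    hard_token = seal(enc_key, mac_key, iv, plaintext)
    positions = [0, len(vuln_token) - BLOCK - 1]
    vuln = {vulnerable_handle(enc_key, tamper(vuln_token, p)) for p in positions}
    hard = {hardened_handle(enc_key, mac_key, tamper(hard_token, p)) for p in positions}
    return vuln, hard


if __name__ == "__main__":
    # Constructed sample keys and IV; real deployments use random, distinct keys.
    ENC_KEY, MAC_KEY, IV = b"e" * 32, b"m" * 32, b"\x00" * BLOCK
    print(responses(ENC_KEY, MAC_KEY, IV, b"user=alice;role=user"))
```

Running it prints two sets: the vulnerable handler answers `ok` to one tampered token and `padding_error` to the other, which is exactly the bit of information a padding oracle leaks, while the hardened handler answers `rejected` to both. The design point is that the MAC check happens first, in constant time, and that every failure after it collapses to the same response, so nothing about the padding or the plaintext is observable from outside.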