CVE-2010-3332

EPSS 67.5%

Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."

Produtos afetados

n/a · n/a

PoCs públicas encontradas — 4

githubgithub.com/bongbongco/MS10-070★ 0 exploitdbwww.exploit-db.com/exploits/15213não verificado exploitdbwww.exploit-db.com/exploits/15265não verificado exploitdbwww.exploit-db.com/exploits/15292não verificado

⚠ Recursos públicos, para você avaliar a exposição de sistemas que controla ou está autorizado a testar. Teste apenas com autorização.

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx http://isc.sans.edu/diary.html?storyid=9568 http://pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070 http://secunia.com/advisories/41409 http://securitytracker.com/id?1024459 https://exchange.xforce.ibmcloud.com/vulnerabilities/61898 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12365 http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310 http://twitter.com/thaidn/statuses/24832350146 http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2799/Oracle-Padding-Vulnerability-in-ASP-NET.aspx