Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
cyberplace.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Cybersecurity, fandom, video games, technology, dog photos and most importantly, you.

Administered by:

Server stats:

961
active users

cyberplace.social: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

Kevin Beaumont

Microsoft released a blog this week which I don’t think people have fully understood the implications of, but it’s great research and a great attack by the threat actor.

I think it’s highly likely multiple threat actors will now jump on this, it’s even automatable.

The attack:

1) take a web.config file. They’re really easy to find.
2) POST request to RCE in IIS

The architecture of .net means this is surprisingly easy to do and you don’t patch your way out of it.

microsoft.com/en-us/security/b

Microsoft Security Blog · Code injection attacks using publicly disclosed ASP. NET machine keysMicrosoft Threat Intelligence observed limited activity by an unattributed threat actor using a publicly available, static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework. In the course of investigating, remediating, and building protections against this activity, we observed an insecure practice whereby developers have incorporated various publicly disclosed ASP.NET machine keys from publicly accessible resources, such as code documentation and repositories, which threat actors have used to launch ViewState code injection attacks and perform malicious actions on target servers.
Feb 07, 2025, 07:23 AM·Public
87boosts·98favorites
Public
Kevin Beaumont

I’ve bookmarked this thread so it doesn’t auto delete the toots, put it that way. You could just automate spraying the internet with this one.

Quiet public
Alex

@GossiTheDog o_O what in hades is this abomination?

Public
Charlotte

@GossiTheDog Ah viewstate, best of intentions and the worst of implementations 😃

Public
buherator
@GossiTheDog The dangers of exposing ViewState encryption keys (or encryption oracles) were popularized at least by 2010 because of the padding oracle fixed with MS10-070:

https://web.archive.org/web/20101225182433/http://netifera.com/research/poet//PaddingOraclesEverywhereEkoparty2010.pdf

Similar attacks can be executed against frameworks that also protect stateless session data with encryption/MAC's, see CVE-2018-15133 of Laravel:

https://mogwailabs.de/en/blog/2022/08/exploiting-laravel-based-applications-with-leaked-app_keys-and-queues/

We've been hunting for web.config's during pentests too - the latest exploit I remember must've been written around last December by teammate based on a file read vuln exposing web.config.

So yeah, don't expose your private keys... If you do, that's not the problem of the crypto system (or ASP.NET in this case).
web.archive.orgWayback Machine
Public *
JA

@buherator @GossiTheDog There's long list of "default" secret keys used for JWT and session cookies collected in various github projects. Similarly on Ruby on Rails, Django the secret session key can lead to RCE through unmarshalling. JWT can give you admin role etc.

github.com/wallarm/jwt-secrets

GitHubGitHub - wallarm/jwt-secretsContribute to wallarm/jwt-secrets development by creating an account on GitHub.
Public
zaicurity

@GossiTheDog MS Defender alerts if it finds configs with those leaked keys. Quite useful

Public
buherator
@mttaggart @GossiTheDog Some recurring themes in these repos are 1) abandonware 2) test/training code

Also, TIL you can use boolean expressions, e.g. you can filter for autogenerated keys:

https://github.com/search?q=%3CmachineKey+validationkey+path%3Aweb.config+NOT+autogenerate&type=code
ExploreLive feeds
About