Added: 1 year ago
From: cryptbe
Views: 71,127
All Comments (70)

  • Please, I have a problem running poet.py in a Python script. It says insufficient argument. Please help!

  • So - assuming you have CustomErrors not set to "Off" and redirectmode set to "ResponseRewrite" - does this protect you from this vulnerability? Or is this irrelevant?

  • NameError: global name 'reduce' is not defined

  • I have the following error when I write this function in Python

    Traceback (most recent call last):

  • I want the poet.py too...

  • Can anyone please let me know the site for poet.py? I tried the jar file for the same but it's not working. I want to give the Python one a try. Immediate help would be great.

  • Does anyone know the name of this song?

  • @tiagobevilaqua Google for the lyrics. "just believe me girl sometime I'll pay the bills with this guitar" should do the trick.

  • @joertjoert My listening is not good enough for that. But I got it using Shazam! - "Plain White Ts - Hey There Delilah".

  • Why would anyone save information about a user's login name or security access in a cookie? This should be set in the Session object instead. That way the only cookie set is the cookie that is the ASP.NET Session ID.

  • @wydok ASP.NET Form Authentication works that way. Regardless of what we might think about it, it is a design decision of Microsoft, DotNetNuke is just following "the standard way to do it".

  • @wydok

    <authentication mode="Forms">
      <forms name=".DOTNETNUKE" protection="All" timeout="120" cookieless="UseCookies" />
    </authentication>

    If you browse the source code, you can easily determine what they have put in the auth cookie.

    If it had been closed source, you could achieve the same with reflection (or simply copying the cookie into an app which decrypts the key).

    Basically, ASP.NET Form Auth cookies are 100% f*cked once your keys are in the hands of the bad guys.

  • Okay, so this POET tool uses a bug in ASP.NET in how it handles padding, and uses a brute force method to send multiple requests to an ASP.NET website until it gets a correct response and is able to use that to find the encryption key.

    But how does POET then use that key to determine the proper cookie to set to give a user admin privileges? Is it based on the concept that DotNetNuke uses a specific username as the superuser?

  • This is completely stupid!!!!

    And it has nothing to do with ASP.NET.

  • good job, thai. You really nuked M$ LOL

  • OMG guys, this is absolutely perfect, I can't say anything else, but congratulations!

  • uggghh

  • The things people do for momentary fame. Get a life. Don't you people have anything better to do than threatening the whole world? You guys have some serious skillz that could definitely be put to better use.

  • @MrPrahalath That's how security research progresses. This is good work.

  • @MrPrahalath If this guy doesn't find the problem and work towards fixing it, then somebody else will find the problem and work towards exploiting it. I hate to put words in your mouth, but it sounds like you're saying "don't look for a problem, focus on more important things." With a foundation as widely accepted as ASP.Net, the problem is the important thing and it does need to be fixed.

  • @coreyogburn momentary fame: This particular software "bug" or whatever you guys call it was exposed to the public *before* the relevant authorities were notified about it. This was the real security risk imo -- with video instructions on youtube on how to go about breaking into an ASP.NET installation.

    What part of this problem can cryptbe accept responsibility for? He just went "oops..." while everyone else was scrambling desperately to find a solution to the problem.

  • @MrPrahalath Papers published since 2002 define this class of vulnerabilities. Would 8 years satisfy "due time" for crypto vendors to remedy the padding oracle attack?

    And CBC-R works because ASP.NET does Encrypt-Without-MAC; you would have to go back to medieval times to find people who didn't know that is a vulnerability.

    Microsoft failed in many ways here.

    I don't know when or if MSRC was notified, it is interesting that ASP.NET was omitted in the first papers by these guys. Was this really "0-day"?

  • @randomgeocacher

    The old hacker opinion seems to be: "Lets screw it up so that SOMEONE ELSE CAN HANDLE IT BETTER in the future"

    0-Day:

    No matter what form 0-Day takes (...if ever), it will inevitably consist of many many tiny "SOMEONE ELSE WILL HANDLE IT" moments. This can be seen in explosions and wars and other areas where people are afraid.

    Since the internet is the internet only because everyone is using it, a person is either a part of the problem or a part of the solution.

  • @MrPrahalath See section D. of the RFP policy and compare to MSRC: weird response, followed by months of no fix. Guess why people aren't complying? See statements from Veracode researchers etc. as well.

  • Comment removed

  • @coreyogburn Nothing in this world is perfect. This is something we all know. You can buy the most expensive car in the world and it *will* come with some imperfection. This is a fact. Timing and the order in which one does something is also an important factor in getting things right.

  • cryptbe, you and the hoax artists that presented this at ekoparty and made this video are clowns. Anyone who knows ASP.NET and DNN knows you rigged this for breakage. Your video shows plainly that the setup not only doesn't follow best practices, but doesn't even have the default DNN install protections in place. Quit claiming the MS work-around won't work, and PROVE it.

  • fag. get rid of the gay music and maybe ill watch instead of thumbs down 5 seconds in.

  • hi guys! how would somebody get a hold of your web.config in the root folder?

  • @cryptbe I have to ask: are those encryption & mac keys really broken directly by the attack, or just by the access it gains to the web.config file?

  • I would like to see visual proof that leaving the customerror = on doesn't stop this.

  • I love the song in the background!

  • Can't believe this.....

    I hope Microsoft fixes this soon...

  • Will your tool work with customErrors set to RemoteOnly? According to a recent Technet Blog post, setting customErrors to RemoteOnly will plug the security hole.

  • Tried this with the Java version and it crashes once it has detected the key in the form. Is the Python version available?

  • That's very cool....

  • Scary. Easy to thwart. You need to turn customErrors ON and set a defaultRedirect to a standard error page.

    You can read about it at ScottGu's Blog.

  • Nice, is poet.py available for download anywhere?

  • Comment removed

  • Thai, what did you do to the server? The song sounds very sad.

  • Is it true that you guys threw usb keys out into the audience containing this, before giving MS a chance to respond?

    The internet.. as a whole... hates you.

  • Downvoted for douchey music.

  • Wow... pwned from a Mac to boot.

  • Given the inappropriate disclosure of the vulnerability it's probably not advisable to share this type of content until the vendor has had an opportunity to respond appropriately. Ethical debate of the content aside the video also violates copyright with the music being used in the background.

  • What is the song?

  • @sharok89 Hey There Delilah by Plain White T's

  • @yaonya thanks

  • Where I can find POET tool? I'd like try it myself

  • POET crashes often....

    It's also inconsistent, i.e. the same link can return no forms even though it has previously recognized the forms.

  • Very misleading. Unless you provide a proof a that this can be done with CustomErrors ON, the whole issue is irrelevant.

  • Well done man....

    I'm working on this right now

    I got questions though.. first off the poet tool used here is in PYTHON as opposed to the java one on your site.... will you release this one as well?

    What controls do you recommend? It's kinda hard to answer without knowing the context, but aside from using libraries that don't follow the incorrect PKCS#5 implementation?

    Padbuster is also good

  • 0-day for sale!! :)

  • By the way, no-one in their right mind sets customerrors=off on a public web server. That's a very basic ASP.NET concept.

  • Please, I'd love to see you hack an authentication cookie with customerrors=on. Once you get a standard 500 error, how will you tell whether your request failed during decryption or MAC validation?

  • @cryptbe: So you're saying CustomErrors=Remote and setting those error pages doesn't prevent this when you say the setting is "irrelevant"?

  • :8...

  • Was this machine running at ASP.NET "Full Trust"?

  • The exploit is possible because the ASP.NET app returns an error in case the cipher is invalid. Whether you use a custom error screen or a default screen is irrelevant. As long as you can detect an abnormal response when sending an "incorrect" (actually modified) cipher, your app is vulnerable.
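
The two comments above (the "Encrypt-Without-MAC" remark and the point that any detectable abnormal response is enough) are the defender's core lesson, so here is an added example illustrating them. It is not code from the video, from the POET tool, or from any commenter. It builds a cookie service the way the comments describe the vulnerable design (CBC plus PKCS#5 padding, no MAC, distinct "ok"/"error" outcomes) beside an authenticated version (encrypt-then-MAC, constant-time tag check, one uniform rejection), then runs the self-check a practitioner would run on their own implementation: tamper with one ciphertext byte in every possible way and count how many distinct responses come back. The block cipher is a toy Feistel construction built on HMAC so the script needs only the standard library; it is an assumption for the demo, not AES, and not secure.

```python
"""Added example: does a token handler leak a padding oracle, and what removes it.

The vulnerable design returns different outcomes for "padding valid" and
"padding invalid" after decryption. A custom error page only changes the
label of the second outcome, not the fact that it is distinguishable.
The fix is to authenticate the ciphertext and reject tampering before the
padding is ever examined, so every forged token gets the same answer.
"""
import hashlib
import hmac
import secrets

BLOCK = 16


# --- Toy 16-byte block cipher (assumption for the demo; NOT secure, NOT AES) ---
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):  # 4-round Feistel network; invertible by construction
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = bytes(a ^ b for a, b in zip(right, _round(key, i, left))), left
    return left + right


# --- PKCS#5/#7 padding and CBC mode, the real structure behind the attack ---
def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("bad padding")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev)))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(toy_block_decrypt(key, block), prev))
        prev = block
    return out


class WeakCookieService:
    """Encrypt-without-MAC: decrypts first, then checks padding, and the two
    outcomes are observable. This is the shape the comments attribute to
    ASP.NET at the time; the error page's wording is beside the point."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def issue(self, value: bytes) -> bytes:
        iv = secrets.token_bytes(BLOCK)
        return iv + cbc_encrypt(self.key, iv, pad(value))

    def handle(self, token: bytes) -> str:
        try:
            unpad(cbc_decrypt(self.key, token[:BLOCK], token[BLOCK:]))
            return "ok"
        except ValueError:
            return "error"  # a 500, a custom page or a timing difference: still a second outcome


class AuthenticatedCookieService:
    """Encrypt-then-MAC: a tampered token fails the tag check (in constant
    time) and never reaches decryption or the padding check."""

    def __init__(self) -> None:
        self.enc_key = secrets.token_bytes(32)
        self.mac_key = secrets.token_bytes(32)

    def issue(self, value: bytes) -> bytes:
        iv = secrets.token_bytes(BLOCK)
        body = iv + cbc_encrypt(self.enc_key, iv, pad(value))
        return body + hmac.new(self.mac_key, body, hashlib.sha256).digest()

    def handle(self, token: bytes) -> str:
        body, tag = token[:-32], token[-32:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected"  # the only answer any forged token ever gets
        unpad(cbc_decrypt(self.enc_key, body[:BLOCK], body[BLOCK:]))
        return "ok"


def distinct_responses(service, token: bytes, position: int = BLOCK - 1) -> set:
    """Defender's self-check: replace one byte of the token with every other
    value and collect the responses. More than one distinct response means
    the handler is an oracle, whatever the error page looks like."""
    original = token[position]
    seen = set()
    for v in range(256):
        if v == original:
            continue
        seen.add(service.handle(token[:position] + bytes([v]) + token[position + 1:]))
    return seen


if __name__ == "__main__":
    cookie = b"role=user"  # constructed sample value; pads to one block
    weak, hardened = WeakCookieService(), AuthenticatedCookieService()
    print("weak service responses to tampering:     ", distinct_responses(weak, weak.issue(cookie)))
    print("authenticated service responses to tampering:", distinct_responses(hardened, hardened.issue(cookie)))
```

With a one-block cookie, tampering with the last IV byte of the weak service yields two outcomes (exactly one substituted value produces a valid one-byte padding), while the authenticated service answers every forged token with the same "rejected". That single uniform outcome, not a nicer error page, is what the comments mean by removing the oracle.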

  • @Drysar0: ha! Thanks for pointing that out. We made a mistake because we are new to ASP.NET, and we wanted to demonstrate that the error message is irrelevant, so we skimmed the documentation and thought that setting CustomErrors="Off" is the most secure.

    What we can say is the setting of CustomErrors is _irrelevant_. We presented this at EKOPARTY, and we're going to release the slide deck soon.

  • Comment removed

  • @eafoundation deleted last comment

    thaidn answered

  • @cryptbe Name of song?

  • Comment removed

  • @cryptbe Does that mean that the security advice Microsoft are giving out is therefore wrong? If so, how do we go about securing websites based on ASP.NET from this type of attack?

  • Video is misleading. The ASP.NET setting CustomErrors="Off" is actually the least secure setting; and is *not* the default setting in either ASP.NET as a whole, or in the DNN application.

    Any other setting for CustomErrors makes you immune to remote exploitation of this attack; including the value used by default by ASP.NET and by DotNetNuke, which is CustomErrors="RemoteOnly".
