A new VIEWSTATE attack method on ASP.NET?

HK

My website emails me when it raises an exception. I'm getting about 10
emails per day that look similar to this, but in each, the IP address and
port, and the email-looking stuff, are different. Here is an example
below. Any thoughts??? By the way, my firewall doesn't allow activity
from the outside world on these ports, to the web server, and I think the
remote person is connecting to the webpage via a standard http connection
because my error handler is telling me the web pages they're connecting to.
It looks like someone has found a flaw whereby they try to relay mail
through manipulating the viewstate.

Sample:

System.Web.HttpException: Invalid_Viewstate
Client IP: 194.158.xx.xx (I commented out the last digits; IP varies each
time; not mine)
Port: 33282
User-Agent:
ViewState: oney
Content-Type: multipart/alternative;
boundary=81dccccf6d901ae3f383431692835cf7
MIME-Version: 1.0
Subject: said einrich, with
bcc: (e-mail address removed)

This is a multi-part message in MIME format.

--81dccccf6d901ae3f383431347835cf7
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

some text goes here in each one of these where this text looks like some
email body text
--81dccccf6d901ae3f383431347835cf7--

..

Http-Referer: http://www.MyCompanysDomainGoesHere.com/
Path: /Default.aspx. ---> System.FormatException: Invalid character in a
Base-64 string.
at System.Convert.FromBase64String(String s)
at System.Web.UI.LosFormatter.Deserialize(String input)
at System.Web.UI.Page.LoadPageStateFromPersistenceMedium()
--- End of inner exception stack trace ---
at System.Web.UI.Page.LoadPageStateFromPersistenceMedium()
at System.Web.UI.Page.LoadPageViewState()
at System.Web.UI.Page.ProcessRequestMain()
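An added triage script for reports in the layout pasted above (this is example code written for this page, not something from the thread or from any poster). The stack trace shows LosFormatter.Deserialize handing the posted __VIEWSTATE field to Convert.FromBase64String, so a value like the MIME blob above fails before any page state is deserialized. The script checks whether the rejected value is even well-formed base64, flags mail-style headers inside it, and pulls out the client IP and path so a day's worth of reports can be counted per class and matched against the server logs Alvin mentions later in the thread. The sample reports, the IP address, the MIME boundary, the "legitimate" ViewState value and the three labels are all constructed for the example.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List

# Mail/MIME header names seen in the thread's sample; an ASP.NET-generated
# __VIEWSTATE value is pure base64 and can never contain any of them.
MAIL_HEADER_RE = re.compile(
    r"^(Content-Type|MIME-Version|Subject|[Bb]cc|To|From|Content-Transfer-Encoding):", re.M)

@dataclass
class Verdict:
    client_ip: str
    path: str
    viewstate_is_base64: bool
    looks_like_mail: bool
    label: str  # "mail-relay probe" | "malformed viewstate" | "needs review"

def _field(report: str, name: str) -> str:
    """First single-line 'name: value' field in the report, or ''."""
    m = re.search(rf"^{re.escape(name)}: ?(.*)$", report, re.M)
    return m.group(1).strip() if m else ""

def extract_viewstate_field(report: str) -> str:
    """The whole rejected __VIEWSTATE value: the handler prints the field
    verbatim, so it runs from 'ViewState:' up to the Http-Referer line."""
    m = re.search(r"^ViewState:[ \t]*(.*?)(?=^Http-Referer:|\Z)", report, re.S | re.M)
    return m.group(1).strip() if m else ""

def is_strict_base64(value: str) -> bool:
    """True only if every character is base64 alphabet/padding with a valid
    length, which is the check Convert.FromBase64String applies first."""
    if not value:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def triage_report(report: str) -> Verdict:
    value = extract_viewstate_field(report)
    b64_ok = is_strict_base64(value)
    mail = bool(MAIL_HEADER_RE.search(value))
    if mail and not b64_ok:
        label = "mail-relay probe"     # rejected before any state is deserialized
    elif not b64_ok:
        label = "malformed viewstate"  # also rejected early, just not mail-shaped
    else:
        label = "needs review"         # decoded fine, so the failure came later
    # 'Path: /Default.aspx. ---> System.FormatException ...': keep the path only.
    path = _field(report, "Path").split(" --->")[0].rstrip(".")
    return Verdict(_field(report, "Client IP").split(" ")[0], path, b64_ok, mail, label)

def summarise(reports: List[str]) -> Dict[str, int]:
    """Counts per label, so a day's worth of reports becomes one line per class."""
    counts: Dict[str, int] = {}
    for r in reports:
        label = triage_report(r).label
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample reports in the layout shown in the thread; the address,
# boundary and body text are made up.
PROBE_REPORT = """System.Web.HttpException: Invalid_Viewstate
Client IP: 198.51.100.7
Port: 33282
User-Agent:
ViewState: oney
Content-Type: multipart/alternative;
boundary=0123456789abcdef0123456789abcdef
MIME-Version: 1.0
Subject: said einrich, with
bcc: someone@example.invalid

--0123456789abcdef0123456789abcdef
Content-Type: text/plain; charset="us-ascii"

some text that looks like an email body
--0123456789abcdef0123456789abcdef--

Http-Referer: http://www.example.com/
Path: /Default.aspx. ---> System.FormatException: Invalid character in a
Base-64 string.
at System.Convert.FromBase64String(String s)
"""
_HEAD = PROBE_REPORT.split("ViewState:")[0]
_TAIL = "\n\nHttp-Referer: http://www.example.com/\nPath: /Default.aspx.\n"
# A constructed value of the kind ASP.NET 1.x emits (base64 of a small LosFormatter-style string).
LEGIT_REPORT = _HEAD + "ViewState: " + base64.b64encode(b"t<-1273679901;;>").decode() + _TAIL
MALFORMED_REPORT = _HEAD + "ViewState: not base64 at all!" + _TAIL
```

Run it over the saved email bodies. A day of "mail-relay probe" entries from changing addresses is bot noise that the application never acted on, and it is better answered with a 400 response and a log line than with an alert email; a "needs review" entry is the one worth reading, because the value decoded cleanly and the rejection happened somewhere after the base64 step.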
 
HK

Great thread. Good to see I'm not alone and others have the same suspicions
as me that this is something like a SQL Injection attack. Are we going to
learn from Microsoft in 3 months that there has been a big security hole in
the viewstate handler?

Anyone learned more about this?
 
HK

I disagree. I've helped countless people in this forum before, and the
nature of my post is specific to IIS and ASP.NET's handling of viewstate.
I wasn't posting about some general denial of service attack that has
nothing to do with ASP.NET. If there is a general viewstate flaw, I trust
people in this group want to know, or perhaps they have more information.
 
Terry Burns

I admit it's odd, I'm watching this message to see if there is a resolution.

Good Luck
 
Alvin Bruney - ASP.NET MVP

The issue is being caused because the formatter cannot serialize extremely
small numbers correctly. There is a service hot fix for this but I really do
not recall a link to fix this issue.

You can also see a related article here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;555353

--
Regards,
Alvin Bruney [MVP ASP.NET]

[Shameless Author plug]
The Microsoft Office Web Components Black Book with .NET
Now Available @ www.lulu.com/owc
Forthcoming VSTO.NET - Wrox/Wiley 2006
 
HK

That may be true, but I'm getting the errors on pages where people can't
type the type of stuff they are typing. Pages where people aren't being
asked to type anything. And the text always looks like an email.

Alvin Bruney - ASP.NET MVP

So there are two issues here, right? One issue is that you do not know the
trigger for these emails and the other is that the CLR cannot handle the
conversion. I can't help you on issue number 1. For issue 2, the stack trace
indicates exactly what the problem is.

> as me that this is something like a SQL Injection attack

Possible. One way to identify intruders is to turn on or view your server
logs. These logs contain valuable information that may be used to determine
the identity of foreign requests.
Terry Burns said:
I admit it's odd, I'm watching this message to see if there is a resolution.

Good Luck

--
Terry Burns
http://TrainingOn.net
Read this :

http://forums.asp.net/1042237/ShowPost.aspx