The Code Behind The Vulnerability

Kevin O'Shaughnessy
Jun 24, 2018 · 5 min read


At the Developer Developer Developer 13 conference in Reading, UK, the third talk I visited was The Code Behind The Vulnerability by Barry Dorrans.

Thank you very much Barry for flying over to the U.K. just to give this talk to us, and I hope to see you again before another 7 years have passed!

Barry warned that he was very sweary on his Twitter account, and said that in the States he was often told he wasn’t allowed to say a lot of the things he says, and that he replies that it is a British cultural thing and that it has to be allowed because it is being inclusive, and Microsoft is all in favor of that :-)

His presentation style was markedly different to the other speakers, who tend to be very careful not to accidentally offend anyone. I don’t know if anyone in the audience was offended, but the talk did receive a lot of laughs.

The talk covered eight major security incidents, how Microsoft fixed them and what we should know in order to avoid security problems ourselves.

Barry explained the process that Microsoft go through when they receive news of a vulnerability. Barry personally signs cheques to reward people who report vulnerabilities to them.

The talk covers the following vulnerabilities:

There is information on these and many, many more security issues on Microsoft’s Security Advisories and Bulletins site.

Barry said that although you should not use BinaryFormatter, some developers might be in situations where they have to use it. In that situation the code in the screenshot below is not Microsoft officially recommended code (use at your own risk), but it might work for you.
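As an added example (not the code from Barry's slide, and not Microsoft-recommended code either), here is the shape such a mitigation usually takes: a SerializationBinder that refuses every type except an explicit allow-list, so a payload cannot make BinaryFormatter instantiate anything the application did not expect. The `Order` type, the `AllowListBinder` and `SafeOrderSerializer` names are assumptions for the illustration.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical type: the only thing this application ever needs to deserialize.
[Serializable]
public sealed class Order
{
    public int Id { get; set; }
    public string Customer { get; set; }
}

// Allow-list binder: BinaryFormatter asks it to resolve every non-primitive
// type named in the stream, and anything not on the list aborts deserialization.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Type[] Allowed = { typeof(Order) };

    public override Type BindToType(string assemblyName, string typeName)
    {
        foreach (var t in Allowed)
        {
            if (t.FullName == typeName)
                return t;
        }
        // Throwing here stops the formatter before any constructor, property
        // setter or OnDeserialized callback of the foreign type can run.
        throw new SerializationException($"Type not allowed: {typeName}");
    }
}

public static class SafeOrderSerializer
{
    public static byte[] Serialize(Order order)
    {
        var formatter = new BinaryFormatter();
        using (var ms = new MemoryStream())
        {
            formatter.Serialize(ms, order);
            return ms.ToArray();
        }
    }

    public static Order Deserialize(byte[] data)
    {
        // The binder is the only thing standing between untrusted bytes and
        // arbitrary type instantiation, so it is set on every deserializing formatter.
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        using (var ms = new MemoryStream(data))
        {
            return (Order)formatter.Deserialize(ms);
        }
    }

    public static void Main()
    {
        byte[] bytes = Serialize(new Order { Id = 42, Customer = "Ada" }); // constructed sample
        Order roundTrip = Deserialize(bytes);
        Console.WriteLine($"{roundTrip.Id} {roundTrip.Customer}");
    }
}
```

The binder limits which types the stream may name, but it does not make BinaryFormatter safe in general, which is why the talk's advice remains "do not use it". Note also that .NET 5 and later warn on every BinaryFormatter call and ASP.NET Core applications disable it by default.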

Infinite Regex is just one example of how nasty Regular Expressions can be. The sheer complexity of them makes it hard to recognize all the possible permutations. In this case Microsoft just added a timeout to protect your application servers from freezing up due to malicious inputs.

Barry recommends against using regular expressions to validate inputs.

If you do use regular expressions, set a global regex timeout.
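As an added example (not code from the talk), the block below pairs a pattern with nested quantifiers, which backtracks exponentially on an input it cannot match, with the two timeout mechanisms Barry's advice points at: the per-instance `matchTimeout` constructor argument and the AppDomain-wide `REGEX_DEFAULT_MATCH_TIMEOUT` setting. The pattern and input are constructed for the demonstration.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

public static class RegexTimeoutDemo
{
    // Constructed pattern: the optional \s? inside a repeated group means the
    // engine can split a run of word characters in exponentially many ways.
    private const string Pattern = @"^(\w+\s?)*$";

    // Constructed input: 30 word characters followed by one character that can
    // never match, so every split is tried before the engine gives up.
    private static readonly string Input = new string('a', 30) + "!";

    // Wraps IsMatch so a timeout becomes a plain "no match" decision instead of
    // a worker thread that never comes back. Callers can log the timeout separately.
    public static bool TryMatch(Regex regex, string input)
    {
        try
        {
            return regex.IsMatch(input);
        }
        catch (RegexMatchTimeoutException ex)
        {
            Console.WriteLine($"regex timed out after {ex.MatchTimeout}");
            return false;
        }
    }

    public static void Main()
    {
        // Global default: every Regex constructed afterwards without an explicit
        // timeout inherits it. It must be set before the first Regex is created.
        AppDomain.CurrentDomain.SetData("REGEX_DEFAULT_MATCH_TIMEOUT",
                                        TimeSpan.FromMilliseconds(500));

        // Per-instance timeout, which takes precedence over the global default.
        var guarded = new Regex(Pattern, RegexOptions.None, TimeSpan.FromMilliseconds(200));

        var sw = Stopwatch.StartNew();
        bool matched = TryMatch(guarded, Input);
        sw.Stop();
        Console.WriteLine($"matched={matched} elapsed={sw.ElapsedMilliseconds} ms");

        // A Regex built without an explicit timeout picks up the AppDomain default.
        var defaulted = new Regex(Pattern);
        Console.WriteLine($"default timeout = {defaulted.MatchTimeout}");
    }
}
```

Without either timeout the same call would run for a very long time on a single input of 31 characters, which is exactly what an attacker-controlled form field can supply. On .NET 7 and later, `RegexOptions.NonBacktracking` is a further option for patterns that must accept untrusted input, at the cost of some regex features.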

A newer vulnerability is XSS in ASP.NET Core.

The French Microsoft MVP, Kévin Chalet, also discovered CSRF in ASP.NET Core.

Even more seriously, there was recently a nation-state attack on Ukraine involving abuse of the Web Services Discovery Language.

There was a bug inside the IsValidUrl validator. Barry suggested this may have been taken advantage of by “the unknown nation of Russia.”

BEST. SLIDE. EVER!

I was left wondering which time machine Barry used to find out that Microsoft MVP Mikhail Shcherbakov reported a 2018 CVE in 2019. This one relates to the UrlHelper:

This becomes a problem when password reset emails become involved.

You can avoid problems by limiting the hosts you listen to just the ones that you need, and properly validating your inputs.
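As an added example (not code from the talk or from Microsoft), here is what "limiting the hosts you listen to" looks like in an ASP.NET Core application using the minimal hosting model, together with the contrast between a password-reset link built from the request's Host header and one built from configuration. The hosts `example.com` and `www.example.com`, the `PublicOrigin` configuration key and the `/reset` path are assumptions for the illustration.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Reject any request whose Host header is not a name we own. If a reset link
// were built from an arbitrary Host value, the email would point wherever that
// header said, and the token in the link would be delivered there on click.
builder.Services.AddHostFiltering(options =>
{
    options.AllowedHosts = new[] { "example.com", "www.example.com" }; // assumed hosts
    options.AllowEmptyHosts = false;          // HTTP/1.0 requests without Host are refused too
    options.IncludeFailureMessage = false;    // do not echo the offending host back
});

var app = builder.Build();
app.UseHostFiltering();   // answers 400 before routing or any handler runs

// The canonical public origin comes from configuration, never from the request.
string canonicalOrigin = builder.Configuration["PublicOrigin"] ?? "https://example.com";

app.MapGet("/reset-link", (HttpRequest request) =>
{
    // Constructed stand-in for a reset token; a real application would generate
    // a random token, store a hash of it and give it a short expiry.
    string token = Guid.NewGuid().ToString("N");

    // Risky form: request.Host is whatever the client sent.
    string fromRequestHost = $"{request.Scheme}://{request.Host}/reset?token={token}";

    // Safe form: the host is fixed by configuration on the server side.
    string fromConfig = $"{canonicalOrigin}/reset?token={token}";

    return Results.Ok(new { fromRequestHost, fromConfig });
});

app.Run();
```

The default host builder already wires the host-filtering middleware and reads the `AllowedHosts` key from `appsettings.json`; configuring it in code as above just makes the allow-list visible next to the handler that depends on it. The two belt-and-braces measures are independent: even with host filtering in place, links that end up in email should be built from a value the server controls.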

Also covered in the talk was Cipher Block Chaining (CBC) mode with symmetric encryption.

For more information on the need to add authenticated signatures to encrypted data, see the Microsoft guidance for CBC Symmetric Encryption Security Feature Bypass.
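As an added example (not Microsoft's code), the block below shows the encrypt-then-MAC construction that the guidance describes: AES-CBC for confidentiality, an HMAC-SHA256 over the IV and ciphertext for integrity, and a constant-time tag check that runs before any decryption. Because a tampered message is rejected before the padding is ever examined, the receiver gives the same single failure for every bad input and there is no padding oracle to probe. Key sizes, the message layout and the sample plaintext are choices made here for the illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class AuthenticatedCbc
{
    private const int IvSize = 16;   // AES block size
    private const int TagSize = 32;  // HMAC-SHA256 output size

    // Message layout (assumed for this example): IV (16) || ciphertext || tag (32)
    public static byte[] Encrypt(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();   // fresh random IV per message

            byte[] ciphertext;
            using (var encryptor = aes.CreateEncryptor())
                ciphertext = encryptor.TransformFinalBlock(plaintext, 0, plaintext.Length);

            var output = new byte[IvSize + ciphertext.Length + TagSize];
            Buffer.BlockCopy(aes.IV, 0, output, 0, IvSize);
            Buffer.BlockCopy(ciphertext, 0, output, IvSize, ciphertext.Length);

            using (var hmac = new HMACSHA256(macKey))
            {
                // The tag covers IV and ciphertext, so neither can be altered unnoticed.
                byte[] tag = hmac.ComputeHash(output, 0, IvSize + ciphertext.Length);
                Buffer.BlockCopy(tag, 0, output, IvSize + ciphertext.Length, TagSize);
            }
            return output;
        }
    }

    // Returns null for any message that fails authentication. Decryption and the
    // padding check only happen after the tag has verified, so "bad MAC" and
    // "bad padding" are never distinguishable to the sender.
    public static byte[] Decrypt(byte[] encKey, byte[] macKey, byte[] message)
    {
        if (message.Length < IvSize + TagSize)
            return null;

        int cipherLen = message.Length - IvSize - TagSize;

        byte[] expectedTag;
        using (var hmac = new HMACSHA256(macKey))
            expectedTag = hmac.ComputeHash(message, 0, IvSize + cipherLen);

        var actualTag = new ReadOnlySpan<byte>(message, IvSize + cipherLen, TagSize);
        if (!CryptographicOperations.FixedTimeEquals(expectedTag, actualTag))
            return null;   // constant-time compare: no early exit on the first differing byte

        var iv = new byte[IvSize];
        Buffer.BlockCopy(message, 0, iv, 0, IvSize);

        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = iv;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (var decryptor = aes.CreateDecryptor())
                return decryptor.TransformFinalBlock(message, IvSize, cipherLen);
        }
    }

    public static void Main()
    {
        // Separate keys for encryption and authentication (constructed at random here).
        byte[] encKey = RandomNumberGenerator.GetBytes(32);
        byte[] macKey = RandomNumberGenerator.GetBytes(32);

        byte[] msg = Encrypt(encKey, macKey, Encoding.UTF8.GetBytes("constructed sample plaintext"));
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(encKey, macKey, msg)));

        msg[IvSize + 3] ^= 0x01;   // flip one ciphertext bit, as a padding-oracle probe would
        Console.WriteLine(Decrypt(encKey, macKey, msg) == null ? "rejected" : "accepted");
    }
}
```

On .NET Core 3.0 and later the simpler route is an AEAD mode such as `AesGcm`, which provides the authentication as part of the cipher; the construction above is what you need when CBC is mandated by an existing format or peer.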

Next up was Bad encoding:

Barry calls the next issue I i Captain. You would expect this comparison to always be true, but that expectation comes from an English bias. What about other languages?

Barry gave a demo using the Turkish language settings, and we saw the comparison evaluated to false.
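As an added example (not Barry's demo code), the block below reproduces the effect: under the Turkish culture, `ToUpper` maps "i" to the dotted capital İ (U+0130) and `ToLower` maps "I" to the dotless ı (U+0131), so a case-insensitive check that looks obviously true in English fails. The `admin` role name and the `NaiveCheck`/`OrdinalCheck` names are assumptions for the illustration; the culture-independent alternatives are ordinal comparison and invariant casing.

```csharp
using System;
using System.Globalization;

public static class TurkishIDemo
{
    // Typical culture-sensitive role check: ToUpper follows the culture it is given
    // (or the thread's current culture when called without one).
    public static bool NaiveCheck(string input, CultureInfo culture)
    {
        return input.ToUpper(culture) == "ADMIN";
    }

    // Culture-independent check: compares code points case-insensitively using
    // invariant casing rules, so it behaves the same on every machine.
    public static bool OrdinalCheck(string input)
    {
        return string.Equals(input, "ADMIN", StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        var cultures = new[]
        {
            CultureInfo.InvariantCulture,
            new CultureInfo("en-US"),
            new CultureInfo("tr-TR"),
        };

        foreach (var culture in cultures)
        {
            string name = culture.Name.Length == 0 ? "invariant" : culture.Name;
            Console.WriteLine($"{name,-10} naive={NaiveCheck("admin", culture)} ordinal={OrdinalCheck("admin")}");
        }

        // Show the two code points responsible for the mismatch.
        var turkish = new CultureInfo("tr-TR");
        char upperI = "i".ToUpper(turkish)[0];
        char lowerI = "I".ToLower(turkish)[0];
        Console.WriteLine($"tr-TR: 'i'.ToUpper() = U+{(int)upperI:X4}, 'I'.ToLower() = U+{(int)lowerI:X4}");
    }
}
```

Expect `naive=True` for the invariant and en-US rows and `naive=False` for tr-TR, while the ordinal column is `True` throughout. The demo needs culture data to be present; on .NET 5 and later a process running with invariant globalization enabled has no Turkish casing rules and will not show the difference, which is also why the bug is so easy to miss in testing.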

The Thai language can also create security problems because unlike other languages it has no punctuation marks.


Sr. Full Stack Web Dev promoting better professional practices, tools, solutions & helping others.