Flaw in web app frameworks pushes Microsoft to patch ASP.net promptly

The way many web app frameworks handle hashes makes them vulnerable to a denial-of-service attack, researchers revealed
  • (IDG News Service)
  • — 30 December, 2011 00:37

Many web app frameworks are vulnerable to a denial-of-service attack targeting the way they handle hash tables, researchers revealed Wednesday, prompting Microsoft to announce an "out-of-band" patch for its ASP.NET platform just hours later.

Hash tables are used to store and retrieve data rapidly, allocating the data to different slots in the table based on the results of a calculation -- the hash function -- performed on the data itself. Ideally, the hash function would return a different result, or hash, for each possible item of data, but this is not achievable in practice, so implementations of hash tables have to deal with 'hash collisions,' where two or more different pieces of data generate the same hash.

A collision slows the storage and retrieval of the data involved, the time taken for those operations typically increasing with the square of the number of items involved in the collision, according to Alexander "alech" Klink of German security consultancy n.runs and Julian "zeri" Wälde of Darmstadt Technical University.

An attacker with knowledge of how a web application calculates hashes can send it a batch of data sure to result in many collisions, "making it possible to exhaust hours of CPU time using a single HTTP request," Klink and Wälde warned in an advisory on Wednesday.

PHP 5, Java and ASP.NET are all vulnerable to the attack, the two said in their advisory and in a related presentation at the Chaos Communication Congress in Berlin.

Microsoft published a security advisory later Wednesday, acknowledging that a vulnerability in ASP.NET could allow a denial of service attack, and suggesting a work-around for the problem. Shortly afterwards the company announced that it will break from its regular monthly security update schedule to release a patch for the vulnerability on Thursday at around 10 a.m. Pacific Time.

Klink and Wälde said in their security advisory that the Java application server Apache Tomcat had already been patched "to limit the number of request parameters using a configuration parameter," stopping an attacker from causing too many hash collisions at once. "The default value of 10,000 should provide sufficient protection," they wrote. The update can be found in Tomcat versions 7.0.23 and 6.0.35 onwards.

Web application platform developers had plenty of warning of the problem, according to Klink and Wälde: The attack was described as long ago as 2003, they said, in the Usenix Security paper "Denial of Service via Algorithmic Complexity Attacks" by Scott A. Crosby and Dan S. Wallach.

Changes were made to Perl that year to randomize the way hashes are calculated, preventing attackers from calculating collisions ahead of time, and similar changes were subsequently made to CRuby from version 1.9, they said.

Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at peter_sayer@idg.com.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Peter Sayer

IDG News Service
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?