- ViewState code injection attacks can lead to remote code execution, Microsoft warned
- Many devs are not generating their own machine keys for ViewState
- There are thousands of publicly available keys cybercriminals can use
Cybercriminals are abusing a weakness in ASP.NET websites to remotely execute malicious code, according to Microsoft’s Threat Intelligence team, which has published an in-depth analysis on the new method.
In the article, Microsoft explained threat actors were injecting malicious code through a method called ViewState code injection attacks.
ViewState is a feature in ASP.NET websites that helps remember user input and page settings when the page is refreshed. It stores this information in a hidden part of the webpage so that when the user interacts with the page again, it can reload the saved data without losing anything.
Accepting malicious code
As it turns out, many developers are using machine keys (security codes designed to protect the website’s ViewState data) that they find online, rather than generating their own. These machine keys are intended to prevent tampering with ViewState, which tracks data on web pages as users interact with them.
However, if developers can find these keys, so can criminals. When they do, they can use them to inject harmful content into a website’s ViewState. Because the machine key is the same as the one the website expects, the server decrypts and processes the malicious code, allowing attackers to run their own commands on the server. This can lead to remote code execution, Microsoft warned.
The researchers found more than 3,000 publicly disclosed keys that can be used in these attacks. In some cases, the researchers added, developers might unknowingly push these public keys into their code, as well.
To prevent these attacks, Microsoft advises developers to generate their own machine keys, avoid using default or publicly available ones, and secure sensitive data by encrypting parts of their configuration files.
Upgrading to a newer version of ASP.NET is also recommended, as is using security features such as the Antimalware Scan Interface (AMSI).
Microsoft also provided instructions on how to remove or replace the insecure machine keys from the server’s configuration files and removed examples of these keys from its public documentation to discourage the insecure practice.
