Microsoft: Thousands of Public ASP.NET Keys Allow Web Server RCE

Website developers are unwittingly putting their companies at risk by incorporating publicly disclosed ASP.NET machine keys from code documentation and repositories into their applications, Microsoft is warning.
The tech giant has issued an alert on the insecure practice, after observing threat actors in December using a static, known ASP.NET machine key to deploy the Godzilla post-exploitation cyberattack framework, known for stomping all over corporate environments.
The attack vector involves manipulating ViewState, which represents the state of a webpage when it was last processed on the server. If threat actors can get ahold of ASP.NET keys, they can craft a malicious ViewState, send it to a targeted website via a POST request to be loaded, and thus compromise the environment via code injection.
"Once it's processed by ASP.NET Runtime on the targeted server, the ViewState is decrypted and validated successfully because the right keys are used," a Microsoft post on the concern explained. "The malicious code is then loaded into the worker process memory and executed, providing the threat actor remote code execution capabilities on the target IIS Web server."
Microsoft has uncovered at least 3,000 publicly disclosed keys that could be used for these types of attacks, which lowers the bar for exploitation significantly.
"Whereas many previously known ViewState code injection attacks used compromised or stolen keys that are often sold on Dark Web forums, these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification," according to the post.
To prevent attacks, Microsoft recommends that organizations not copy keys from publicly available sources and that they rotate keys regularly in any event.
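As a defender-side illustration of that recommendation, the following added example (not code from Microsoft or from the original article) audits web.config content for static `machineKey` values and checks them against a hash denylist of publicly disclosed keys. The denylist entry and both sample configs are constructed, and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder key, NOT a real disclosed key. In practice the
# denylist would hold hashes of keys found in public docs and repositories.
SAMPLE_PUBLIC_KEY = "0123456789ABCDEF" * 4
KNOWN_PUBLIC_SHA256 = {hashlib.sha256(SAMPLE_PUBLIC_KEY.encode()).hexdigest()}


def key_fingerprint(value):
    """Hash the normalised hex key so the denylist never stores raw keys."""
    return hashlib.sha256(value.strip().upper().encode()).hexdigest()


def audit_machine_keys(config_xml, denylist=KNOWN_PUBLIC_SHA256):
    """Return (attribute, verdict) pairs for every <machineKey> element."""
    findings = []
    for elem in ET.fromstring(config_xml).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr, "AutoGenerate")
            if value.split(",")[0].strip().lower() == "autogenerate":
                continue  # generated by the runtime, no static secret in config
            if key_fingerprint(value) in denylist:
                findings.append((attr, "publicly-disclosed"))  # replace now
            else:
                findings.append((attr, "static"))  # confirm unique and rotated
    return findings


# Constructed web.config samples.
COPIED_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{SAMPLE_PUBLIC_KEY.lower()}"
              decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
</system.web></configuration>"""

UNIQUE_STATIC_CONFIG = """<configuration><location path="admin"><system.web>
  <machineKey validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718"
              decryptionKey="FEDCBA98765432100123456789ABCDEFFEDCBA9876543210" />
</system.web></location></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("copied", COPIED_CONFIG), ("unique", UNIQUE_STATIC_CONFIG)):
        print(name, audit_machine_keys(cfg))
```

A "static" verdict is not a compromise indicator on its own; it marks a key that must be confirmed as unique to the application and tracked for rotation.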