- ViewState code injection attacks can lead to remote code execution, Microsoft warned
- Many developers are not generating their own machine keys for ViewState
- There are thousands of publicly available keys that cybercriminals can use
Cybercriminals are abusing a weakness in ASP.NET websites to remotely execute malicious code, according to Microsoft's threat intelligence team, which has published an in-depth analysis of the new method.
In the article, Microsoft explained that threat actors inject malicious code through a technique it calls ViewState code injection.
ViewState is a feature of ASP.NET websites that remembers the user's input and page configuration when the page is updated. ASP.NET stores this information in a hidden field on the page so that when the user interacts with the page again, the saved data can be reloaded without losing anything.
Accept malicious code
Many developers are using machine keys (secret values designed to protect a website's ViewState data) that they find online, instead of generating their own. These machine keys are intended to prevent tampering with ViewState, which tracks the state of web pages as users interact with them.
However, if developers can find these keys, criminals can too. When they do, they can use them to inject harmful content into the ViewState of a website. Because the machine key is the same one the website uses, the server decrypts and processes the malicious code, allowing attackers to execute their own commands on the server. This can lead to remote code execution, Microsoft warned.
The researchers found more than 3,000 publicly disclosed keys that could be used in these attacks. In some cases, the researchers added, developers may also have pushed these public keys into their own code.
To avoid these attacks, Microsoft advises developers to generate their own machine keys, avoid using default or publicly available keys, and encrypt sensitive sections of their configuration files.
It also recommends upgrading to a newer version of ASP.NET and using security features such as the Antimalware Scan Interface (AMSI).
Microsoft also provided instructions on how to remove or replace the insecure keys in server configuration files, and it has removed examples of these keys from its public documentation to discourage the insecure practice.
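Microsoft's advice to replace copied keys with freshly generated ones, as an added PowerShell example that is not from the article or from Microsoft's post. It assumes ASP.NET 4.5 or later (HMACSHA256 validation, AES decryption), Windows PowerShell 5.1 or newer, and a web.config path supplied by the caller.

```powershell
# Added example: generate random machineKey values and write them into an
# ASP.NET web.config, replacing any key that was copied from a public source.
# Assumptions: ASP.NET 4.5+ (HMACSHA256 / AES) and a caller-supplied web.config path.

function New-RandomHex {
    param([int]$ByteCount)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    # Upper-case hex is the form ASP.NET expects in machineKey attributes
    return ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

function New-MachineKeyElement {
    # 64 random bytes for the HMACSHA256 validation key, 32 for the AES-256 decryption key
    $validation = New-RandomHex -ByteCount 64
    $decryption = New-RandomHex -ByteCount 32
    return "<machineKey validationKey=`"$validation`" decryptionKey=`"$decryption`" validation=`"HMACSHA256`" decryption=`"AES`" />"
}

function Set-MachineKey {
    param([Parameter(Mandatory)][string]$WebConfigPath)
    $fullPath = (Resolve-Path -Path $WebConfigPath).ProviderPath
    [xml]$config = Get-Content -Path $fullPath -Raw
    $systemWeb = $config.SelectSingleNode('/configuration/system.web')
    if (-not $systemWeb) { throw "No <system.web> section in $fullPath" }
    # Drop any existing key, whether copied from documentation or simply old
    $existing = $systemWeb.SelectSingleNode('machineKey')
    if ($existing) { [void]$systemWeb.RemoveChild($existing) }
    $fragment = $config.CreateDocumentFragment()
    $fragment.InnerXml = New-MachineKeyElement
    [void]$systemWeb.AppendChild($fragment)
    $config.Save($fullPath)
}

# Usage (hypothetical path):
#   Set-MachineKey -WebConfigPath 'C:\inetpub\wwwroot\MyApp\web.config'
# Then encrypt the section at rest so the key is not stored in clear text:
#   aspnet_regiis.exe -pe "system.web/machineKey" -app "/MyApp"
```

Every server in a web farm must share the same key for ViewState to validate, so run the script once and copy the resulting element rather than generating per server.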