
PRP: ASP.NET Known Machine Key Detection (Known Cryptographic Secrets) #152

@cybrdude

Description


Vulnerability

Identifier: Publicly disclosed ASP.NET Machine Keys enabling RCE via ViewState deserialization

Related advisories:

Affected software: Any ASP.NET Web Forms application using a publicly known Machine Key (validation key and/or decryption key)

Type of vulnerability: Remote Code Execution (unauthenticated)

Requires authentication: No

Severity: CRITICAL — CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Description

ASP.NET applications protect ViewState integrity using Machine Keys defined in web.config. Developers frequently copy these keys from documentation, tutorials, code samples, and public repositories. Microsoft confirmed in their February 2025 advisory that attackers are actively exploiting this — possession of the Machine Key allows forging malicious ViewState payloads that trigger arbitrary deserialization, resulting in unauthenticated remote code execution.

There are 3,772 publicly known Machine Key pairs collected from internet sources. The detection approach is to parse __VIEWSTATE and __VIEWSTATEGENERATOR values from HTTP responses and cryptographically validate the ViewState MAC against this key database. A successful MAC validation mathematically proves the specific key is in use — zero false positives.

Detection approach

  1. Target web service is identified during Tsunami reconnaissance
  2. Plugin fetches web pages and parses __VIEWSTATE + __VIEWSTATEGENERATOR hidden fields from HTML
  3. For each page with a ViewState, validates the MAC/encryption against the known key database
  4. A cryptographic match confirms the exact key in use → report CRITICAL finding

This requires cryptographic validation (HMAC-SHA256/SHA512, AES-CBC decryption, .NET-specific key derivation) against a large key database — not expressible as a simple HTTP request/response pattern. I propose implementing this as a Python plugin using the BadSecrets library, which provides pure-Python implementations of ASP.NET ViewState MAC verification with a comprehensive key database.

Language: Python (justified: cryptographic validation logic cannot be expressed in the templated plugin format)
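
The detection steps above (parse the hidden fields, then verify the ViewState MAC against a list of known keys) can be sketched end to end in plain Python. The block below is an added example written for this page; it is not the Tsunami plugin and not the BadSecrets library. It assumes the legacy ASP.NET MAC scheme (ASP.NET 2.0 to 4.0, or 4.5+ with compatibilityMode="Framework20SP1"): an HMAC with the validationKey over the serialized ViewState followed by __VIEWSTATEGENERATOR packed as a little-endian uint32, appended to the ViewState. Unencrypted ViewState only; MD5 validation and the .NET 4.5 purpose-based key derivation are out of scope, so a production detector (as the proposal says, via BadSecrets) must also cover those. Every key, generator value and page in the block is constructed for the example, not taken from a real key database.

```python
# Added example: minimal ASP.NET ViewState known-key check (detection only).
# NOT the Tsunami plugin and NOT the BadSecrets library. Assumptions:
# (1) legacy MAC scheme: HMAC(validationKey, viewstate || generator), where
#     generator is __VIEWSTATEGENERATOR as a little-endian uint32;
# (2) unencrypted ViewState; MD5 and .NET 4.5 key derivation not handled;
# (3) all keys, generator values and pages below are constructed.
import base64
import binascii
import hashlib
import hmac
import struct
from html.parser import HTMLParser

# machineKey validation="..." setting -> (digest, MAC length in bytes)
VALIDATION_ALGORITHMS = {
    "SHA1": (hashlib.sha1, 20),
    "HMACSHA256": (hashlib.sha256, 32),
    "HMACSHA384": (hashlib.sha384, 48),
    "HMACSHA512": (hashlib.sha512, 64),
}


class _HiddenFieldParser(HTMLParser):
    """Collects <input type="hidden" name=... value=...> fields from a page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): v for k, v in attrs}
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_viewstate(html):
    """Return (__VIEWSTATE, __VIEWSTATEGENERATOR) or None if the page has no ViewState."""
    parser = _HiddenFieldParser()
    parser.feed(html)
    viewstate = parser.fields.get("__VIEWSTATE")
    if not viewstate:
        return None
    return viewstate, parser.fields.get("__VIEWSTATEGENERATOR", "")


def _mac_modifier(generator_hex):
    """Legacy MAC modifier: the generator value packed as a little-endian uint32."""
    return struct.pack("<I", int(generator_hex, 16)) if generator_hex else b""


def viewstate_mac_matches(viewstate_b64, generator_hex, validation_key_hex, algorithm):
    """True if the trailing MAC of the ViewState verifies under key/algorithm."""
    digest, mac_len = VALIDATION_ALGORITHMS[algorithm]
    try:
        raw = base64.b64decode(viewstate_b64)
    except (binascii.Error, ValueError):
        return False
    if len(raw) <= mac_len:
        return False
    body, mac = raw[:-mac_len], raw[-mac_len:]
    expected = hmac.new(bytes.fromhex(validation_key_hex),
                        body + _mac_modifier(generator_hex), digest).digest()
    return hmac.compare_digest(mac, expected)


def scan_page(html, known_keys):
    """Return {"validationKey", "algorithm"} when a known key signs the page's ViewState, else None."""
    found = extract_viewstate(html)
    if found is None:
        return None
    viewstate, generator = found
    for entry in known_keys:
        for algorithm in VALIDATION_ALGORITHMS:
            if viewstate_mac_matches(viewstate, generator, entry["validationKey"], algorithm):
                return {"validationKey": entry["validationKey"], "algorithm": algorithm}
    return None


def build_sample_page(validation_key_hex, algorithm, generator_hex="CA0B0334"):
    """Constructed test page: a form whose ViewState is MAC'd with the given key."""
    digest, _ = VALIDATION_ALGORITHMS[algorithm]
    body = b"\xff\x01" + b"constructed ViewState body, not real page state"
    mac = hmac.new(bytes.fromhex(validation_key_hex),
                   body + _mac_modifier(generator_hex), digest).digest()
    viewstate = base64.b64encode(body + mac).decode()
    return (f'<form method="post"><input type="hidden" name="__VIEWSTATE" value="{viewstate}" />'
            f'<input type="hidden" name="__VIEWSTATEGENERATOR" value="{generator_hex}" /></form>')


# Constructed stand-in for the known-key database (made-up hex keys, not leaked ones).
KNOWN_KEYS = [
    {"validationKey": "A1B2C3D4E5F6" * 8},
    {"validationKey": "0F1E2D3C4B5A" * 8},
]

if __name__ == "__main__":
    page = build_sample_page(KNOWN_KEYS[1]["validationKey"], "HMACSHA256")
    print(scan_page(page, KNOWN_KEYS))  # reports key [1] with algorithm HMACSHA256
```

The scan tries every validation algorithm for every key because the machineKey validation= setting is not visible to the scanner; at four HMAC computations per key this is cheap even for a few thousand keys. A page whose MAC verifies under none of the keys, or whose ViewState is encrypted or produced by the .NET 4.5 derivation, yields None rather than an error, which is the right behaviour for a reconnaissance plugin that must never report a key it has not cryptographically confirmed.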

Reproduction

# 1. Deploy any ASP.NET Web Forms application
# 2. Set a known Machine Key in web.config, e.g.:
#    <machineKey
#      validationKey="FBF50941F22D6A3B229EA593F24C41203DA6837F1122EF17..."
#      decryptionKey="1EE23B5A8..."
#      validation="SHA1" decryption="AES" />
# 3. Visit any page with a <form> — it will contain __VIEWSTATE in the HTML
# 4. The detector parses the ViewState and validates against the known key database
# 5. Match → CRITICAL: known Machine Key confirmed in use

References
