CyberSecurity SEE

Hackers exploit exposed ASP.NET machine keys to compromise IIS servers

Microsoft threat researchers detected a ViewState code injection attack in December 2024, exposing a weakness that other malicious actors could also exploit. The company cautioned that developers had unknowingly incorporated ASP.NET machine keys from publicly available sources, allowing threat actors to carry out harmful activities on targeted servers.

ASP.NET, an open-source web framework for creating modern web applications and APIs, uses ViewState to maintain page and control state between postbacks. This ViewState data is stored in a hidden field and is Base64-encoded. To protect it against tampering, ASP.NET relies on two machine keys, ValidationKey and DecryptionKey, which are either generated automatically or manually specified in configuration files.

Attackers used these machine keys to create a malicious ViewState, which could be sent to target websites through a simple HTTP POST request. When the ASP.NET Runtime on the server processes the request, it decrypts and validates the ViewState, and the malicious code is executed, granting the threat actor remote code execution on the web server.

While these machine keys should remain confidential, Microsoft revealed that over 3,000 of them have been disclosed in various code repositories and may have made their way into development code. The December attack, a limited breach, involved the deployment of the Godzilla post-exploitation framework/webshell.

Following the incident, Microsoft advised organizations against copying keys from public sources and urged them to rotate keys regularly. It also released a list of hash values for identified publicly disclosed machine keys and a script that organizations can use to verify whether the machine keys in their environment are compromised.
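The kind of check described above can be sketched as follows. This is an added example, not Microsoft's script: it audits a web.config for hard-coded `<machineKey>` values and compares them against a set of disclosed-key hashes. The hash format (SHA-256 over the upper-cased hex key), the function names, the sample configuration and the disclosed-hash set are all assumptions constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config; the key values are made-up placeholders.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF,IsolateApps"
                decryptionKey="FFEEDDCCBBAA99887766554433221100"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

def key_fingerprint(key_hex):
    """Hash a key for comparison. Assumed format: SHA-256 of the upper-cased hex string."""
    return hashlib.sha256(key_hex.strip().upper().encode("ascii")).hexdigest()

def audit_machine_keys(config_xml, disclosed_hashes):
    """Return (attribute, status) for every explicitly set machine key in a web.config."""
    findings = []
    root = ET.fromstring(config_xml)
    # iter() also reaches <machineKey> elements nested under <location> blocks.
    for elem in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # Values may carry modifiers, e.g. "AutoGenerate,IsolateApps".
            key = elem.get(attr, "").split(",")[0].strip()
            if not key or key.lower() == "autogenerate":
                continue  # auto-generated keys never appear in the file
            if key_fingerprint(key) in disclosed_hashes:
                findings.append((attr, "publicly-disclosed"))
            else:
                # Not on the list, but still a secret stored in a config file.
                findings.append((attr, "hard-coded"))
    return findings

if __name__ == "__main__":
    # Constructed stand-in for a published list of disclosed-key hashes.
    disclosed = {key_fingerprint(
        "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF")}
    for attr, status in audit_machine_keys(SAMPLE_WEB_CONFIG, disclosed):
        print(f"{attr}: {status}")
```

A "publicly-disclosed" result calls for key rotation and investigation of the server, while "hard-coded" flags a key that should be checked for where it was copied from.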

In cases where exploitation of publicly disclosed keys is confirmed, Microsoft recommended thorough investigations and potentially reformatting and reinstalling web-facing servers to mitigate risks of further exploitation. This proactive approach is crucial to address any possible backdoors or persistence methods established by threat actors through compromised machine keys.

Ultimately, the discovery of the ViewState code injection attack underscores the importance of safeguarding machine keys and regularly updating security measures to prevent unauthorized access and potential breaches. Organizations are encouraged to stay vigilant, implement best practices, and prioritize cybersecurity to protect against evolving threats in the digital landscape.
