Attackers compromise IIS servers by leveraging exposed ASP.NET machine keys

A ViewState code injection attack spotted by Microsoft threat researchers in December 2024 could be easily replicated by other attackers, the company warned.

“In the course of investigating, remediating, and building protections against this activity, we observed an insecure practice whereby developers have incorporated various publicly disclosed ASP.NET machine keys from publicly accessible resources, such as code documentation and repositories, which threat actors have used to perform malicious actions on target servers.”

The attack

ASP.NET is Microsoft's open-source web framework for building dynamic, scalable web applications, services, and APIs. The ViewState mechanism at issue belongs to ASP.NET Web Forms, which runs on the .NET Framework and is hosted on IIS; ASP.NET Core has no ViewState and is not affected by this technique.

“ViewState is the method by which ASP.NET Web Forms preserve page and control state between postbacks. ViewState data is stored in a hidden field on the page and is encoded using Base64-encoding,” Microsoft explained.

“To protect ViewState against tampering and information disclosure, the ASP.NET page framework uses machine keys: ValidationKey and DecryptionKey. ValidationKey is used to create a message authentication code (MAC) to be attached in the ViewState. DecryptionKey is related to the option of encrypting ViewState. These keys are either auto-generated and stored in registry or specified manually in [web.]config files.”

An attacker who knows a server's machine keys can craft a malicious ViewState payload, sign it with the ValidationKey (and encrypt it with the DecryptionKey, if ViewState encryption is enabled), and deliver it to any Web Forms page on the target site via a simple HTTP POST request. Because the MAC checks out, the server treats the attacker-supplied object graph as trusted and deserializes it.

“When the request is processed by ASP.NET Runtime on the targeted server, the ViewState is decrypted and validated successfully because the right keys are used. The malicious code is then loaded into the worker process memory and executed, providing the threat actor remote code execution capabilities on the target IIS [Internet Information Services] web server [which is used to host and manage web applications, websites, and services on Windows servers].”

Machine keys are not meant to be public, but, according to Microsoft, over 3,000 of them have been publicly disclosed in various code repositories and documentation, from where they could have been copied into production configuration files.

The December attack was limited in scope and resulted in the threat actor loading and executing Godzilla, a fileless post-exploitation framework and webshell, in the IIS worker process.

ViewState code injection attack chain leading to Godzilla (Source: Microsoft)

What to do?

“Microsoft recommends that organizations do not copy keys from publicly available sources and to regularly rotate keys,” the company said.

They’ve also provided a list of hash values for identified publicly disclosed machine keys and a script organizations can use to check whether the machine keys in their environment are among them.
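As an added example (not Microsoft's script, and not code from the original article), the following Python audits the <machineKey> element of a web.config against a blocklist of key fingerprints and mints a fresh replacement element for rotation. The fingerprint scheme (SHA-256 over the upper-cased hex key), the "leaked" key values and the sample web.config are all constructed for this demonstration; Microsoft's published hash list uses its own format and should be consumed with its own script.

```python
"""Audit an ASP.NET <machineKey> against fingerprints of publicly disclosed
keys and generate a replacement element for rotation.

Added example for this article; not Microsoft's tooling. The hash scheme
(SHA-256 of the upper-cased hex key) and the sample data are assumptions
made for the demo, not the format Microsoft publishes.
"""
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET
from typing import Optional

HEX_KEY = re.compile(r"^[0-9A-Fa-f]+$")
# Validation algorithms worth keeping; SHA1/MD5/3DES/AES are legacy choices.
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def key_hash(hex_key: str) -> str:
    """Fingerprint a key so a blocklist can be shared without the keys themselves."""
    return hashlib.sha256(hex_key.strip().upper().encode("ascii")).hexdigest()


# Constructed stand-ins for keys copied from docs and repos (made-up values).
_DEMO_LEAKED_KEYS = [
    "A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"
    "A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90",
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
]
DISCLOSED_KEY_HASHES = frozenset(key_hash(k) for k in _DEMO_LEAKED_KEYS)

# Constructed web.config that hard-codes both leaked keys and a legacy MAC.
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{_DEMO_LEAKED_KEYS[0]}"
                decryptionKey="{_DEMO_LEAKED_KEYS[1]}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def parse_machine_key(web_config_xml: str) -> Optional[dict]:
    """Return the attributes of <configuration><system.web><machineKey>, or None."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/machineKey")
    return dict(node.attrib) if node is not None else None


def audit_machine_key(web_config_xml: str,
                      disclosed_hashes=DISCLOSED_KEY_HASHES) -> list:
    """Return a list of findings; an empty list means nothing to act on."""
    mk = parse_machine_key(web_config_xml)
    if mk is None:
        return []  # no explicit keys: the runtime auto-generates them per machine
    findings = []
    if mk.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState MAC disabled; remove this setting")
    validation = mk.get("validation", "HMACSHA256").upper()
    if validation not in STRONG_VALIDATION:
        findings.append(f"validation={validation}: use HMACSHA256 or stronger")
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue  # runtime-generated, nothing in the file to leak
        if not HEX_KEY.match(value):
            findings.append(f"{attr}: not a hex string; the runtime will reject it")
            continue
        if key_hash(value) in disclosed_hashes:
            findings.append(f"{attr}: matches a publicly disclosed key; rotate and investigate")
    return findings


def new_machine_key_element(validation: str = "HMACSHA256") -> str:
    """Mint a <machineKey> with fresh CSPRNG keys: 64-byte HMAC key, 32-byte AES key."""
    return (
        f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
        f'decryptionKey="{secrets.token_hex(32).upper()}" '
        f'validation="{validation}" decryption="AES" />'
    )


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print("Replacement element:", new_machine_key_element())
```

The XPath only covers a machineKey directly under the top-level system.web section; a real audit should also walk any <location> wrappers and the server-wide machine.config, and should treat the list of fingerprints as a minimum, since a key that is not on any list can still be shared across environments. Rotating the key logs out every user holding a forms-authentication ticket and invalidates in-flight ViewState, so schedule it accordingly, and, as Microsoft notes above, rotation alone does not clear out a backdoor that was planted through an already-exploited key.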

“If successful exploitation of publicly disclosed keys has occurred, rotating machine keys will not sufficiently address possible backdoors or persistence methods established by a threat actor or other post-exploitation activity, and additional investigation may be warranted. In particular, web-facing servers should be fully investigated and strongly considered for re-formatting and re-installation in an offline medium in cases where publicly disclosed keys have been identified, as these servers are most at risk of possible exploitation,” Microsoft added.
