Microsoft released advisory 2416728 on Friday after researchers Thai Duong
and Juliano Rizzo demonstrated the attack on ASP.NET with their Padding
Oracle Exploit Tool. The attack preys on a padding oracle weakness in the way
ASP.NET uses AES in CBC mode: the server responds differently depending on
whether a tampered ciphertext decrypted to valid padding, and that one bit per
request is enough to decrypt protected data without ever learning the key. You
can read about it over here at threatpost. So what's the reward for a
successful attack? On its own it's not going to allow the attacker to execute
code or elevate rights, but it does allow the attacker to read potentially
sensitive data that could then be further used to compromise
The mitigation for this attack is to remove the oracle: ensure that no matter
what the error, the same error page is returned, so the attacker can no longer
tell a padding failure apart from any other failure. This can be done per
application in the appropriate section of the web.config file, or you can
mitigate centrally at your web farm's front door with (of course!) an iRule.
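To make concrete what the differing error pages give away, here is an added Python example; it is my own code, not from the advisory, from Duong and Rizzo's tool, or from F5. It implements CBC with PKCS#7 padding over a toy Feistel block cipher (an assumption standing in for AES, since the attack depends only on the mode and the padding, never on the cipher), a leaky oracle modelling the unpatched server, a uniform oracle modelling the mitigated server, and the byte-at-a-time recovery that turns the leak into plaintext. The sample secret is constructed.

```python
import hashlib
import os

BLOCK = 16

# Toy 16-byte block cipher: 4-round Feistel network with SHA-256 as the round
# function (assumption; it stands in for AES so the example runs offline).
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def pad(data: bytes) -> bytes:            # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev, padded = b"", iv, pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Returns the still-padded plaintext."""
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, cur), prev)
        prev = cur
    return out

def make_leaky_oracle(key: bytes):
    """Unpatched server: a padding failure yields a distinguishable error page."""
    def oracle(iv: bytes, ct: bytes) -> bool:
        try:
            unpad(cbc_decrypt(key, iv, ct))
            return True
        except ValueError:
            return False
    return oracle

def uniform_oracle(iv: bytes, ct: bytes) -> bool:
    """Mitigated server: every error looks the same, so nothing is confirmed."""
    return False

def padding_oracle_decrypt(oracle, iv: bytes, ct: bytes) -> bytes:
    """Recover the plaintext using only the oracle; the key is never involved."""
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plaintext = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)   # block_decrypt(key, cur), learned byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            pad_val = BLOCK - pos
            crafted = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):   # force known tail bytes to pad_val
                crafted[j] = inter[j] ^ pad_val
            found = None
            for guess in range(256):
                crafted[pos] = guess
                if not oracle(bytes(crafted), cur):
                    continue
                if pos > 0:
                    # Edge case on the last byte: a hit may be a longer accidental
                    # padding (e.g. ..02 02). Flipping the byte before it breaks
                    # such a padding but leaves a genuine 0x01 padding valid.
                    crafted[pos - 1] ^= 0xFF
                    still_ok = oracle(bytes(crafted), cur)
                    crafted[pos - 1] ^= 0xFF
                    if not still_ok:
                        continue
                found = guess
                break
            if found is None:
                raise RuntimeError("no padding leak: byte %d never confirmed" % pos)
            inter[pos] = found ^ pad_val
        plaintext += _xor(bytes(inter), prev)
    return unpad(plaintext)

def demo(secret: bytes = b"constructed sample: auth ticket for alice") -> bool:
    key, iv = os.urandom(16), os.urandom(16)
    ct = cbc_encrypt(key, iv, secret)
    return padding_oracle_decrypt(make_leaky_oracle(key), iv, ct) == secret
```

Run `demo()` and the whole secret comes back with at most 256 queries per byte; swap in `uniform_oracle` and the attack never gets past the first byte, which is exactly what the uniform error page buys you. Note the timing caveat: if the "same" error page takes measurably longer when the padding is valid, the oracle is still there.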
I got a request yesterday morning asking if there was a way to drop HTTP
requests if a certain number was referenced in the Accept-Language header.
The user referenced this post on Exploring Binary.
The number, 2.2250738585072012e-308, causes the Java runtime and compiler to
go into an infinite loop when converting it to double-precision binary
floating-point. Not good. Twitter is ablaze on the issue, and there is a
good discussion thread on Hacker News as well. So how do you stop it?
At first, this appeared to be a no-brainer, just copy that string and drop if
found in that... (more)
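As an added example that is not from the post or from F5, the following Python shows why the obvious substring check is the wrong tool and what a normalizing check looks like instead: the same value can be spelled many ways (extra trailing zeros, a shifted exponent, a sign), and each spelling is a different string but the same double. The regex, the danger band and the `should_drop` helper are my assumptions; the band is deliberately conservative (anything that rounds to the smallest normal double or to the largest subnormal just below it), not Java's exact trigger interval, and the header values are constructed.

```python
import math
import re
import sys

# A decimal literal as a double parser would see it: sign, digits, fraction, exponent.
FLOAT_RE = re.compile(r"[-+]?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?")

# The reported trigger rounds to the smallest normal double (2.2250738585072014e-308).
# Flagging anything that rounds to it or to the largest subnormal below it is an
# assumption chosen to be conservative, not the exact interval Java hangs on.
SMALLEST_NORMAL = sys.float_info.min
LARGEST_SUBNORMAL = math.ldexp(1.0, -1022) - math.ldexp(1.0, -1074)

def naive_match(value: str) -> bool:
    """The first idea: look for the literal string. Misses every other spelling."""
    return "2.2250738585072012e-308" in value

def normalizing_match(value: str) -> bool:
    """Parse every numeric token (Python's float() rounds correctly and always
    terminates) and flag it if the parsed value lands in the danger band."""
    for token in FLOAT_RE.findall(value):
        try:
            parsed = abs(float(token))
        except ValueError:
            continue
        if LARGEST_SUBNORMAL <= parsed <= SMALLEST_NORMAL:
            return True
    return False

def should_drop(headers: dict) -> bool:
    """headers is a {name: value} dict (constructed). The post was asked about
    Accept-Language, but any header the application parses as a double is a
    vector, so every value is checked."""
    return any(normalizing_match(v) for v in headers.values())
```

The check is cheap enough to run on every request, and because the parser doing the normalizing is not the vulnerable one, it cannot itself be hung by the input it is screening.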
DevCentral has many rock star contributors. Most are not affiliated
officially with F5 Networks, or DevCentral for that matter, but there are
several F5ers who believe in the community, and really believe in the F5
story. One of those F5ers is Matt Cauthorn, or as you know him in the
community, L4L7. You may recognize Matt as the author of pyControl. Well,
not only did he provide this entrance to a better iControl experience, he has
also delivered in a major way with his Vim plugin for editing iRules
(utilizing pyControl of course to make those calls to BIG-IP). I had toyed ... (more)
Virtualization Expo on Ulitzer
If you haven’t yet downloaded the BIG-IP LTM VE trial, I highly suggest
you do. It is a fully-functional LTM, rate-limited to 1Mbps throughput.
If you’re not familiar with virtualized environments, hopefully this blog
will fill in some blanks for how to get started on the network front.
Before downloading your VE image, you need to choose what virtualization
environment you’re installing into. The supported options for a type 1
hypervisor are VMware ESX version 4 and ESXi version 4. For the type 2
hypervisor (requiring a host O... (more)
It's not an uncommon problem trying to figure out where to host that sorry
page in the event your farm is down (it can't live on the very servers that
are unavailable). It's also not an uncommon solution to just use your BIG-IP
to issue a text-only HTTP::respond. It works, but it's not, how do you say,
visually appealing? You want to say sorry and mean it. With pictures. If you
take a stroll through the iRules codeshare, you'll notice several solutions to
this problem. All of them work, with a variety of methods, but user
kirkbauer's entry takes it to another level. Kirk's sorry page iRule generator
(written in Perl) takes all ... (more)
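Kirk's generator is cut off above, so what follows is my own added Python example of the same idea, not his code and not F5's: build the HTML with the images inlined as base64 `data:` URIs so nothing has to be fetched from the (down) farm, then wrap it in an iRule that serves it with HTTP::respond when load balancing fails. The LB_FAILED event, the 503 status, the extra headers and the 1x1 placeholder GIF are my choices; the placeholder image is constructed.

```python
import base64
import html

# 1x1 transparent GIF, a constructed placeholder for the real logo or graphics.
PLACEHOLDER_GIF = base64.b64decode(
    "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"
)

def tcl_quote(s: str) -> str:
    """Escape text for a double-quoted Tcl word (iRules are Tcl): backslash first,
    then the characters Tcl would otherwise substitute or terminate the word on."""
    for ch in ("\\", '"', "$", "[", "]"):
        s = s.replace(ch, "\\" + ch)
    return s

def data_uri(data: bytes, mime: str) -> str:
    return "data:%s;base64,%s" % (mime, base64.b64encode(data).decode("ascii"))

def build_sorry_page(title: str, message: str, images: dict) -> str:
    """images maps alt text to (bytes, mime type); each becomes an inline data:
    URI so the page needs no backend server for its graphics."""
    imgs = "".join(
        '<img src="%s" alt="%s">' % (data_uri(blob, mime), html.escape(alt))
        for alt, (blob, mime) in images.items()
    )
    return (
        '<!DOCTYPE html><html><head><meta charset="utf-8"><title>%s</title></head>'
        "<body><h1>%s</h1><p>%s</p>%s</body></html>"
    ) % (html.escape(title), html.escape(title), html.escape(message), imgs)

def build_irule(page_html: str, status: int = 503) -> str:
    """Emit an iRule that answers from the BIG-IP when no pool member can be
    selected; the page is embedded as a single escaped Tcl string."""
    template = (
        "when LB_FAILED {\n"
        "    # every member is down: answer here instead of resetting the client\n"
        '    HTTP::respond %d content "%s" "Content-Type" "text/html; charset=utf-8" '
        '"Cache-Control" "no-store" "Connection" "close"\n'
        "}\n"
    )
    return template % (status, tcl_quote(page_html))

if __name__ == "__main__":
    page = build_sorry_page("We're sorry", "The site is down for maintenance.",
                            {"logo": (PLACEHOLDER_GIF, "image/gif")})
    print(build_irule(page))
```

Two things worth keeping from this: escape the HTML for Tcl rather than pasting it raw (an unescaped `$`, `[` or `"` in the page is a syntax error or, worse, a command substitution inside the rule), and mark the response `no-store` so a proxy does not keep serving the apology after the farm is back.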