
In this advisory concerning the oracle padding exploit, Microsoft posted the following recommended error page:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
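    void Page_Load() {
        // Draw one cryptographically random byte (0-255).
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();

        prng.GetBytes(delay);
        // Sleep for that many milliseconds before the error page renders.
        Thread.Sleep((int)delay[0]);

        // Dispose the RNG where the type implements IDisposable.
        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }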
</script>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>

What's with the Thread.Sleep for some value between 0-255? I don't want my server threads tied up for up to a quarter of a second.

Artjom B.
spender

1 Answer


The reason is to alter the timing of the result. By making the return take a variable amount of time, you can't use the timing of the error return to determine the reason for failure, which is the approach that is used for the attack.

Anya Shenanigans
  • OK, but couldn't the page then be used as a vector to exhaust your server of threads? – spender Sep 26 '10 at 20:58
  • @spender: No, not more than any other page. It's normal for a page to wait for something as part of the rendering, for example a database result. Waiting for nothing isn't more expensive. – Guffa Sep 26 '10 at 21:06
  • Given that this is all from 2010, and it's now 2012, has this vulnerability been fixed or should we leave the workaround as-is? – Tom Robinson Feb 07 '12 at 10:05
  • Based on the information on http://technet.microsoft.com/en-us/security/bulletin/MS10-070 - it was addressed in an update for all supported releases. – Anya Shenanigans Feb 07 '12 at 13:15
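
The masking effect described in the answer can be quantified for a single response. The following is an added example, not code from the advisory or from any poster: it computes exactly how well one observed response time separates two failure paths once a uniform 0-255 ms sleep is added. The base times of 20 ms and 25 ms and the function names are assumptions made for illustration.

```python
from fractions import Fraction

JITTER_VALUES = 256  # one random byte -> Thread.Sleep(0..255 ms), as in the error page


def observed_distribution(base_ms, jitter_values=JITTER_VALUES):
    """Exact distribution of response time: base cost plus a uniform sleep."""
    if jitter_values <= 1:
        return {base_ms: Fraction(1)}  # no jitter: the time is always base_ms
    p = Fraction(1, jitter_values)
    return {base_ms + j: p for j in range(jitter_values)}


def single_response_accuracy(base_a_ms, base_b_ms, jitter_values=JITTER_VALUES):
    """Best achievable chance of telling two equally likely failure paths apart
    from ONE response time (choose the likelier path for each observed time).
    1/2 means the timing carries no information; 1 means it leaks the path."""
    dist_a = observed_distribution(base_a_ms, jitter_values)
    dist_b = observed_distribution(base_b_ms, jitter_values)
    total = Fraction(0)
    for t in set(dist_a) | set(dist_b):
        total += max(dist_a.get(t, 0), dist_b.get(t, 0)) / 2
    return total


if __name__ == "__main__":
    # Constructed sample timings (ms) for two hypothetical error paths.
    cases = [
        ("no delay, 5 ms gap", 20, 25, 1),
        ("0-255 ms delay, 5 ms gap", 20, 25, 256),
        ("0-255 ms delay, 100 ms gap", 20, 120, 256),
        ("0-255 ms delay, 300 ms gap", 20, 320, 256),
    ]
    for label, a, b, n in cases:
        acc = single_response_accuracy(a, b, n)
        print(f"{label:28s} accuracy = {float(acc):.3f}")
```

The delay only hides gaps that are small relative to its range: once the two paths differ by more than the maximum sleep, a single response time identifies the path again.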