On February 6, 2025, Microsoft revealed a major security issue involving over 3,000 publicly exposed ASP.NET machine keys. These keys, meant to protect web applications, had been inadvertently shared in public repositories, creating a significant risk of remote code execution (RCE) attacks. Exploiting these exposed machine keys, attackers took advantage of the ASP.NET ViewState mechanism to inject and execute arbitrary code on vulnerable servers.
What are ASP.NET Machine Keys?
In ASP.NET applications, machine keys are pivotal for ensuring data integrity and confidentiality. They are employed to sign and encrypt various data structures, including:
- ViewState – Prevents tampering with ViewState, which maintains UI state across postbacks.
- Forms Authentication Tickets – Manages user authentication sessions.
- Cookies – Prevents modification of authentication and session cookies.
Machine keys are typically configured in the machineKey element of the web.config file.

By default, ASP.NET can generate these keys automatically. However, in multi-server environments, administrators often hardcode the keys for consistency across servers. Unfortunately, mismanagement of these keys can lead to severe security risks if they are publicly disclosed.
What Happened?
In December 2024, Microsoft’s Threat Intelligence team identified a wave of attacks where publicly available ASP.NET machine keys were used for malicious code injection. Threat actors exploited these keys to forge cryptographic tokens, manipulate ViewState, and execute arbitrary code on web servers.
The attackers leveraged over 3,000 publicly disclosed machine keys, found in:
- Open-source repositories (GitHub, GitLab, Bitbucket)
- Public forums (Stack Overflow, Pastebin, coding blogs)
- Exposed configuration backups and logs
Instead of relying on complex exploits, attackers used pre-existing machine keys to execute arbitrary commands on servers running misconfigured ASP.NET applications.
How Did It Happen?
1 – Discovery of Publicly Exposed Machine Keys – Attackers collected ASP.NET machine keys from publicly accessible sources, such as:
- GitHub repositories where developers accidentally hardcoded machine keys.
- Stack Overflow discussions where users shared their web.config settings.
- Configuration backups left in publicly accessible folders.
- Leaks from previous breaches where machine keys were exposed.
2 – ViewState Exploitation – One of the primary attack vectors was exploiting ASP.NET ViewState deserialization:
ViewState Signing and Encryption
- ViewState is signed using the machine key to prevent tampering.
- If an attacker knows the machine key, they can generate their own signed ViewState payloads.
Crafting a Malicious ViewState Payload
- Attackers used tools to create a serialized .NET object payload containing malicious commands.
- This payload was encrypted and signed using the stolen machine key.
Injecting the Malicious ViewState
- Attackers submitted the ViewState payload via an HTTP POST request.
- Since the payload was correctly signed, the application trusted and deserialized it, leading to remote code execution (RCE).
Deploying the Godzilla Webshell
- Attackers used this RCE method to deploy Godzilla, a webshell that allowed persistent access.
Once installed, the webshell enabled:
- Command execution on the server.
- File uploads/downloads for data exfiltration.
- Credential theft and lateral movement within the network.

Recommendations
1. Secure Machine Key Storage
- Use secure key management solutions.
- Store keys in environment variables rather than configuration files.
2. Enable ViewState Encryption
- Set ViewStateEncryptionMode="Always" to prevent attackers from tampering with ViewState.
3. Disable Insecure ViewState MAC Validation
- If ViewState is not needed, disable it completely by setting:

4. Regularly Audit Your Applications
- Periodically review your web.config files for exposed secrets.
- Perform static code analysis to detect hardcoded credentials.
5. Use Unique Machine Keys
- Never use default or publicly available machine keys. Each application should have a distinct machine key.
6. Keep ASP.NET Framework Updated
- Ensure your applications run on the latest version of .NET.
- Apply all Microsoft security patches.
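Recommendations 4 and 5 can be checked mechanically. The Python script below is an added example, not code from the original article or from Microsoft: it flags every *.config file that carries a literal validationKey or decryptionKey and reports keys reused across files, printing only a SHA-256 prefix so the report never contains the key itself. The function names are assumptions made for this illustration.

```python
import hashlib
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import Path

KEY_ATTRS = ("validationKey", "decryptionKey")


def fingerprint(value):
    """Short SHA-256 digest so reports never contain the key itself."""
    return hashlib.sha256(value.strip().upper().encode()).hexdigest()[:16]


def hardcoded_keys(xml_data):
    """Return [(attribute, fingerprint)] for each literal key in one config."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError:
        return []  # not well-formed XML; nothing to inspect
    found = []
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "machineKey":  # tolerate an xmlns
            continue
        for attr in KEY_ATTRS:
            value = elem.get(attr, "")
            # "AutoGenerate[,IsolateApps]" means the runtime creates the key
            if value and not value.lower().startswith("autogenerate"):
                found.append((attr, fingerprint(value)))
    return found


def audit(configs):
    """configs: {path: xml text or bytes}. Returns (findings, reused keys)."""
    findings, seen = [], defaultdict(set)
    for path, data in configs.items():
        for attr, fp in hardcoded_keys(data):
            findings.append((path, attr, fp))
            seen[fp].add(path)
    reused = {fp: sorted(p) for fp, p in seen.items() if len(p) > 1}
    return findings, reused


if __name__ == "__main__":
    base = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    findings, reused = audit({str(p): p.read_bytes() for p in base.rglob("*.config")})
    for path, attr, fp in findings:
        print(f"{path}: hardcoded {attr} (sha256 prefix {fp})")
    for fp, paths in reused.items():
        print(f"key {fp} shared by: {', '.join(paths)}")
```

Run it against a source checkout or deployment share, for example as a CI step; any finding is a key to rotate and move out of the committed file.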
Conclusion
The exposure of ASP.NET machine keys, whether through public disclosure or inadequate security practices, presents a significant threat to web application security.
By understanding the mechanics of these vulnerabilities and implementing robust security measures, developers can protect their applications from potential code injection attacks.