All posts by Sebastian Solnica

About Sebastian Solnica

My name is Sebastian Solnica and I work as a System Engineer. I am deeply interested in debugging, profiling and application security (mainly .NET and Windows). I have also published some OSS projects, usually small, command line tools, aimed at helping diagnose various problems in applications. You may find them on my GitHub page: https://github.com/lowleveldesign.

Wtrace 2.2


On the occasion of releasing wtrace 2.2, I decided to write a short post about new functionalities I added to this tool in the recent months. I hope you will find them interesting. Wtrace is a command line application which collects ETW traces from the system and the selected processes and outputs them to the console. It is very simple to use and runs on Windows 7+. Currently, it supports the collection of File I/O, TCP, ALPC, RPC, ISR, DPC, and PowerShell events.

Continue reading Wtrace 2.2

Performing Padding Oracle Attack from PowerShell


In the previous post we created a sample ASP.NET application, which performs encryption in an old, unsecured way (without signature). Its source code is available in my blog samples repository. To run the application execute the runiis.bat file – you must have IIS Express installed on your machine. If everything starts correctly you should see in your browser this beautiful page:

padding-oracle-website

Continue reading Performing Padding Oracle Attack from PowerShell

Case of Unresolvable IPv4 Addresses in IIS


One of my colleagues at work was struggling with a peculiar problem on his machine. Whenever he tried to access the address of his test project: http://my.project:8080 he was getting connection refused error (my.project points to 127.0.0.1 in the hosts file). The same error appeared when we opened the http://127.0.0.1:8080 address:

chrome-error-localhost

Continue reading Case of Unresolvable IPv4 Addresses in IIS

Extracting Service Principal Credentials in VSTS


When we need to deploy an application to Azure from VSTS (Visual Studio Team Services), we use the Azure tasks prepared by Microsoft. These tasks require a contributor account in Azure AD to make changes to your subscription. As this account is not a regular user account but an application account we call it a Service Principal. A very basic build pipeline might look as follows:

vsts-appservice-buildpipeline

The “Azure App Service Deploy” task is an example of a task that will use a Service Principal account to update your App Service in Azure. VSTS makes it easy to create the Service Principal account; it also automatically assigns a contributor role in your subscription to this newly created account. When you want to have full control over your Azure AD you may manually create an App Registration (another name for the Service Principal) in the portal and give it the required rights. You will also need a key to authenticate the service in Azure:

vsts-appregistration

In the next step, you create a new Azure Resource Manager Service Endpoint, providing all the collected information:

Continue reading Extracting Service Principal Credentials in VSTS

Forcing ASP.NET to encrypt like five years ago


While preparing slides and demos for the upcoming BSides Warsaw conference, I spent some time digging through the code of the old ASP.NET Crypto stack. In case you do not remember, six years ago researchers reported multiple cryptographic design flaws in ASP.NET. One of the critical issues was that ASP.NET did not authenticate ciphertexts. Thus they were vulnerable to the padding oracle attack. Microsoft learned its lesson and rewrote the crypto stack in ASP.NET 4.5. If you want to find out more, have a look at those three excellent articles by Levi Broderick: Part 1, Part 2, Part 3. As I plan to demo the padding oracle attack during my presentation I wanted to restore the old behavior using the latest version of the ASP.NET framework. In this post, I am presenting how I achieved that. But to watch the live demo, I invite you to come to my presentation at 10:00, Saturday, October 14th :).

Continue reading Forcing ASP.NET to encrypt like five years ago

SQL Server Always Encrypted


Always Encrypted is a feature of the SQL Server 2016/Azure SQL which allows you to take full control over the encryption process of the sensitive data stored in your SQL databases. Thanks to this mechanism the encryption key is stored only on the client side and is never revealed to the SQL Server. In consequence, data traveling from the server to the client is also encrypted (although I would not rely too much on this fact and always use encrypted connections to the SQL Server). That is a very different approach to Transparent Data Encryption or Cell-level Encryption, in which it is the server role to encrypt/decrypt data received/sent to the client. Server-side encryption is completely transparent to the client and does not impact the way the client builds SQL queries. In Always Encrypted model, any query against an encrypted column will perform comparisons on byte arrays of cipher text. As you can imagine this raises some challenges when building a data model. In this post, I am going to cover some details of how the Always Encrypted feature is implemented and, hopefully, help you use it effectively.

Continue reading SQL Server Always Encrypted

Decrypting TFS secret variables


Each build and release definition in TFS has a set of custom variables assigned to it. Those variables are later used as parameters to PowerShell/batch scripts, configuration file transformations, or other tasks being part of the build/release pipeline. Accessing them from a task resembles accessing process environment variables. Because of TFS detailed logging, it is quite common that values saved in variables end up in the build log in a plain text form. That is one of the reasons why Microsoft implemented secret variables.

The screenshot below presents a TFS build configuration panel, with a sample secret variable amiprotected set (notice the highlighted padlock icon on the right side of the text box):

tfssv_secret-variable

Once the secret variable is saved, it is no longer possible to read its value from the web panel (when you click on the padlock, the text box will be cleared).

And this is how the output log looks like if we pass the secret variable to a PowerShell script and print it:

tfssv_masked-log

Let’s now have a look where and how the secret variables are stored.

Continue reading Decrypting TFS secret variables