Syhunt Advisory: CGILua session.lua Predictable Session ID Vulnerability

Advisory-ID: 201404301
Discovery Date: 03.27.2014
Release Date: 04.30.2014
Affected Applications: CGILua 5.0.x, CGILua 5.1.x., CGILua 5.2 alpha 1 &
CGILua 5.2 alpha 2
Class: Predictable Session ID
Status: Unpatched/Vendor informed
Vendor: CGILua project
Vendor URL: https://github.com/keplerproject/cgilua
Advisory URL: http://www.syhunt.com/advisories/?id=cgilua-weaksessionid

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following CVE to this vulnerability: CVE-2014-2875

----------------------------------------------------------------

Overview:
CGILua is an open source tool for creating dynamic Web pages and
manipulating input data from Web forms. It allows the separation
of logic and data handling from the generation of pages, making
it easy to develop web applications with the Lua programming
language.

Over the years the tool has been adopted by several
organizations worldwide, especially in Brazil where it has been
adopted by some high profile organizations.

Description:
A vulnerability in the session library that ships with CGILua
since version 5.0 beta may allow remote attackers to easily and
quickly guess valid session IDs generated by a Lua web
application and perform session hijacking - for example, gain
access to user sessions of various other logged-in users.

----------------------------------------------------------------

Details:

CGILua 5.2 alpha, released in 2013, generates weak/insufficiently
random session IDs (usually 9-digit long, sometimes shorter),
based on OS time.
Since an attacker can view the source on GitHub, he knows the
generation mechanism. In our attack simulations, we were able to
guess valid session IDs extremely quickly through brute-force
attacks.

CGILua 5.1.x (2007-2010) contains a bug and always generates the
same ID. Since this bug is easily noticeable and makes the
library unusable, we doubt that the version of the session
library included with this release is in production anywhere.

CGILua 5.0.x, released in 2004, generates sequential (non-random)
8-digit long session IDs, making guessing even more easy.

----------------------------------------------------------------

Vulnerability Status:

The project maintainers were initially contacted at the end of
March, 2014.

The maintainer Tomás Guisasola believes that the session IDs
generated by CGILua 5.0 and 5.2 are not insecure in its current
form and that enhancing the randomness of the SID would
not make it more secure.

The maintainer confirmed that the session ID generation in
CGILua 5.1 is buggy - always generates the same ID, thus is
unusable.

Because there is no patch for this vulnerability (the author
does not consider it a security risk and is unresponsive) we
recommend that users simply do not use CGILua's session.lua
library until hopefully there is a patch issued to remedy this.

According to the CGILua changelog, the session API was
introduced in version 5.0 beta, therefore older versions, like
5.0 alpha, 4.x and before don't include the session.lua
library and should not be marked as vulnerable to this
particular issue.

In case you wish to manually patch the session library, consider
using the luuid library, which generates 128-bit random IDs, as
part of the fix, or any other Lua library that can generate
unique IDs based on high-quality randomness. After patching
(either with an official patch or your own patch), it is
necessary to remove/invalidate all sessions generated by the
old, unpatched code.

----------------------------------------------------------------

Disclosure Timeline:

* March 27, 2014 - Emailed the maintainers about the need of
hardening CGILua.
* April 2, 2014 - No reply. Emailed the maintainer once again.
* April 2, 2014 - First maintainer reply (see Vulnerability Status
above for details).
* April 4, 2014 - Syhunt sends information about recommended
SID length and entropy
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Length
* April 13, 2014 - Syhunt sends details about its own
demonstration tool that is able to guess CGILua session IDs, along
with additional comments in a separate email.
* April 30, 2014 - No response received to emails sent on April 4 & 13.
* April 30, 2014 - Public disclosure.

----------------------------------------------------------------

Credit:
Felipe Daragon
Syhunt Security Research Team, www.syhunt.com

We thank James Mouat, which performed some additional tests,
helping with the diagnosis of this issue.

----

Copyright © 2014 Syhunt Security

Disclaimer:
The information in this advisory is provided "as is" without
warranty of any kind. Details provided are strictly for
educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or
indirect use of the information provided by this advisory.