exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

wp-04-0001.txt

wp-04-0001.txt
Posted Sep 21, 2004
Authored by Paul Johnston | Site westpoint.ltd.uk

Westpoint Security Advisory wp-04-0001 - Multiple browsers are susceptible to multiple cookie injection vulnerabilities. Tested: Internet Explorer 6.0 for Windows 2000 with all patches, Konqueror 3.1.4 for SuSE 9.0, Mozilla Firefox 0.9.2 for Windows 2000, Opera 7.51 for Windows 2000.

tags | advisory, vulnerability
systems | linux, windows, suse
advisories | CVE-2004-0746, CVE-2004-0866, CVE-2004-0867, CVE-2004-0869, CVE-2004-0870, CVE-2004-0871, CVE-2004-0872
SHA-256 | 8fc149376018ed5107866eec1ab39898b97111216c66d313f39856eb9a5ec1d0

wp-04-0001.txt

Change Mirror Download
Westpoint Security Advisory
---------------------------

Title: Multiple Browser Cookie Injection Vulnerabilities
Risk Rating: Low
Software: Multiple Web Browsers
Platforms: Unix and Windows
Author: Paul Johnston <paul@westpoint.ltd.uk>
assisted by Richard Moore <rich@westpoint.ltd.uk>
Date: 15 September 2004
Advisory ID#: wp-04-0001
URL: http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt
CVE: Multiple assigned, see main text

Overview
--------

A design goal for cookies is to "prevent the sharing of session
information between hosts that are in different domains." It appears
current implementations are successful at allowing a domain to keep its
cookies private. However, multiple mechanisms have been discovered for
one domain to inject cookies into another. These could be used to
perform session fixation attacks against web applications.

Recommendations:
* Affected browsers be patched for these vulnerabilities.
* Web applications implement application layer mitigations for session
fixation attacks, as described in [2].

Tested:
Internet Explorer 6.0 for Windows 2000, all patches
Konqueror 3.1.4 for SuSE 9.0
Mozilla Firefox 0.9.2 for Windows 2000
Opera 7.51 for Windows 2000


Cross-Domain Cookie Injection
-----------------------------
Vulnerable:
Konqueror CAN-2004-0746
Internet Explorer CAN-2004-0866
Mozilla CAN-2004-0867
Not vulnerable:
Opera

By default, cookies are only sent to the host that issued them. There is
an optional "domain" attribute that overrides this behaviour. For
example, red.example.com could set a cookie with domain=.example.com.
This would then be sent to any host in the .example.com domain.

There is potential for abuse here, consider the case where
red.example.com sets a cookie with domain=.com. In principle this would
be sent to any host in the .com domain. However [1] requires browsers to
reject cookies where:

"The value for the Domain attribute contains no embedded dots"

This prevents a cookie being set with domain=.com. However, this does
not extend to country domains that are split into two parts. For
example, red.example.co.uk could set a cookie with domain=.co.uk and
this will be sent to all hosts in the .co.uk domain. Mozilla follows the
RFC exactly and is vulnerable to this. Konqueror and Internet Explorer
have some further protection, preventing domains of the following forms:

* Where the 2nd level domain is two or fewer characters, i.e. xx.yy or
x.yy
* Domains of the form (com|net|mil|org|gov|edu|int).yy

This does prevent .co.uk cross domain cookie injection but does not
protect all domains. For example, the following .uk domains are
unprotected:

.ltd.uk
.plc.uk
.sch.uk
.nhs.uk
.police.uk
.mod.uk

When testing with Opera, it appeared that browser always correctly
detected the domain. It is not immediately clear how Opera does this
check.

Example exploitation:
1) http://example.ltd.uk/ is identified for attack. It uses the "sid"
cookie to hold the session ID.
2) Attacker obtains attacker.ltd.uk domain
3) User is enticed to click link to http://attacker.ltd.uk/
4) This site sets the "sid" cookie with domain=.ltd.uk
5) When user logs into example.ltd.uk, they are using a sesion ID known
to the attacker.
6) Attacker now has a logged-in session ID and has compromised the
user's account.

Exploitation is dependent on the user clicking an untrusted link.
However, it is fundamental to the use of the web that we do sometimes
click untrusted links. This attack can happen regardless of the use of SSL.


Cross Security Boundary Cookie Injection
----------------------------------------
Vulnerable:
Internet Explorer CAN-2004-0869
Konqueror CAN-2004-0870
Mozilla CAN-2004-0871
Opera CAN-2004-0872

By default cookies are sent to all ports on the host that issued them,
regardless of whether SSL is in use. There is an optional "secure"
attribute that restricts sending to secure channels. This prevents
secure cookies leaking out over insecure channels. However, there is no
protection to prevent cookies set over a non-secure channel being
presented on a secure channel. In general to maintain proper boundaries
between security levels, it is necessary to defend against both attacks
- protecting both confidentiality and integrity.

Example exploitation:
1) https://example.com/ identified for attack, which uses "sid" cookie
as session ID.
2) User is enticed to click link to http://example.com/
3) By some mechanism the attacker intercepts this request and sets the
"sid" cookie
4) When user logs into https://example.com/ they are using a sesion ID
known to the attacker.
5) Attacker now has a logged-in session ID and has compromised the
user's account.

In addition to the user clicking an untrusted link, exploitation is
dependent on the attacker tampering with non-SSL network traffic. This
is a reasonable assumption as the purpose of SSL is to provide security
over an insecure network.


References
----------

[1] RFC2965 - HTTP State Management Mechanism
http://www.ietf.org/rfc/rfc2965.txt

[2] Session Fixation Vulnerability in Web-based Applications
http://www.acros.si/papers/session_fixation.pdf

[3] Persistent Client State - HTTP Cookies
http://www.netscape.com/newsref/std/cookie_spec.html

[4] Cookies and Cookie Handling in Opera 7 Explained
http://o.bulport.com/index.php?item=55


History
-------

16 July 2004 Vulnerabilities discovered

20 July 2004 Vendors informed

20 July 2004 Mozilla bug opened

http://bugzilla.mozilla.org/show_bug.cgi?id=252342

The discussion shows that the cross domain problem is a long standing
known bug. However, one contibutor claimed the exploit is being used in
the wild. Several fixes were suggested and it appears this bug will be
addressed soon.

No discussion of the SSL vs non-SSL problem.

21 July 2004 Opera respond

The response explains that they take the cross domain problem
seriously, and that they have solved it by doing a DNS lookup on the
specified domain. Some information is available in [4].

They also explained that they could not solve the cross security
boundary problem without breaking standards and existing web apps.

This problem has previously been reported as the "Cookie Monster bug"
http://www.securiteam.com/exploits/Cookie_Monster_vulnerability.html

23 July 2004 Konqueror respond

Explain that they intend to fix the cross domain problem by including a
list of ccTLDs that, like .uk, require 3 dots. The domain are:

name,ai,au,bd,bh,ck,eg,et,fk,il,in,kh,kr,mk,mt,na,
np,nz,pg,pk,qa,sa,sb,sg,sv,ua,ug,uk,uy,vn,za,zw

The brief discussion of the cross security boundary suggests they do
not consider it possible to solve at this time.

23 Aug 2004 KDE Security Advisory released

http://www.kde.org/info/security/advisory-20040823-1.txt

KDE issue an advisory stating the cross-domain problem is fixed in KDE
3.3. Patches are also available for older 3.x versions.

13 Sept 2004 Vendors notified of impending release

14 Sept 2004 CVE candidates assigned for other issues

15 Sept 2004 Microsoft respond

Best practice for web sites to resist session fixation attacks is to
change the session ID after authentication. They are looking at ways to
address this in the browser. As this may cause compatibility issues and
the issue is low risk, they have not commited to a timeline.

15 Sept 2004 Advisory published


Thanks
------

Many thanks to the vendors for their responses. Also, thanks to Steven
Christey for assigning CVE numbers.





--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@westpoint.ltd.uk
web: www.westpoint.ltd.uk


Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    14 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close