what you don't know can hurt you

Tornado 1.0 Insecure Cookie

Tornado 1.0 Insecure Cookie
Posted Aug 17, 2010
Authored by Nam Nguyen | Site bluemoon.com.vn

Tornado version 1.0 suffers from an insecure cookie vulnerability.

tags | advisory, insecure cookie handling
MD5 | d70eb4e7256eaef573219f08319b7dd0

Tornado 1.0 Insecure Cookie

Change Mirror Download
BLUE MOON SECURITY ADVISORY 2010-01
===================================


:Title: Insecure secure cookie in Tornado
:Severity: Low
:Reporter: Blue Moon Consulting
:Products: Tornado v1.0
:Fixed in: Tornado v1.0.1


Description
-----------

Tornado is an open source version of the scalable, non-blocking web server and tools that power FriendFeed.

A secure cookie in Tornado is stored in three parts, separated by a pipe sign (``|``)

::

<value>|<timestamp>|<hmac>

where:

<value>
is the cookie's value encoded in Base64, which does use the digits 0 to 9.

<timestamp>
is ``str(int(time.time()))``.

<hmac>
is the keyed hash value of <value> and <timestamp> concatenated.

The problem is ``get_secure_cookie`` only checks for expired timestamp and the <hmac> does not take into account the separator character. An attacker, therefore, can move the pipe sign to the left by 4-character blocks to create another valid cookie, whose timestamp is in the far future, and value truncated by 3 characters.

This vulnerability is rated at low severity due to situational exploiting conditions.

Workaround
----------

There is no workaround.

Fix
---

Customers are advised to upgrade to at least version 1.0.1.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

August 13, 2010: Notice sent to Ben Darnell.

:Vendor response:

August 13, 2010: Ben replied confirming the bug.

:Further communication:

August 13, 2010: Ben added that the attacker would have to shift by 4 digits due to Base64 encoding.

August 13, 2010: Ben added that version 1.0.1 would have a timestamp check.

:Public disclosure: August 16, 2010

:Exploit code:

No exploit code required.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.


--
Nam Nguyen, CISA, CISSP, CSSLP
Blue Moon Consulting Co., Ltd
http://www.bluemoon.com.vn

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    3 Files
  • 17
    Mar 17th
    1 Files
  • 18
    Mar 18th
    15 Files
  • 19
    Mar 19th
    1 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close