SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Web Browser)  >   Opera Vendors:   Opera Software
Opera Bug in Sending Non-Secure Cookies via SSL May Let Remote Users Conduct Session Fixation Attacks
SecurityTracker Alert ID:  1011329
SecurityTracker URL:  http://securitytracker.com/id/1011329
CVE Reference:   CAN-2004-0872   (Links to External Site)
Date:  Sep 16 2004
Impact:   Modification of authentication information
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 7.51
Description:   A vulnerability was reported in Opera. A remote user may be able to set cookies on via a non-secure server to be sent to a secure server as part of a session fixation attack.

Westpoint Security reported that the browser may send non-secure cookies (i.e., those set via HTTP) to the server via SSL. A remote user with the ability to spoof connections or conduct a man-in-the-middle attack may be able to set a cookie on the target user's browser that will subsequently be sent by the target user's browser to a secure server as part of a session fixation attack.

This flaw may allow remote users to conduct session fixation attacks to hijack a target user's session. A paper on session fixation attacks is available at:

http://www.acros.si/papers/session_fixation.pdf

The vendor was notified on July 20, 2004.

The original advisory is available at:

http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt

Impact:   A remote user may be able to set cookies via a non-secure server to be sent by the target user's browser to a secure server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.opera.com/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Thu, 16 Sep 2004 11:00:37 -0400
Subject:  http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt


Westpoint Security Advisory
---------------------------

Title:        Multiple Browser Cookie Injection Vulnerabilities
Risk Rating:  Low
Software:     Multiple Web Browsers
Platforms:    Unix and Windows
Author:       Paul Johnston <paul@westpoint.ltd.uk>
              assisted by Richard Moore <rich@westpoint.ltd.uk>
Date:         15 September 2004
Advisory ID#: wp-04-0001
URL:          http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt
CVE:          Multiple assigned, see main text

Overview
--------

A design goal for cookies is to "prevent the sharing of session
information between hosts that are in different domains." It appears
current implementations are successful at allowing a domain to keep its
cookies private. However, multiple mechanisms have been discovered for one
domain to inject cookies into another. These could be used to perform
session fixation attacks against web applications.

Recommendations:
  * Affected browsers be patched for these vulnerabilities.
  * Web applications implement application layer mitigations for session
    fixation attacks, as described in [2].

Tested:
  Internet Explorer 6.0 for Windows 2000, all patches
  Konqueror 3.1.4 for SuSE 9.0
  Mozilla Firefox 0.9.2 for Windows 2000
  Opera 7.51 for Windows 2000


Cross-Domain Cookie Injection
-----------------------------
Vulnerable:
  Konqueror             CAN-2004-0746
  Internet Explorer     CAN-2004-0866
  Mozilla               CAN-2004-0867
Not vulnerable:
  Opera

By default, cookies are only sent to the host that issued them. There is
an optional "domain" attribute that overrides this behaviour. For example,
red.example.com could set a cookie with domain=.example.com. This would
then be sent to any host in the .example.com domain.

There is potential for abuse here, consider the case where red.example.com
sets a cookie with domain=.com. In principle this would be sent to any
host in the .com domain. However [1] requires browsers to reject cookies
where:

  "The value for the Domain attribute contains no embedded dots"

This prevents a cookie being set with domain=.com. However, this does not
extend to country domains that are split into two parts. For example,
red.example.co.uk could set a cookie with domain=.co.uk and this will be
sent to all hosts in the .co.uk domain. Mozilla follows the RFC exactly
and is vulnerable to this. Konqueror and Internet Explorer have some
further protection, preventing domains of the following forms:

  * Where the 2nd level domain is two or fewer characters, i.e. xx.yy or
    x.yy
  * Domains of the form (com|net|mil|org|gov|edu|int).yy

This does prevent .co.uk cross domain cookie injection but does not
protect all domains. For example, the following .uk domains are
unprotected:

  .ltd.uk
  .plc.uk
  .sch.uk
  .nhs.uk
  .police.uk
  .mod.uk

When testing with Opera, it appeared that browser always correctly
detected the domain. It is not immediately clear how Opera does this
check.

Example exploitation:
  1) http://example.ltd.uk/ is identified for attack. It uses the "sid"
     cookie to hold the session ID.
  2) Attacker obtains attacker.ltd.uk domain
  3) User is enticed to click link to http://attacker.ltd.uk/
  4) This site sets the "sid" cookie with domain=.ltd.uk
  5) When user logs into example.ltd.uk, they are using a sesion ID known
     to the attacker.
  6) Attacker now has a logged-in session ID and has compromised the
     user's account.

Exploitation is dependent on the user clicking an untrusted link. However,
it is fundamental to the use of the web that we do sometimes click
untrusted links. This attack can happen regardless of the use of SSL.


Cross Security Boundary Cookie Injection
----------------------------------------
Vulnerable:
  Internet Explorer     CAN-2004-0869
  Konqueror             CAN-2004-0870
  Mozilla               CAN-2004-0871
  Opera                 CAN-2004-0872

By default cookies are sent to all ports on the host that issued them,
regardless of whether SSL is in use. There is an optional "secure"
attribute that restricts sending to secure channels. This prevents secure
cookies leaking out over insecure channels. However, there is no
protection to prevent cookies set over a non-secure channel being
presented on a secure channel. In general to maintain proper boundaries
between security levels, it is necessary to defend against both attacks -
protecting both confidentiality and integrity.

Example exploitation:
  1) https://example.com/ identified for attack, which uses "sid" cookie
     as session ID.
  2) User is enticed to click link to http://example.com/
  3) By some mechanism the attacker intercepts this request and sets the
     "sid" cookie
  4) When user logs into https://example.com/ they are using a sesion ID
     known to the attacker.
  5) Attacker now has a logged-in session ID and has compromised the
     user's account.

In addition to the user clicking an untrusted link, exploitation is
dependent on the attacker tampering with non-SSL network traffic. This is
a reasonable assumption as the purpose of SSL is to provide security over
an insecure network.


References
----------

[1] RFC2965 - HTTP State Management Mechanism
    http://www.ietf.org/rfc/rfc2965.txt

[2] Session Fixation Vulnerability in Web-based Applications
    http://www.acros.si/papers/session_fixation.pdf

[3] Persistent Client State - HTTP Cookies
    http://www.netscape.com/newsref/std/cookie_spec.html

[4] Cookies and Cookie Handling in Opera 7 Explained
    http://o.bulport.com/index.php?item=55


History
-------

16 July 2004      Vulnerabilities discovered

20 July 2004      Vendors informed

20 July 2004      Mozilla bug opened

  http://bugzilla.mozilla.org/show_bug.cgi?id=252342

  The discussion shows that the cross domain problem is a long standing
  known bug. However, one contibutor claimed the exploit is being used in
  the wild. Several fixes were suggested and it appears this bug will be
  addressed soon.

  No discussion of the SSL vs non-SSL problem.

21 July 2004      Opera respond

  The response explains that they take the cross domain problem seriously,
  and that they have solved it by doing a DNS lookup on the specified
  domain. Some information is available in [4].

  They also explained that they could not solve the cross security
  boundary problem without breaking standards and existing web apps.

  This problem has previously been reported as the "Cookie Monster bug"
  http://www.securiteam.com/exploits/Cookie_Monster_vulnerability.html

23 July 2004      Konqueror respond

  Explain that they intend to fix the cross domain problem by including a
  list of ccTLDs that, like .uk, require 3 dots. The domain are:

    name,ai,au,bd,bh,ck,eg,et,fk,il,in,kh,kr,mk,mt,na,
    np,nz,pg,pk,qa,sa,sb,sg,sv,ua,ug,uk,uy,vn,za,zw

  The brief discussion of the cross security boundary suggests they do not
  consider it possible to solve at this time.

23 Aug 2004       KDE Security Advisory released

  http://www.kde.org/info/security/advisory-20040823-1.txt

  KDE issue an advisory stating the cross-domain problem is fixed in KDE
  3.3. Patches are also available for older 3.x versions.

13 Sept 2004      Vendors notified of impending release

14 Sept 2004      CVE candidates assigned for other issues

15 Sept 2004      Microsoft respond

  Best practice for web sites to resist session fixation attacks is to
  change the session ID after authentication. They are looking at ways to
  address this in the browser. As this may cause compatibility issues and
  the issue is low risk, they have not commited to a timeline.

15 Sept 2004      Advisory published


Thanks
------

Many thanks to the vendors for their responses. Also, thanks to Steven
Christey for assigning CVE numbers.
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC