[18129] in bugtraq
Re: cache cookies?
daemon@ATHENA.MIT.EDU (Nick Lamb)
Mon Dec 18 17:22:33 2000
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Message-Id: <20001215205217.C20791@ecs.soton.ac.uk>
Date: Fri, 15 Dec 2000 20:52:17 +0000
Reply-To: Nick Lamb <njl98r@ECS.SOTON.AC.UK>
From: Nick Lamb <njl98r@ECS.SOTON.AC.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3A387188.DD6441FB@e-softinc.com>; from reinke@E-SOFTINC.COM on Thu, Dec 14, 2000 at 02:06:48AM -0500
On Thu, Dec 14, 2000 at 02:06:48AM -0500, Thomas Reinke wrote:
> Actually, it *does* work. We have on our site a
> working demonstration of the exploit, showing whether or not
> you've visited one or more of more than 80 different well known
> sites. The URL is
>
> http://www.securityspace.com/exploit/exploit_2a.html
Not very impressive. Mozilla M18 showed very poor results, spotting
only one of the sites I had visited (out of a dozen or so), and
on subsequent loads after visiting more sites it reported "Cache hit"
for everything. Tests with other sites, with a fresh browser config,
on different systems, revealed that test results stayed low, sometimes
zero effectiveness, usually less than 50%.
To collect each "bit" of info the browser opened ports to servers
quite unrelated to the request, causing Cookie warning pop-ups for
sites I've never heard of. In a medium-paranoid setting this was
setting off more flashing lights than our local Christmas display.
If someone started using this on the public it would be detected
quickly, and while it's difficult to really defeat (which might make
it attractive to some organisations) it would also be very hard to
maintain, because it relies on understanding the site design of each
target to get a "good" cache cookie.
Only one "attacker" can use it on the net safely, because using it on
someone once effectively "immunises" them against further attack
for an indefinite period of time. Defense means hitting "flush cache"
after visiting disreputable or embarrassing sites.
> That is actually trivial to bypass through a simple flag that
> indicates what has and has not been checked.
Where would you store this flag? In a Cookie?
Nick.
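The behaviour Nick describes (poor hit rates when the probe's idea of a site's resources is stale, "Cache hit" for everything on the second run, and cache flushing as the defence) follows from how a cache-based history probe works. The following toy model is an added illustration written for this archive page; it is not code from the post or from the securityspace.com demonstration. The site names, resource URLs and probe list are constructed, and the cache is a plain set rather than a real browser cache.

```python
# Toy model of a "cache cookie" history probe and why it is one-shot.
# Added illustration, not code from the post or from securityspace.com.
# All site names, resource URLs and probe guesses below are constructed.

from dataclasses import dataclass, field

# What each hypothetical site actually loads during a normal visit.
SITE_RESOURCES = {
    "example-news": ["http://example-news/logo.gif", "http://example-news/main.css"],
    "example-shop": ["http://example-shop/cart.js"],
    # This site was redesigned after the probe was written: the URL moved.
    "example-bank": ["http://example-bank/v2/header.png"],
}

# What the probe page assumes is the distinctive resource for each site.
# The bank entry is stale, which is the "relies on understanding the site
# design of each target" problem from the post.
PROBE_GUESSES = {
    "example-news": "http://example-news/logo.gif",
    "example-shop": "http://example-shop/cart.js",
    "example-bank": "http://example-bank/header.png",
}


@dataclass
class BrowserCache:
    """Minimal stand-in for a browser cache: a set of cached URLs."""
    entries: set = field(default_factory=set)

    def visit(self, site):
        """A normal visit caches everything the site serves."""
        self.entries.update(SITE_RESOURCES[site])

    def fetch(self, url):
        """Return True on a cache hit. On a miss the browser fetches the
        resource from the (unrelated) origin and caches it, which is the
        side effect that poisons later probes."""
        if url in self.entries:
            return True
        self.entries.add(url)
        return False

    def flush(self):
        """The user's defence: 'flush cache'."""
        self.entries.clear()


def probe(cache):
    """Report which sites look visited. Probing caches every guessed URL,
    so the report is only meaningful the first time it runs."""
    return {site: cache.fetch(url) for site, url in PROBE_GUESSES.items()}


def demo():
    cache = BrowserCache()
    cache.visit("example-news")
    cache.visit("example-bank")
    first = probe(cache)   # news detected; bank missed (stale guess); shop correctly negative
    second = probe(cache)  # every site now reports a cache hit
    cache.flush()
    third = probe(cache)   # nothing reported after a flush
    return first, second, third


if __name__ == "__main__":
    for label, result in zip(("first", "second", "third"), demo()):
        print(label, result)
```

The first run already under-reports (one of two visited sites, because the probe's guess for the redesigned site is wrong), the second run reports every site as visited regardless of history, and a flush resets the report to nothing. Each probe also fetches from origins unrelated to the page being viewed, which is the pattern that produced the cookie warning pop-ups mentioned in the post.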