Full Disclosure mailing list archives
Re: The Misfortune Cookie Vulnerability
From: Shahar Tal <shahartal () checkpoint com>
Date: Fri, 19 Dec 2014 09:12:21 +0000
Hi Sandro,

As I commented before, we are bound by policy that is out of my personal reach at the moment.
I can tell you, however, that when any independent researcher looks into the HTTP cookie parsing function in the RomPager 4.07 binary, his bounds will not be checked.

Cheers,
Shahar

From: Sandro Gauci [mailto:sandro () enablesecurity com]
Sent: Friday, 19 December 2014 09:57
To: Michal Zalewski
Cc: Shahar Tal; fulldisclosure () seclists org
Subject: Re: [FD] The Misfortune Cookie Vulnerability

The most technical it seems to get is the following:

<quote>
The Misfortune Cookie vulnerability is exploitable due to an error within the HTTP cookie management mechanism present in the affected software, allowing an attacker to determine the ‘fortune’ of a request by manipulating cookies. Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application state. This, in effect, can trick the attacked web server to treat the current session with administrative privileges.
</quote>

From http://mis.fortunecook.ie/misfortune-cookie-tr069-protection-whitepaper.pdf.

Would be very useful for the rest of us if this information were less of an advert and more technical.

Shahar, are there plans to release proper technical details?

Sandro Gauci
Penetration tester and security researcher
Email: sandro () enablesecurity com
Web: http://enablesecurity.com/
PGP: 8028 D017 2207 1786 6403 CD45 2B02 CBFE 9549 3C0C

On Fri, Dec 19, 2014 at 6:56 AM, Michal Zalewski <lcamtuf () coredump cx> wrote:
See http://mis.fortunecook.ie for the rest.
I think you might have accidentally pasted the wrong link. This one doesn't seem to contain additional information.

Cheers,
/mz

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Email secured by Check Point.
Current thread:
- The Misfortune Cookie Vulnerability Shahar Tal (Dec 18)
- Re: The Misfortune Cookie Vulnerability Michal Zalewski (Dec 18)
- Re: The Misfortune Cookie Vulnerability Sandro Gauci (Dec 22)
- Re: The Misfortune Cookie Vulnerability Shahar Tal (Dec 22)
- Re: The Misfortune Cookie Vulnerability Shahar Tal (Dec 22)
- Re: The Misfortune Cookie Vulnerability Jon Hart (Dec 23)
- Re: The Misfortune Cookie Vulnerability Sandro Gauci (Dec 22)
- Re: The Misfortune Cookie Vulnerability Gynvael Coldwind (Dec 22)
- Re: The Misfortune Cookie Vulnerability Michal Zalewski (Dec 18)