Full Disclosure mailing list archives

The Misfortune Cookie Vulnerability

From: Shahar Tal <shahartal () checkpoint com>
Date: Thu, 18 Dec 2014 14:00:13 +0000

Hey there,

Recently our group has uncovered a serious vuln in RomPager - the most popular web server in the world, found in 
millions of embedded devices (mostly residential gateways / SOHO routers), which unfortunately allows gaining admin 
access to the router from the WAN (port 80 access not required! 7547 works like a charm).

This is not the "rom-0" vulnerability revealed earlier this year. In fact, it's about an order of magnitude worse - 
IPv4 scans show at least 12 million readily exploitable endpoints. Shodan it yourself later.

We call it "Misfortune Cookie" over the affected vulnerable HTTP cookie parsing module, but MITRE insists on 
CVE-2014-9222 (CVSS score, for those of you keeping count, is 9.7).

See http://mis.fortunecook.ie for the rest.

Cheers,

Shahar Tal
Malware & Vulnerability Research AAAAAAAAAAAAAAAA\0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Check Point Software Technologies | * +972-3-753-4536 | M +972-545-888887 | * shahartal () checkpoint 
com<mailto:shahartal () checkpoint com>


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

The Misfortune Cookie Vulnerability Shahar Tal (Dec 18)
- Re: The Misfortune Cookie Vulnerability Michal Zalewski (Dec 18)
  - Re: The Misfortune Cookie Vulnerability Sandro Gauci (Dec 22)
    - Re: The Misfortune Cookie Vulnerability Shahar Tal (Dec 22)
  - Re: The Misfortune Cookie Vulnerability Shahar Tal (Dec 22)
    - Re: The Misfortune Cookie Vulnerability Jon Hart (Dec 23)
- Re: The Misfortune Cookie Vulnerability Gynvael Coldwind (Dec 22)