Vulnerability Development mailing list archives
Re: Cookies
From: Ryan Permeh <ryan () EEYE COM>
Date: Sun, 6 Aug 2000 13:17:24 -0500
actually, this is not that difficult to do: i'd recommend taking the following steps:

1. build a cookie gathering/sending tool. working in the constraints of a current browser might be difficult. i'd recommend perl and LWP, or perhaps just nc and a little script fu.

2. realize that many times, perl scripts handle incoming cookie data. also often times, cookies are hashes used to uniquely identify someone; it may be possible to pretty easily build a session hijack scenario.

3. the flip side of #2 is that perl buffers are pretty resistant to buffer overflows. they, however, are not resistant to things like poison null bytes (see RFP's excellent phrack article on perl cgi vulns) and other data dependent bugs. if they are using the hash to perform a select from a database, perhaps you can embed SQL into your hash and have it execute, or if it's being used to open a file or something, try to open a different file, etc. pretty much anytime a web process uses logic based on the input of a user defined variable (like a cookie), bad things can happen.

there are other platforms that could be more susceptible to attacks of this sort (cookie handlers written in c with buffers + unbounded buffer operations, etc). Perhaps someone more familiar than i with ASP (or PHP, or insert your favorite web technology here) could comment on this possibility?

Ryan
eEye Digital Security

----- Original Message -----
From: "George" <georger () NLS NET>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, August 06, 2000 9:20 AM
Subject: Cookies

> A few friends of mine were discussing the possibility of a custom crafted cookie replacing a valid cookie on a client machine being used to exploit the web server that placed the first cookie on the client. Has anyone looked at the possibility of editing a cookie to search for/exploit buffer overflows in the server side code that reads cookies? If there is any information on this sort of technique I would appreciate a pointer.
>
> Geo.
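The server-side failure modes Ryan lists in point 3 (a cookie value that carries a NUL byte, or that is pasted into a SELECT) come down to a handler trusting the shape of a client-supplied value. The following is an added example, not code from the thread or from eEye: a minimal Cookie: header parser, the weak lookup pattern the thread describes, and a hardened lookup that rejects a forged or edited cookie by HMAC before it reaches any logic, allow-lists the id's shape, and binds the query parameter. The session table, the two session ids, the cookie values and the signing key are all constructed for the demo; the `sid` cookie name and the `sessions` schema are assumptions.

```python
"""Cookie handling: the weak pattern the thread describes beside a hardened one.

Added example, not code from the original thread. The session table, the
cookie values and the signing key are all constructed for this demo.
"""
import hashlib
import hmac
import re
import sqlite3
from urllib.parse import unquote

# Constructed in-memory session table (hypothetical schema for the demo).
_CONN = sqlite3.connect(":memory:")
_CONN.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, username TEXT)")
_CONN.executemany(
    "INSERT INTO sessions VALUES (?, ?)",
    [("3f2a9c1d4e5b6a7f8091a2b3c4d5e6f7", "alice"),
     ("0011223344556677889900aabbccddee", "bob")],
)

# Hypothetical server-side secret; a real deployment loads it from config.
_SIGNING_KEY = b"demo-signing-key-constructed-for-example"

# Session ids as the server issues them: exactly 32 lowercase hex characters.
# \Z (not $) so a trailing newline cannot sneak past the check.
_SID_RE = re.compile(r"\A[0-9a-f]{32}\Z")


def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie: header parser (name=value pairs separated by ';').

    Values are percent-decoded, as common CGI libraries do, so a %00 in the
    header reaches the handler as a real NUL byte and a quote as a quote.
    """
    cookies = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = unquote(value.strip())
    return cookies


def lookup_weak(cookie_header: str):
    """The pattern the thread warns about: cookie value pasted into SQL.

    Whatever the client put in the cookie becomes part of the query text,
    so the lookup no longer depends on holding a genuine session id.
    """
    sid = parse_cookie_header(cookie_header).get("sid", "")
    row = _CONN.execute(
        "SELECT username FROM sessions WHERE sid = '%s'" % sid
    ).fetchone()
    return row[0] if row else None


def issue_session_cookie(sid: str) -> str:
    """Build the cookie the server hands out: sid plus an HMAC over it."""
    mac = hmac.new(_SIGNING_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return "sid=%s.%s" % (sid, mac)


def is_well_formed_sid(sid: str) -> bool:
    """Allow-list the id's shape; NUL bytes, quotes, slashes all fail."""
    return _SID_RE.match(sid) is not None


def lookup_hardened(cookie_header: str):
    """Hardened lookup: signature check, strict allow-list, bound parameter."""
    token = parse_cookie_header(cookie_header).get("sid", "")
    sid, _, mac = token.partition(".")
    # 1. Reject anything the server did not issue: an edited id no longer
    #    matches its MAC, so it is dropped before any further logic runs.
    expected = hmac.new(_SIGNING_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    # 2. Independently check the id's shape (defence in depth if the key leaks).
    if not is_well_formed_sid(sid):
        return None
    # 3. Even with a validated id, never build SQL by string interpolation.
    row = _CONN.execute(
        "SELECT username FROM sessions WHERE sid = ?", (sid,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    genuine = issue_session_cookie("3f2a9c1d4e5b6a7f8091a2b3c4d5e6f7")
    print("weak, genuine id:    ", lookup_weak("sid=3f2a9c1d4e5b6a7f8091a2b3c4d5e6f7"))
    print("weak, SQL in cookie: ", lookup_weak("sid=' OR '1'='1"))
    print("hardened, signed:    ", lookup_hardened(genuine))
    print("hardened, SQL:       ", lookup_hardened("sid=' OR '1'='1"))
    print("hardened, NUL byte:  ", lookup_hardened("sid=3f2a9c1d4e5b6a7f8091a2b3c4d5e6f7%00"))
```

Run stand-alone, the weak handler returns a username for the cookie carrying SQL while the hardened one returns None for it, for the NUL-byte variant, and for a cookie whose id was swapped under a valid signature. The signature check is what answers George's original question: editing the cookie on the client is harmless to the server when the server can tell an issued value from an edited one, and the allow-list plus bound parameter cover the case where the handler's input comes from somewhere the signature does not protect.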