Vulnerability Development mailing list archives

Re: Cookies


From: Ryan Permeh <ryan () EEYE COM>
Date: Sun, 6 Aug 2000 13:17:24 -0500

actually, this is not that difficult to do:  i'd recommend taking the
following steps:
1. build a cookie gathering/sending tool.  working in the constraints of a
current browser might be difficult.  i'd recommend perl and LWP, or perhaps
just nc and a little script fu.
2. realize that many times, perl scripts handle incoming cookie data.  also
often times, cookies are hashes used to uniquely identify someone; it may be
possible to pretty easily build a session hijack scenario.
3. the flip side of #2 is that perl buffers are pretty resistant to buffer
overflows.  they, however, are not resistant to things like poison null
bytes (see RFP's excellent phrack article on perl cgi vulns) and other data
dependent bugs.  if they are using the hash to perform a select from a
database, perhaps you can embed SQL into your hash and have it execute, or
if it's being used to open a file or something, try to open a different
file, etc.  pretty much anytime a web process uses logic based on the input
of a user defined variable (like a cookie), bad things can happen.

there are other platforms that could be more susceptible to attacks of this
sort (cookie handlers written in c with buffers + unbounded buffer
operations, etc).  Perhaps someone more familiar than i with ASP (or PHP, or
insert your favorite web technology here) could comment on this possibility?

Ryan
eEye Digital Security

----- Original Message -----
From: "George" <georger () NLS NET>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, August 06, 2000 9:20 AM
Subject: Cookies


A few friends of mine were discussing the possibility of a custom crafted
cookie replacing a valid cookie on a client machine being used to exploit
the web server that placed the first cookie on the client.

Has anyone looked at the possibility of editing a cookie to search
for/exploit buffer overflows in the server side code that reads cookies?
If there is any information on this sort of technique I would appreciate a
pointer.

Geo.
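Worked example added here, not code from either post: the server side of Ryan's point 3, where a session hash taken from a cookie is used to select a row from a database. The first lookup interpolates the cookie value straight into the SQL statement, which is the data-dependent bug he describes; the hardened lookup parses the Cookie header itself, enforces a fixed hex format on the session id, verifies an HMAC the server attached when it issued the cookie, and binds the id as a query parameter. The cookie name `session`, the 32-hex-character id format, the secret key and the `sessions` table are all constructed assumptions for this example, not anything from the thread.

```python
import hashlib
import hmac
import re
import sqlite3

# Constructed server-side secret; a real deployment loads this from
# configuration rather than hard-coding it.
SECRET_KEY = b"constructed-demo-key"

# Constructed session-id format: exactly 32 lowercase hex characters.
# Anything else is rejected before it can reach the database.
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")


def build_db():
    """In-memory sessions table with one constructed session row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, user TEXT)")
    db.execute("INSERT INTO sessions VALUES (?, ?)",
               ("0123456789abcdef0123456789abcdef", "alice"))
    db.commit()
    return db


def parse_cookie_header(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}.

    Written out by hand so the raw value reaches the lookup unchanged,
    exactly as a CGI script reading HTTP_COOKIE would see it.
    """
    cookies = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def lookup_user_vulnerable(db, cookie_header):
    """The pattern the thread warns about: cookie text spliced into SQL."""
    sid = parse_cookie_header(cookie_header).get("session")
    if sid is None:
        return None
    # Whatever the client put in the cookie becomes part of the statement.
    query = "SELECT user FROM sessions WHERE sid = '%s'" % sid
    row = db.execute(query).fetchone()
    return row[0] if row else None


def sign(sid):
    """HMAC-SHA256 over the session id, keyed with the server secret."""
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()


def issue_cookie_value(sid):
    """Value the server sets in Set-Cookie: '<sid>.<hmac>'."""
    return "%s.%s" % (sid, sign(sid))


def lookup_user_hardened(db, cookie_header):
    """Format check, signature check, then a parameterized query."""
    value = parse_cookie_header(cookie_header).get("session")
    if value is None or value.count(".") != 1:
        return None
    sid, sig = value.split(".")
    # 1. Strict format: a session id is hex of fixed length, nothing else.
    if not SESSION_ID_RE.fullmatch(sid):
        return None
    # 2. Integrity: a client cannot mint or edit an id without the key.
    #    compare_digest avoids leaking the signature through timing.
    if not hmac.compare_digest(sig, sign(sid)):
        return None
    # 3. The id is bound as data, never as part of the SQL text.
    row = db.execute("SELECT user FROM sessions WHERE sid = ?",
                     (sid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    good = "session=" + issue_cookie_value("0123456789abcdef0123456789abcdef")
    crafted = "session=x' OR '1'='1"   # constructed cookie with SQL in it
    print("hardened, valid cookie:   ", lookup_user_hardened(db, good))
    print("vulnerable, crafted cookie:", lookup_user_vulnerable(db, crafted))
    print("hardened, crafted cookie:  ", lookup_user_hardened(db, crafted))
```

The three checks are independent: the format check alone already stops the crafted value from reaching the query, the parameter binding alone already stops it from being parsed as SQL, and the HMAC is what stops a client from substituting someone else's valid-looking id, which is the session-hijack case in Ryan's point 2. Keeping all three means a slip in any one of them does not reopen the hole.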


