[SNS Advisory No.79] A Possibility of Cookie Overwrite in Microsoft Internet Explorer

From: snsadv (snsadv_at_LAC.CO.JP)
Date: 11/15/04

  • Next message: Adam Piggott: "Re: Desktop.ini file ignored by Windows Encryption..."
    Date:         Mon, 15 Nov 2004 18:01:07 +0900
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    ----------------------------------------------------------------------
    SNS Advisory No.79
    A Possibility of Cookie Overwrite in Microsoft Internet Explorer

    Problem first discovered on: Mon, 01 Sept 2003
    Published on: Mon, 15 Nov 2004
    ----------------------------------------------------------------------

    Severity Level:
    ---------------
      Low

    Overview:
    ---------
      Microsoft Internet Explorer contains a vulnerability that could cause a
      Cookie to be overwritten under certain conditions.

    Problem Description:
    --------------------
      Microsoft Internet Explorer fails to check certain character strings
      when accepting cookies.

      If Internet Explorer accepts a cookie with a crafted Path attribute,
      it becomes possible to overwrite a cookie issued by another site under
      specific conditions.

      [Preconditions for the exploit]
        1. If the target domain name contains the attacker's domain name,
           or if the target IP address contains the attacker's IP address

        2. If the target site is running a Web service on a wildcard domain

      Exploitation therefore, could make it possible for attackers to hijack
      Web sessions and login as legitimate users.

    Tested Versions:
    ----------------
      Microsoft Internet Explorer 6.0 Service Pack 1

    Solution:
    ---------
      If you use Windows XP, apply Service Pack 2.
      Or as an alternative workaround, change the configuration as follows:

       1. When accepting a cookie, please set to prompt a dialog in [Internet Options].

          1) Go to [Privacy] -> [Advanced]

          2) In the "Cookies" section, check the "Override automatic cookie
             handling" checkbox.

          3) Under First-party Cookies, select [Prompt]

          4) Click [OK]

       2. Please choose [Block Cookie] to cancel cookies that do not start with "/".

    Discovered by:
    --------------
      Keigo Yamazaki

    Acknowledgements:
    -----------------
      Microsoft Co., Ltd

    Disclaimer:
    -----------
      The information contained in this advisory may be revised without prior
      notice and is provided as it is. Users shall take their own risk when
      taking any actions following reading this advisory. LAC Co., Ltd.
      shall take no responsibility for any problems, loss or damage caused
      by, or by the use of information provided here.

      This advisory can be found at the following URL:
      http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/79_e.html

    ------------------------------------------------------------------
    Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
    Computer Security Laboratory, LAC http://www.lac.co.jp/security/

    --
    Editor's Note: The 43rd Most Powerful Person in Networking says...
    Register today to take the TruSecure ICSA exam by 12/31/04  at
    <http://www.2test.com> ,  use promo code "CT1204" and you will pay just
    $221.25 US Dollars for domestic exam delivery and  $296.25 US Dollars
    for international delivery.
    Visit <https://ticsa.trusecure.com>  for complete details regarding the
    TICSA credential and to take the free sample exam.
    --
    

  • Next message: Adam Piggott: "Re: Desktop.ini file ignored by Windows Encryption..."

    Relevant Pages