<<< Date Index >>>     <<< Thread Index >>>

[SNS Advisory No.79] A Possibility of Cookie Overwrite in Microsoft Internet Explorer




----------------------------------------------------------------------
SNS Advisory No.79
A Possibility of Cookie Overwrite in Microsoft Internet Explorer

Problem first discovered on: Mon, 01 Sept 2003
Published on: Mon, 15 Nov 2004
----------------------------------------------------------------------

Severity Level:
---------------
  Low


Overview:
---------
  Microsoft Internet Explorer contains a vulnerability that could cause a
  Cookie to be overwritten under certain conditions.


Problem Description:
--------------------
  Microsoft Internet Explorer fails to check certain character strings
  when accepting cookies.

  If Internet Explorer accepts a cookie with a crafted Path attribute,
  it becomes possible to overwrite a cookie issued by another site under
  specific conditions.

  [Preconditions for the exploit]
    1. If the target domain name contains the attacker's domain name,
       or if the target IP address contains the attacker's IP address

    2. If the target site is running a Web service on a wildcard domain

  Exploitation therefore, could make it possible for attackers to hijack
  Web sessions and login as legitimate users.


Tested Versions:
----------------
  Microsoft Internet Explorer 6.0 Service Pack 1


Solution:
---------
  If you use Windows XP, apply Service Pack 2.
  Or as an alternative workaround, change the configuration as follows:

   1. When accepting a cookie, please set to prompt a dialog in [Internet 
Options].

      1) Go to [Privacy] -> [Advanced]

      2) In the "Cookies" section, check the "Override automatic cookie
         handling" checkbox.

      3) Under First-party Cookies, select [Prompt]

      4) Click [OK]

   2. Please choose [Block Cookie] to cancel cookies that do not start with "/".


Discovered by:
--------------
  Keigo Yamazaki


Acknowledgements:
-----------------
  Microsoft Co., Ltd


Disclaimer:
-----------
  The information contained in this advisory may be revised without prior
  notice and is provided as it is. Users shall take their own risk when
  taking any actions following reading this advisory. LAC Co., Ltd.
  shall take no responsibility for any problems, loss or damage caused
  by, or by the use of information provided here.

  This advisory can be found at the following URL:
  http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/79_e.html

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@xxxxxxxxx>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/

--
Editor's Note: The 43rd Most Powerful Person in Networking says...

Register today to take the TruSecure ICSA exam by 12/31/04  at
<http://www.2test.com> ,  use promo code "CT1204" and you will pay just
$221.25 US Dollars for domestic exam delivery and  $296.25 US Dollars
for international delivery.

Visit <https://ticsa.trusecure.com>  for complete details regarding the
TICSA credential and to take the free sample exam.