Re: [FD] The Misfortune Cookie Vulnerability
- To: Sandro Gauci <sandro@xxxxxxxxxxxxxxxxxx>, Michal Zalewski <lcamtuf@xxxxxxxxxxx>
- Subject: Re: [FD] The Misfortune Cookie Vulnerability
- From: Shahar Tal <shahartal@xxxxxxxxxxxxxx>
- Date: Fri, 19 Dec 2014 09:12:21 +0000
Hi Sandro,
As I commented before, we are bound by policy that is out of my personal reach
at the moment.
I can tell you, however, that when any independent researcher looks into the
HTTP cookie parsing function in the RomPager 4.07 binary, his bounds will not
be checked.
Cheers,
Shahar
From: Sandro Gauci [mailto:sandro@xxxxxxxxxxxxxxxxxx]
Sent: Friday 19 December 2014 09:57
To: Michal Zalewski
Cc: Shahar Tal; fulldisclosure@xxxxxxxxxxxx
Subject: Re: [FD] The Misfortune Cookie Vulnerability
The most technical it seems to get is the following:
<quote>
The Misfortune Cookie vulnerability is exploitable due to an error within the
HTTP cookie management mechanism present in the affected software, allowing an
attacker to determine the ‘fortune’ of a request by manipulating cookies.
Attackers can send specially crafted HTTP cookies that exploit the
vulnerability to corrupt memory and alter the application state. This, in
effect, can trick the attacked web server to treat the current session with
administrative privileges.
</quote>
From
http://mis.fortunecook.ie/misfortune-cookie-tr069-protection-whitepaper.pdf.
Would be very useful for the rest of us if this information were less of an
advert and more technical.
Shahar, are there plans to release proper technical details?
Sandro Gauci
Penetration tester and security researcher
Email: sandro@xxxxxxxxxxxxxxxxxx
Web: http://enablesecurity.com/
PGP: 8028 D017 2207 1786 6403 CD45 2B02 CBFE 9549 3C0C
On Fri, Dec 19, 2014 at 6:56 AM, Michal Zalewski
<lcamtuf@xxxxxxxxxxx> wrote:
> See http://mis.fortunecook.ie for the rest.
I think you might have accidentally pasted the wrong link. This one
doesn't seem to contain additional information.
Cheers,
/mz
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/