Replay attack

Postby Afwas » Tue Feb 01, 2011 3:36 am

Based on the attack issues on EdB's blog, ¥åßßå asked me to look into nonces.
This is partly correctly described in http://en.wikipedia.org/wiki/Cryptographic_nonce and a little better in http://en.wikipedia.org/wiki/Replay_attack . For those of you (and me included) ...

The idea is an attack like this. ¥åßßå sends me a file to put on my server. In this file is an iframe with a prefilled post form that will create a super admin on my blog, and ¥åßßå has unlimited access through that user. What's happening is that ¥åßßå is hijacking my session.
Upon investigation I found the following.
- It is possible to hijack a session. I pasted the html from the 'create a user' form into test.php and it opened when I placed that file into my blog folder. And it did hijack my session because my cookie was used (according to the output I was logged in as foppe). Also the bad part: trying to create a user (hitting the submit button) got me to admin.php.

The good part: test.php (that's the potentially corrupted file) must be inside the blog folder. So unless the attacker has FTP access (or the user is really stupid) there's no vulnerability here. And if you can FTP inside the blog folder, why not pick up the database credentials etc.

The session cookie is smart. From the comment at the top of /qp_inc/session/model/_session.class.php:

    * Sessions are tracked with a cookie containing the session ID.
    * The cookie also contains a random key to prevent sessions hacking.

The session cookie has a 10 year lifetime. That's relevant if ¥åßßå would steal my laptop or I would login but not logout in an internet café.

The file /qp_inc/users/users.ctrl.php uses $current_User->check_perm() for validation. This is just before the user is created ($edited_user->dbinsert()). This has proven a solid mechanism.

Drawing conclusions:
Not mentioned before is that a nonce is not enough for utmost security. It also requires a Message Authentication Code (MAC) http://en.wikipedia.org/wiki/Message_au ... ation_code and that would be rather hard to implement in OSS because the algorithm would be open. I may be mistaken here.
I was thinking along the lines of sending the session ID along with the form, but I don't think it really has any added value. The session is already in play in the total set of measures, so this would be somewhat more secure (because it's harder to mimic the form) but never proven safer. I mean it's like opening a new door with the key from a previous lock.

Since I'm not able to replicate the issue without access to the server I think there's no real need to act. If need arises re-read this post and implement nonce properly.

Re: Replay attack

Postby Yabs » Tue Feb 01, 2011 7:59 am

Hi Afwas,
I'm afraid it's a lot worse than that, here's how it goes.

Malicious person trawls these forums and finds the urls to all the players blogs.
They then create a page on any server in the world and on that page they put loads of frames with the form that you used in your test.php with each form pointing at one of the players admin url.
They then meander back to these forums, register and post a "help my QP install is borked" post.
If they're really mean they wait to be asked for a link ;)
The players then go visit their page and all of the forms ( in the frames ) are auto submitted
One of those forms will work, the rest will fail, for each of the players that visits
Malicious person now has admin access to the blogs of the players that visited.

By using a nonce you kill this ability. Basically you have a one time use code that is based on user + expected action + key + time limit. Any request that doesn't contain a valid nonce is rejected, which closes the hole.

¥
I may have opened the door but you entered of your own free will

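
The nonce Yabs describes (one-time code tied to user + expected action + key + time limit), as an added PHP example that is not QP's or b2evolution's own code. The nonce is an HMAC over the logged-in user id, the action name and an expiry, keyed with a server-side secret; a spent list makes it single-use. The hidden field name crumb_user, the action name, the secret, the TTL and the sample requests are all assumptions made for the demo.

```php
<?php
// Added example, not code from QP / b2evolution: a time-limited action nonce
// built as HMAC(user id | action | expiry) under a server-side secret, with a
// spent list so a captured form cannot be submitted twice.
declare(strict_types=1);

const NONCE_TTL = 3600; // seconds a rendered form stays valid (assumed value)

function make_nonce(int $user_id, string $action, string $secret, ?int $now = null): string
{
    $expires = ($now ?? time()) + NONCE_TTL;
    $mac = hash_hmac('sha256', "$user_id|$action|$expires", $secret);
    // The expiry travels with the MAC so the server can recheck it statelessly.
    return $expires . ':' . $mac;
}

function check_nonce(int $user_id, string $action, string $nonce, string $secret, ?int $now = null): bool
{
    $parts = explode(':', $nonce, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                       // missing or malformed field
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < ($now ?? time())) {
        return false;                       // time limit passed
    }
    $expected = hash_hmac('sha256', "$user_id|$action|$expires", $secret);
    return hash_equals($expected, $mac);    // constant-time comparison
}

// The handler checks the nonce before anything privileged happens; in QP this
// would sit in users.ctrl.php ahead of check_perm() and dbinsert().
function handle_create_user(array $post, int $current_user_id, string $secret, array &$spent): string
{
    $nonce = (string) ($post['crumb_user'] ?? '');   // hidden field name is assumed
    if (!check_nonce($current_user_id, 'create_user', $nonce, $secret)) {
        return 'rejected: missing, stale or forged nonce';
    }
    if (isset($spent[$nonce])) {
        return 'rejected: nonce already used';
    }
    $spent[$nonce] = true;   // burn it: one-time use
    return 'ok: would create user ' . ($post['login'] ?? '?');
}

// --- constructed demo -------------------------------------------------------
$secret = 'example-secret-load-this-from-config-not-source'; // assumed value
$spent  = [];
$uid    = 1;   // the logged-in admin whose session the framed form rides on

// Form rendered by the server for this user: carries the hidden nonce.
$legit = ['login' => 'newuser', 'crumb_user' => make_nonce($uid, 'create_user', $secret)];
echo handle_create_user($legit, $uid, $secret, $spent), "\n";  // ok
echo handle_create_user($legit, $uid, $secret, $spent), "\n";  // rejected: already used

// Attacker's framed form on another site: same fields and the victim's
// cookie, but no way to compute the MAC, so the field is absent or a guess.
$forged = ['login' => 'evil', 'crumb_user' => '9999999999:' . str_repeat('0', 64)];
echo handle_create_user($forged, $uid, $secret, $spent), "\n";  // rejected: forged

// A nonce lifted from an old page is rejected once its window has passed.
$old = make_nonce($uid, 'create_user', $secret, time() - 2 * NONCE_TTL);
echo check_nonce($uid, 'create_user', $old, $secret) ? "stale accepted\n" : "stale rejected\n";
```

The spent list is an in-memory array here only for the demo; in a real install it belongs in the session row or the database so a replay across requests is caught. Because the MAC binds the user id, a nonce minted for one account does not validate for another, and because the secret never leaves the server, the attacker's page can copy every visible field of the form and still not produce a value that passes hash_equals.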

Re: Replay attack

Postby Tblue » Tue Feb 01, 2011 2:27 pm

Yabs got it right.

Regarding the session cookies: While the cookies themselves have a ridiculously long lifetime, the session entry in the database expires after a configurable amount of inactivity (7 days by default), making logins impossible.

Re: Replay attack

Postby Kimberly » Tue Feb 01, 2011 8:21 pm

I can also see a scenario where users in a community blog can be targeted to upload a file to the server: "Here is a really nifty xxxx, you need to upload this to your blog. You will be surprised." Well, no, you will not; anyway, people are still opening "cute" PowerPoint presentations even after MicroCrap issued their recent security warning.

Re: Replay attack

Postby Yabs » Tue Feb 01, 2011 8:23 pm

Agreed, but we can close holes opened by the code ( inherited from evo ) .. tad harder to cure user ignorance.

¥

Re: Replay attack

Postby EdB » Tue Feb 01, 2011 9:30 pm

I'm a sledgehammer kinda guy. I also see value in closing the barn door after the horses got out. So I'm sledgehammering a barn door :)

directory_checker_plugin will eventually show you anything and everything that isn't what it was on the server. Excluding host-induced directories like _vti_whatever and cgi_bin, it will do every file in every folder. Stores the name including path, byte size, and utc timestamp. Change any of those and you get flagged. Add or remove files or folders and you get flagged. Yeah: you'll get flagged each time you upload a new image you clipped off someone else's web because you totally love those stupid cat pictures with captions, but you'll also eventually get flagged when something gets there outside of your knowledge. You'll also get flagged every time one of your bloggers uploads stuff. Life's a bitch eh?

Trying to decide if I should include a snapshot of QPv0.0.0 (~808Kbytes) or use "right now" as the snapshot even though "right now" could already be compromised. BRIEFLY flirted with the idea of leaving out the datestamp from each folder and file to reduce the 808K, but it won't pull much out. Also haven't actually successfully inserted the info upon plugin installation due to I hate trying to copy/paste stuff that line-wraps in an editor set to not line-wrap only to find that it actually line-broke.

Oh and still haven't actually successfully compared a snapshot in the past to a snapshot right now, but hey that ought to be the easy part. Right?

And now I know I'll rename this thing "barndoor_plugin" :)
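
The snapshot-and-compare idea behind EdB's directory_checker_plugin, as an added PHP example that is not the plugin's code. It records what EdB lists (path, byte size, timestamp) and adds a SHA-256 of each file, because size and mtime alone can be matched by whoever planted the file (touch -r restores the timestamp). The excluded directory names and the temporary demo tree are assumptions made for the demo.

```php
<?php
// Added example, not EdB's directory_checker_plugin: snapshot a tree as
// path => [type, size, mtime, sha256] and diff a stored baseline against the
// tree as it is now. Exclusion names and the demo paths are assumptions.
declare(strict_types=1);

function snapshot_tree(string $root, array $exclude_dirs = ['cgi-bin']): array
{
    $root = rtrim($root, '/');
    $filter = function (SplFileInfo $f) use ($exclude_dirs): bool {
        // Skip host-induced directories such as _vti_* and cgi-bin.
        $name = $f->getFilename();
        return !($f->isDir() && (in_array($name, $exclude_dirs, true) || strpos($name, '_vti_') === 0));
    };
    $it = new RecursiveIteratorIterator(
        new RecursiveCallbackFilterIterator(
            new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS), $filter),
        RecursiveIteratorIterator::SELF_FIRST
    );
    $snap = [];
    foreach ($it as $path => $f) {
        $rel = substr($path, strlen($root) + 1);
        $snap[$rel] = [
            'type'   => $f->isDir() ? 'd' : 'f',
            'size'   => $f->isDir() ? 0 : $f->getSize(),
            'mtime'  => $f->getMTime(),                        // epoch seconds, i.e. UTC
            // Size and mtime can be faked by an attacker; a content hash cannot.
            'sha256' => $f->isDir() ? '' : hash_file('sha256', $path),
        ];
    }
    ksort($snap);
    return $snap;
}

function diff_snapshots(array $baseline, array $now): array
{
    $changed = [];
    foreach (array_intersect_key($now, $baseline) as $rel => $entry) {
        if ($entry != $baseline[$rel]) {
            $changed[$rel] = ['was' => $baseline[$rel], 'now' => $entry];
        }
    }
    return [
        'added'   => array_keys(array_diff_key($now, $baseline)),
        'removed' => array_keys(array_diff_key($baseline, $now)),
        'changed' => $changed,
    ];
}

// --- constructed demo -------------------------------------------------------
$dir = sys_get_temp_dir() . '/barndoor_demo_' . getmypid();
mkdir($dir . '/skins', 0700, true);
file_put_contents($dir . '/index.php', "<?php echo 'hello';\n");
file_put_contents($dir . '/skins/main.css', "body {}\n");

// Take the baseline at install time and keep it outside the tree it describes,
// otherwise the baseline file flags itself on the next run.
$baseline_file = $dir . '.baseline.json';
file_put_contents($baseline_file, json_encode(snapshot_tree($dir)));

// Later: someone drops test.php in and swaps index.php for a same-size file
// with the original timestamp restored.
$orig_mtime = filemtime($dir . '/index.php');
file_put_contents($dir . '/test.php', "<?php /* planted */\n");
file_put_contents($dir . '/index.php', "<?php echo 'HELLO';\n");
touch($dir . '/index.php', $orig_mtime);
clearstatcache();

$report = diff_snapshots(json_decode(file_get_contents($baseline_file), true), snapshot_tree($dir));
print_r($report);   // added: test.php; changed: index.php (only the hash differs)

// cleanup
foreach (['test.php', 'index.php', 'skins/main.css'] as $f) { unlink($dir . '/' . $f); }
rmdir($dir . '/skins'); rmdir($dir); unlink($baseline_file);
```

Run the comparison from cron rather than from a page request, so a compromised web root cannot simply suppress the report, and store the baseline (and ideally the checker itself) somewhere the web server's user cannot write. As EdB notes, legitimate uploads will show up as "added" too; the value is in reviewing the list, not in it being empty.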

Re: Replay attack

Postby EdB » Tue Feb 01, 2011 9:33 pm

Kimberly wrote: I can also see a scenario where users in a community blog can be targeted to upload a file to the server: "Here is a really nifty xxxx, you need to upload this to your blog. You will be surprised." Well, no, you will not; anyway, people are still opening "cute" PowerPoint presentations even after MicroCrap issued their recent security warning.

I'm pretty sure the admin can block certain types of file extensions from uploading. Like, ban .ppt for example. That doesn't stop a malicious prick from renaming something_evil.exe to something_nice.jpg, but it helps stop the auto-forward-how-did-i-get-another-virus crowd from doing stupid things.

