Microsoft IIS 4.0/5.0 Session ID Cookie Disclosure Vulnerability
BID:1832
Info
Microsoft IIS 4.0/5.0 Session ID Cookie Disclosure Vulnerability
| Bugtraq ID: | 1832 |
| Class: | Design Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Oct 23 2000 12:00AM |
| Updated: | Oct 23 2000 12:00AM |
| Credit: | Discovered by ACROS Security <[email protected]> and C. Conrad Cady and publicized in a Microsoft Security Bulletin (MS00-080) on October 23, 2000. |
| Vulnerable: |
Microsoft IIS 5.0 Microsoft IIS 4.0 |
| Not Vulnerable: | |
Discussion
Microsoft IIS 4.0/5.0 Session ID Cookie Disclosure Vulnerability
Under certain circumstances, Microsoft IIS will transmit the plaintext contents of Session ID Cookies that should be marked as secure.
A website may require state information so that it can distinguish one user over another, especially if it undergoes a great deal of traffic load. This is especially prevalent in the case of e-commerce sites in order to keep track of an individuals shopping order, etc. as they browse from page to page. Session ID Cookies may be used as a method to acquire state information. It maintains the identity of a user as they browse a site.
When a user initiates a SSL secured web session, Session ID Cookies should be marked as secure from there on (see RFC 2109 for reference: http://www.ietf.org/rfc/rfc2109.txt). This is not the case if the user visits an ASP page hosted on IIS. In the event that a user views an ASP document during a secure web session, the Session ID Cookie would then be marked as insecure. Once the user were to visit a non-secure portion of the website, a malicious third party who had access to the network traffic between the user and the website would be able to read the contents of the cookie since it would be sent in plaintext. The attacker would then be able to use the credentials from the Session ID Cookie to successfully hijack the session and take any further actions under the identity of the original user.
Under certain circumstances, Microsoft IIS will transmit the plaintext contents of Session ID Cookies that should be marked as secure.
A website may require state information so that it can distinguish one user over another, especially if it undergoes a great deal of traffic load. This is especially prevalent in the case of e-commerce sites in order to keep track of an individuals shopping order, etc. as they browse from page to page. Session ID Cookies may be used as a method to acquire state information. It maintains the identity of a user as they browse a site.
When a user initiates a SSL secured web session, Session ID Cookies should be marked as secure from there on (see RFC 2109 for reference: http://www.ietf.org/rfc/rfc2109.txt). This is not the case if the user visits an ASP page hosted on IIS. In the event that a user views an ASP document during a secure web session, the Session ID Cookie would then be marked as insecure. Once the user were to visit a non-secure portion of the website, a malicious third party who had access to the network traffic between the user and the website would be able to read the contents of the cookie since it would be sent in plaintext. The attacker would then be able to use the credentials from the Session ID Cookie to successfully hijack the session and take any further actions under the identity of the original user.
Exploit / POC
Microsoft IIS 4.0/5.0 Session ID Cookie Disclosure Vulnerability
Mitja Kolsek <[email protected]> goes through scenarios in his advisory (see 'Credit' tab) describing how a user could be misled to open a connection to a malicious website and provide a Session ID Cookie.
Mitja Kolsek <[email protected]> goes through scenarios in his advisory (see 'Credit' tab) describing how a user could be misled to open a connection to a malicious website and provide a Session ID Cookie.
References
Microsoft IIS 4.0/5.0 Session ID Cookie Disclosure Vulnerability
References:
References: