Gathering session cookies with Firesheep

By Jake Edge
November 3, 2010

The recent release of Firesheep—a Firefox extension that captures others' cookies on open WiFi networks—has set off something of a firestorm. The particular hole that Firesheep exploits is nothing new (we looked at an EFF-sponsored workaround for the problem back in July), but the particulars of the Firesheep implementation are fairly eye-opening. It would seem that Firesheep developer Eric Butler was wildly successful in doing what he set out to do: increase the visibility of insecure session cookie handling by major web sites.

It is fairly standard for web sites to protect their login screens by using HTTPS (i.e. SSL/TLS encrypted connections) so that usernames and passwords cannot be intercepted. But once the login has been completed, a session is created, and sites typically hand out a cookie—a (hopefully) opaque value that the server can use to associate a request with a particular session (i.e. user). Each time the user's browser sends a request to the site, it also sends any cookies that have been set by that site. Those cookies are valid for a server-selectable period of time, and while they are valid, they can be used by anyone to appear to the server as the user who logged in. The problem is that the cookies are often transmitted via unencrypted HTTP.

So Firesheep, which was released at ToorCon 12 on October 24, can intercept these cookie values for various high-profile web sites (e.g. Facebook, Twitter, Amazon, Google, GitHub, and so on). It does the cookie interception by sniffing the network traffic on open WiFi networks; once it has the cookies, it offers the user the ability to connect to those services using the captured values. So someone sitting in a coffee shop can run Firesheep and potentially access Facebook as some other unsuspecting customer.

The ability to do a one-click takeover of someone's account is clearly Firesheep's most controversial feature. But it certainly serves the purpose of alerting the public to this particular problem. Packaging the program as a Firefox extension is also a clever touch. There is no reason that Firesheep couldn't be a standalone program, but making it available in the browser eases the installation process so that it can get in the hands of more (ab)users.

Butler's intent is to shame (or scare) web site operators into switching to HTTPS. It is the same end goal that the EFF had with its HTTPS Everywhere Firefox extension, but Firesheep definitely grabbed a lot more attention than the EFF's tool did. HTTPS Everywhere uses rules to rewrite http:// URLs to https:// URLs, which is useful—but not particularly striking, at least to casual users and the press.

People have expressed ethical concerns about the release of Firesheep, but like many security-oriented tools, it can be used for good or ill. There are also reports that Microsoft's anti-virus software is marking Firesheep as a threat. This firestorm has caused Butler to strongly defend Firesheep and its release:

In addition to questioning Firesheep's legality, some people have questioned the ethics of its release. Similar tools have existed for years, so big companies, especially Facebook and Twitter, cannot claim they are unaware of these issues. They have knowingly placed user privacy on the back burner, and I'd be interested to hear some discussion about the ethics of these decisions, which have left users at risk since long before Firesheep.

Web sites can fix the problem by converting over to HTTPS and marking their session cookies as HTTPS-only, but it's not quite as simple as just flipping a switch. HTTPS will definitely require more server resources to encrypt and decrypt all of its traffic, but there are other potential problem areas as well. Various internal links in existing content may need to be converted or handled by the web server rewrite engine, and there is a class of content that web site operators may not have any control over: advertisements.
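Marking a session cookie HTTPS-only means setting its Secure attribute, so the browser never sends it over plain HTTP. As an added example (not code from the article, from LWN, or from Firesheep), the following Python audit parses Set-Cookie headers and reports session cookies that lack Secure or HttpOnly; the header values are constructed samples and the session-name heuristic is an assumption.

```python
"""Audit Set-Cookie headers for the weakness the article describes. Added
example, not code from the LWN article or from Firesheep: it flags session
cookies lacking Secure (resent over plain HTTP, sniffable on open WiFi) or
HttpOnly. Sample headers are constructed; the name heuristic is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List

# Substrings that commonly mark a login-session cookie (assumed heuristic).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # lower-cased keys

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs

def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie value into name, value and attributes.
    Flag attributes (Secure, HttpOnly) map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)

def looks_like_session(cookie: Cookie) -> bool:
    lname = cookie.name.lower()
    return any(hint in lname for hint in SESSION_NAME_HINTS)

def audit(headers: List[str], over_https: bool) -> List[str]:
    """One finding per weakness in each session cookie. over_https says
    whether the response itself arrived on TLS; a cookie first handed
    out over http:// is exposed before any attribute matters."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not looks_like_session(cookie):
            continue  # e.g. a language preference; not a session credential
        if not over_https:
            findings.append(f"{cookie.name}: set over plain HTTP, already exposed")
        if not cookie.secure:
            findings.append(f"{cookie.name}: missing Secure, resent over http://")
        if not cookie.httponly:
            findings.append(f"{cookie.name}: missing HttpOnly, readable by scripts")
    return findings

# Constructed samples: a site before the fix and the same site after it.
WEAK = ["sessionid=8f3a1c; Path=/; Expires=Wed, 03 Nov 2010 23:59:59 GMT",
        "lang=en; Path=/"]
FIXED = ["sessionid=8f3a1c; Path=/; Secure; HttpOnly"]
if __name__ == "__main__":
    for finding in audit(WEAK, over_https=False):
        print("WEAK :", finding)
    print("FIXED:", audit(FIXED, over_https=True) or "no findings")
```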

Ad networks run by Google and others often do not offer HTTPS for serving ads. That results in a warning from many web browsers because there is insecure (i.e. HTTP) content in an HTTPS page. The last thing many web site operators want is for their new users to be greeted with a scary warning about the site.

We have been running some experiments here at LWN and plan to have HTTPS-only cookies soon, though we haven't quite figured out how to handle the Google ad problem. It is really something we (and lots of other sites) should have done a long time ago. Thanks to Firesheep, there are now even more compelling reasons to make that switch happen.

New vulnerabilities

clamav: code execution

Package(s): clamav    CVE #(s): CVE-2010-3434
Created: October 29, 2010    Updated: November 3, 2010
Description: From the CVE entry:

Buffer overflow in the find_stream_bounds function in pdf.c in libclamav in ClamAV before 0.96.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document. NOTE: some of these details are obtained from third party information.

Gentoo 201110-20 clamav 2011-10-23
SUSE SUSE-SR:2010:020 NetworkManager, bind, clamav, dovecot12, festival, gpg2, libfreebl3, php5-pear-mail, postgresql 2010-11-03
openSUSE openSUSE-SU-2010:0921-1 clamav 2010-10-29

cups: code execution

Package(s): cups    CVE #(s): CVE-2010-2941
Created: October 29, 2010    Updated: March 2, 2011
Description: From the Red Hat advisory:

A use-after-free flaw was found in the way the CUPS server parsed Internet Printing Protocol (IPP) packets. A malicious user able to send IPP requests to the CUPS server could use this flaw to crash the CUPS server or, potentially, execute arbitrary code with the privileges of the CUPS server.

Gentoo 201207-10 cups 2012-07-09
Debian DSA-2176-1 cups 2011-03-02
SUSE SUSE-SR:2010:023 libxml2, tomboy, krb5, php5, cups, java-1_6_0-openjdk, epiphany, encfs 2010-12-08
openSUSE openSUSE-SU-2010:1018-1 cups 2010-12-06
Slackware SSA:2010-333-01 cups 2010-11-30
Fedora FEDORA-2010-17627 cups 2010-11-11
Fedora FEDORA-2010-17615 cups 2010-11-11
Fedora FEDORA-2010-17641 cups 2010-11-11
Mandriva MDVSA-2010:234 cups 2010-11-15
Mandriva MDVSA-2010:233 cups 2010-11-15
Mandriva MDVSA-2010:232 cups 2010-11-15
Red Hat RHSA-2010:0866-02 cups 2010-11-10
Ubuntu USN-1012-1 cups, cupsys 2010-11-04
CentOS CESA-2010:0811 cups 2010-11-01
Red Hat RHSA-2010:0811-01 cups 2010-10-28

cvs: code execution

Package(s): cvs    CVE #(s): CVE-2010-3846
Created: October 29, 2010    Updated: November 30, 2010
Description: From the Red Hat bugzilla:

An array index error, leading to a heap-based buffer overflow, was found in the way the CVS version control system applied certain delta fragment changes from an input file in the RCS (Revision Control System) file format. A local attacker could store a specially crafted RCS file in the CVS repository and trick a remote victim into checking out (updating their CVS repository tree) with this file, which could lead to arbitrary code execution with the privileges of the user running the cvs client executable.

Red Hat RHSA-2010:0918-01 cvs 2010-11-29
Fedora FEDORA-2010-16721 cvs 2010-10-28
Fedora FEDORA-2010-16599 cvs 2010-10-22
Fedora FEDORA-2010-16600 cvs 2010-10-22

dovecot: restriction bypass

Package(s): dovecot    CVE #(s): CVE-2010-3706 CVE-2010-3707
Created: October 29, 2010    Updated: May 19, 2011
Description: From the CVE entries:

plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving the private namespace of a user, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox. (CVE-2010-3706)

plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving more specific entries that occur after less specific entries, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox. (CVE-2010-3707)

Gentoo 201110-04 dovecot 2011-10-10
Red Hat RHSA-2011:0600-01 dovecot 2011-05-19
Ubuntu USN-1059-1 dovecot 2011-02-07
SUSE SUSE-SR:2010:020 NetworkManager, bind, clamav, dovecot12, festival, gpg2, libfreebl3, php5-pear-mail, postgresql 2010-11-03
Mandriva MDVSA-2010:217 dovecot 2010-10-30
openSUSE openSUSE-SU-2010:0923-1 dovecot 2010-10-29

dovecot: multiple vulnerabilities

Package(s): dovecot    CVE #(s): CVE-2010-3779 CVE-2010-3780
Created: November 1, 2010    Updated: May 19, 2011
Description: From the Mandriva advisory:

Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the admin permission to the owner of each mailbox in a non-public namespace, which might allow remote authenticated users to bypass intended access restrictions by changing the ACL of a mailbox, as demonstrated by a symlinked shared mailbox (CVE-2010-3779).

Dovecot 1.2.x before 1.2.15 allows remote authenticated users to cause a denial of service (master process outage) by simultaneously disconnecting many (1) IMAP or (2) POP3 sessions (CVE-2010-3780).

Gentoo 201110-04 dovecot 2011-10-10
Ubuntu USN-1059-1 dovecot 2011-02-07
Red Hat RHSA-2011:0600-01 dovecot 2011-05-19
Mandriva MDVSA-2010:217 dovecot 2010-10-30

gnucash: arbitrary code execution

Package(s): gnucash    CVE #(s): CVE-2010-3999
Created: November 1, 2010    Updated: November 25, 2010
Description: From the Red Hat bugzilla:

Ludwig Nussel discovered that gnucash contained a script that could be abused by an attacker to execute arbitrary code.

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an environment variable used to look for libraries in directories other than the standard paths. When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, it is treated as '.' (the current working directory). If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

Gentoo 201412-09 racer-bin, fmod, PEAR-Mail, lvm2, gnucash, xine-lib, lastfmplayer, webkit-gtk, shadow, PEAR-PEAR, unixODBC, resource-agents, mrouted, rsync, xmlsec, xrdb, vino, oprofile, syslog-ng, sflowtool, gdm, libsoup, ca-certificates, gitolite, qt-creator 2014-12-11
Mandriva MDVSA-2010:241 gnucash 2010-11-24
Fedora FEDORA-2010-16762 gnucash 2010-10-28
Fedora FEDORA-2010-16622 gnucash 2010-10-22
Fedora FEDORA-2010-16605 gnucash 2010-10-22

libguestfs: possible host corruption

Package(s): libguestfs    CVE #(s): CVE-2010-3851
Created: November 3, 2010    Updated: July 7, 2011
Description: From the Red Hat bugzilla:

libguestfs doesn't currently allow the format of a disk to be specified explicitly, and therefore always uses automatic format detection. It takes disk images as arguments, and can therefore only be run by the virtualisation administrator. However, if a malicious guest administrator knows that libguestfs will run against their image, they could still use this technique to corrupt the host.

Scientific Linux SL-libg-20110519 libguestfs 2011-05-19
Red Hat RHSA-2011:0586-01 libguestfs 2011-05-19
Fedora FEDORA-2010-17202 libguestfs 2010-11-03
Fedora FEDORA-2010-16835 libguestfs 2010-10-28

luci: authentication bypass

Package(s): luci    CVE #(s): CVE-2010-3852
Created: November 3, 2010    Updated: November 5, 2010
Description: From the Red Hat bugzilla:

A security flaw was found in the way the Luci administration application processed ticket cookies. A remote attacker with certain knowledge of a running Luci instance's environment details could use this flaw to bypass the standard Luci authentication mechanism (access resources which should otherwise be protected by authentication).

Fedora FEDORA-2010-16848 luci 2010-10-28
Fedora FEDORA-2010-16601 luci 2010-10-22
Fedora FEDORA-2010-16617 luci 2010-10-22

Mozilla products: remote code execution

Package(s): firefox seamonkey thunderbird xulrunner    CVE #(s): CVE-2010-3765
Created: October 28, 2010    Updated: November 17, 2010
Description: A race condition in Mozilla's document object model handling can be exploited (and is being exploited) to execute arbitrary code. The Firefox 3.6.12/3.5.15, Thunderbird 3.1.6/3.0.10, and Seamonkey 2.0.10 releases fix the problem.

openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
Gentoo 201301-01 firefox 2013-01-07
Red Hat RHSA-2010:0896-01 thunderbird 2010-11-17
Slackware SSA:2010-317-01 thunderbird 2010-11-15
Red Hat RHSA-2010:0861-02 firefox 2010-11-10
SUSE SUSE-SA:2010:056 MozillaFirefox,seamonkey,MozillaThunderbird 2010-11-08
Fedora FEDORA-2010-17105 seamonkey 2010-11-02
openSUSE openSUSE-SU-2010:0925-1 seamonkey 2010-11-02
openSUSE openSUSE-SU-2010:0924-1 mozilla-xulrunner191 2010-11-02
CentOS CESA-2010:0812 thunderbird 2010-11-01
Fedora FEDORA-2010-16941 thunderbird 2010-10-29
Fedora FEDORA-2010-16939 thunderbird 2010-10-29
Fedora FEDORA-2010-16926 thunderbird 2010-10-29
Fedora FEDORA-2010-16941 sunbird 2010-10-29
Fedora FEDORA-2010-16939 sunbird 2010-10-29
Fedora FEDORA-2010-16926 sunbird 2010-10-29
Debian DSA-2124-1 xulrunner 2010-11-01
Slackware SSA:2010-305-01 seamonkey 2010-11-01
Mandriva MDVSA-2010:219 mozilla-thunderbird 2010-11-01
Fedora FEDORA-2010-16885 mozvoikko 2010-10-28
Fedora FEDORA-2010-16885 gnome-web-photo 2010-10-28
Fedora FEDORA-2010-16885 perl-Gtk2-MozEmbed 2010-10-28
Fedora FEDORA-2010-16885 xulrunner 2010-10-28
Fedora FEDORA-2010-16885 gnome-python2-extras 2010-10-28
Fedora FEDORA-2010-16885 galeon 2010-10-28
Fedora FEDORA-2010-16885 firefox 2010-10-28
CentOS CESA-2010:0809 xulrunner 2010-10-29
CentOS CESA-2010:0808 firefox 2010-10-29
CentOS CESA-2010:0810 seamonkey 2010-10-29
Fedora FEDORA-2010-16883 gnome-python2-extras 2010-10-28
Fedora FEDORA-2010-16883 perl-Gtk2-MozEmbed 2010-10-28
Fedora FEDORA-2010-16883 galeon 2010-10-28
Fedora FEDORA-2010-16883 mozvoikko 2010-10-28
Fedora FEDORA-2010-16883 gnome-web-photo 2010-10-28
Fedora FEDORA-2010-16883 xulrunner 2010-10-28
Fedora FEDORA-2010-16883 firefox 2010-10-28
Red Hat RHSA-2010:0812-01 thunderbird 2010-10-28
Slackware SSA:2010-301-02 firefox 2010-10-29
Ubuntu USN-1011-3 xulrunner-1.9.1, xulrunner-1.9.2 2010-10-29
Ubuntu USN-1011-2 thunderbird 2010-10-28
Mandriva MDVSA-2010:213 xulrunner 2010-10-28
Ubuntu USN-1011-1 firefox 2010-10-28
Red Hat RHSA-2010:0810-01 seamonkey 2010-10-27
Red Hat RHSA-2010:0809-01 xulrunner 2010-10-27
Red Hat RHSA-2010:0808-01 firefox 2010-10-27

pam: privilege escalation

Package(s): pam    CVE #(s): CVE-2010-3316 CVE-2010-3435 CVE-2010-3853
Created: November 2, 2010    Updated: November 3, 2011
Description: From the Red Hat advisory:

It was discovered that the pam_namespace module executed the external script namespace.init with an unchanged environment inherited from an application calling PAM. In cases where such an environment was untrusted (for example, when pam_namespace was configured for setuid applications such as su or sudo), a local, unprivileged user could possibly use this flaw to escalate their privileges. (CVE-2010-3853)

It was discovered that the pam_mail module used root privileges while accessing users' files. In certain configurations, a local, unprivileged user could use this flaw to obtain limited information about files or directories that they do not have access to. (CVE-2010-3435)

It was discovered that the pam_xauth module did not verify the return values of the setuid() and setgid() system calls. A local, unprivileged user could use this flaw to execute the xauth command with root privileges and make it read an arbitrary input file. (CVE-2010-3316)

Gentoo 201206-31 pam 2012-06-25
SUSE SUSE-SU-2011:1218-1 pam 2011-11-04
SUSE SUSE-SU-2011:1207-1 pam 2011-11-03
SUSE SUSE-SU-2011:1205-1 pam 2011-11-03
SUSE SUSE-SU-2011:1209-1 pam 2011-11-03
openSUSE openSUSE-SU-2011:1208-1 pam 2011-11-03
Ubuntu USN-1140-2 pam 2011-05-31
Ubuntu USN-1140-1 pam 2011-05-30
Pardus 2011-41 pam 2011-02-14
Fedora FEDORA-2010-17133 pam 2010-11-02
Red Hat RHSA-2010:0891-01 pam 2010-11-16
Fedora FEDORA-2010-17155 pam 2010-11-02
Fedora FEDORA-2010-17112 pam 2010-11-02
Mandriva MDVSA-2010:220 pam 2010-11-04
CentOS CESA-2010:0819 pam 2010-11-01
Red Hat RHSA-2010:0819-01 pam 2010-11-01

php: multiple vulnerabilities

Package(s): php    CVE #(s): CVE-2010-3710 CVE-2010-3709 CVE-2010-3436
Created: November 1, 2010    Updated: April 15, 2011
Description: From the Mandriva advisory:

Stack consumption vulnerability in the filter_var function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows remote attackers to cause a denial of service (memory consumption and application crash) via a long e-mail address string (CVE-2010-3710).

A NULL pointer dereference was discovered in ZipArchive::getArchiveComment (CVE-2010-3709).

A possible flaw was discovered in open_basedir (CVE-2010-3436).

Oracle ELSA-2013-1615 php 2013-11-26
Gentoo 201110-06 php 2011-10-10
CentOS CESA-2011:0196 php53 2011-04-14
openSUSE openSUSE-SU-2011:0276-1 php5 2011-04-01
Debian DSA-2195-1 php5 2011-03-19
Red Hat RHSA-2011:0196-01 php53 2011-02-03
Red Hat RHSA-2011:0195-01 php 2011-02-03
Ubuntu USN-1042-2 USN-1042-1 fixed 2011-01-13
Ubuntu USN-1042-1 php5 2011-01-11
Fedora FEDORA-2010-19011 maniadrive 2010-12-17
Fedora FEDORA-2010-18976 maniadrive 2010-12-17
Fedora FEDORA-2010-19011 php-eaccelerator 2010-12-17
Fedora FEDORA-2010-18976 php-eaccelerator 2010-12-17
Fedora FEDORA-2010-19011 php 2010-12-17
Fedora FEDORA-2010-18976 php 2010-12-17
Slackware SSA:2010-357-01 php 2010-12-24
SUSE SUSE-SR:2010:023 libxml2, tomboy, krb5, php5, cups, java-1_6_0-openjdk, epiphany, encfs 2010-12-08
openSUSE openSUSE-SU-2010:1012-1 php5 2010-12-02
Mandriva MDVSA-2010:218 php 2010-10-31

proftpd: arbitrary code execution

Package(s): proftpd    CVE #(s): CVE-2010-3867
Created: November 2, 2010    Updated: March 15, 2011
Description: From the Slackware advisory:

Fixed Telnet IAC stack overflow vulnerability (ZDI-CAN-925), which can allow remote execution of arbitrary code as the user running the ProFTPD daemon. Thanks to TippingPoint and the Zero Day Initiative (ZDI).

Gentoo 201309-15 proftpd 2013-09-24
Debian DSA-2191-1 proftpd-dfsg 2011-03-14
Fedora FEDORA-2010-17220 proftpd 2010-11-03
Mandriva MDVSA-2010:227 proftpd 2010-11-11
Fedora FEDORA-2010-17091 proftpd 2010-11-02
Fedora FEDORA-2010-17098 proftpd 2010-11-02
Slackware SSA:2010-305-03 proftpd 2010-11-02

python: multiple vulnerabilities

Package(s): python    CVE #(s): CVE-2009-4134 CVE-2010-1449 CVE-2010-1450 CVE-2010-3492 CVE-2010-3493
Created: November 1, 2010    Updated: October 18, 2012
Description: From the Mandriva advisory:

Buffer underflow in the rgbimg module in Python 2.5 allows remote attackers to cause a denial of service (application crash) via a large ZSIZE value in a black-and-white (aka B/W) RGB image that triggers an invalid pointer dereference (CVE-2009-4134).

Integer overflow in rgbimgmodule.c in the rgbimg module in Python 2.5 allows remote attackers to have an unspecified impact via a large image that triggers a buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-3143.12 (CVE-2010-1449).

Multiple buffer overflows in the RLE decoder in the rgbimg module in Python 2.5 allow remote attackers to have an unspecified impact via an image file containing crafted data that triggers improper processing within the (1) longimagedata or (2) expandrow function (CVE-2010-1450).

The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections (CVE-2010-3492).

Multiple race conditions in the smtpd module in Python 2.6, 2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername function having an ENOTCONN error, a related issue to CVE-2010-3492 (CVE-2010-3493).

Gentoo 201401-04 python 2014-01-07
Ubuntu USN-1613-1 python2.5 2012-10-17
Ubuntu USN-1613-2 python2.4 2012-10-17
Ubuntu USN-1596-1 python2.6 2012-10-04
Ubuntu USN-1314-1 python3.1, python3.2 2011-12-19
CentOS CESA-2011:0491 python 2011-05-05
CentOS CESA-2011:0492 python 2011-05-05
Red Hat RHSA-2011:0491-01 python 2011-05-05
Red Hat RHSA-2011:0554-01 python 2011-05-19
Red Hat RHSA-2011:0492-01 python 2011-05-05
Red Hat RHSA-2011:0260-01 python 2011-02-16
SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25
Red Hat RHSA-2011:0027-01 python 2011-01-13
SUSE SUSE-SR:2010:024 clamav, subversion, python, krb5, otrs, moonlight, OpenOffice_org, kdenetwork4, zope, xpdf, gnutls, and opera 2010-12-23
openSUSE openSUSE-SU-2010:1051-1 python 2010-12-13
openSUSE openSUSE-SU-2010:1049-1 python 2010-12-13
Mandriva MDVSA-2010:216 python 2010-10-30
Mandriva MDVSA-2010:215 python 2010-10-30

Page editor: Jake Edge

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds