Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
Le samedi 06 février 2010 à 08:52 +0100, Julien Valroff a écrit : > Le samedi 06 février 2010 à 01:25 -0600, Raphael Geissert a écrit : > > Hi Julien, > > > > On 6 February 2010 01:19, Julien Valroff wrote: > > > Hi Raphael, > > > > > > Le samedi 06 février 2010 à 01:04 -0600, Raphael Geissert a écrit : > > >> Hi, > > >> > > >> I plan to release a DSA fixing this issue with the attached patch. > > >> Please upload a new version to sid containing the fix. > > > > > > I'll work on this today. Thanks a lot for your work! > > > > > > Should I upload a version with the only change being this fix, or can I > > > also introduce other changes which I have planned? > > > > You can upload whatever other change you want (well, not "whatever", > > but you get it :). > > Ok, I will prepare a new package ASAP > > > > > > > What about security fixes for Lenny, should I prepare a package and > > > upload it somewhere? > > > > > > > There's no need, I've already prepared the packages and will release > > them later today. > > Great, I am happy to see this bug at least (about to be) close! It is now closed, I have uploaded a package containing your fix to unstable. Thanks again for your great help! Cheers, Julien -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
Le samedi 06 février 2010 à 01:25 -0600, Raphael Geissert a écrit : > Hi Julien, > > On 6 February 2010 01:19, Julien Valroff wrote: > > Hi Raphael, > > > > Le samedi 06 février 2010 à 01:04 -0600, Raphael Geissert a écrit : > >> Hi, > >> > >> I plan to release a DSA fixing this issue with the attached patch. > >> Please upload a new version to sid containing the fix. > > > > I'll work on this today. Thanks a lot for your work! > > > > Should I upload a version with the only change being this fix, or can I > > also introduce other changes which I have planned? > > You can upload whatever other change you want (well, not "whatever", > but you get it :). Ok, I will prepare a new package ASAP > > > > What about security fixes for Lenny, should I prepare a package and > > upload it somewhere? > > > > There's no need, I've already prepared the packages and will release > them later today. Great, I am happy to see this bug at least (about to be) close! Cheers, Julien -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
Hi Julien, On 6 February 2010 01:19, Julien Valroff wrote: > Hi Raphael, > > Le samedi 06 février 2010 à 01:04 -0600, Raphael Geissert a écrit : >> Hi, >> >> I plan to release a DSA fixing this issue with the attached patch. >> Please upload a new version to sid containing the fix. > > I'll work on this today. Thanks a lot for your work! > > Should I upload a version with the only change being this fix, or can I > also introduce other changes which I have planned? You can upload whatever other change you want (well, not "whatever", but you get it :). > > What about security fixes for Lenny, should I prepare a package and > upload it somewhere? > There's no need, I've already prepared the packages and will release them later today. Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
Hi Raphael, Le samedi 06 février 2010 à 01:04 -0600, Raphael Geissert a écrit : > Hi, > > I plan to release a DSA fixing this issue with the attached patch. > Please upload a new version to sid containing the fix. I'll work on this today. Thanks a lot for your work! Should I upload a version with the only change being this fix, or can I also introduce other changes which I have planned? What about security fixes for Lenny, should I prepare a package and upload it somewhere? Cheers, Julien -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
Hi, I plan to release a DSA fixing this issue with the attached patch. Please upload a new version to sid containing the fix. Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net Fix CVE-2009-1629: weak session id generation Use a cookie with a strong random name and a strong random value for each user to protect from session id hijacking attacks. The browser-generated session id is now stronger but only used to separate multiple sessions of the same ip. Additionally, a limiting mechanism sets a maximum of 20 simultaneous sessions in total and 4 maximum sessions per connecting ip. The X-Forwarded-For header is only honoured if the real remote ip is 127.0.0.1. diff -urpN ajaxterm-0.10-4.orig/ajaxterm.js ajaxterm-0.10-4/ajaxterm.js --- ajaxterm-0.10-4.orig/ajaxterm.js 2006-10-28 21:52:39.0 -0500 +++ ajaxterm-0.10-4/ajaxterm.js 2010-02-04 19:45:11.0 -0600 @@ -3,7 +3,24 @@ ajaxterm.Terminal_ctor=function(id,width var ie=0; if(window.ActiveXObject) ie=1; - var sid=""+Math.round(Math.random()*10); + + var sid=""; + + for (var i=0; i < 128; i++) { + var r = 0; + // now get a random number between 0 and 255 + // numbers not in the range are intentionally discarded + // as it reduces the chance of predicting the seed, by not + // using all of the numbers generated by the PRNG + do { + r = Math.round(Math.random()*1000); + } while(r >= 255); + r = r.toString(16); + if (r.length == 1) + r = "0"+r; + sid += "%" + r; + } + var query0="s="+sid+"&w="+width+"&h="+height; var query1=query0+"&c=1&k="; var buf=""; diff -urpN ajaxterm-0.10-4.orig/ajaxterm.py ajaxterm-0.10-4/ajaxterm.py --- ajaxterm-0.10-4.orig/ajaxterm.py 2006-10-28 21:52:39.0 -0500 +++ ajaxterm-0.10-4/ajaxterm.py 2010-02-04 20:01:50.0 -0600 @@ -2,7 +2,14 @@ """ Ajaxterm """ -import array,cgi,fcntl,glob,mimetypes,optparse,os,pty,random,re,signal,select,sys,threading,time,termios,struct,pwd +import array,cgi,fcntl,glob,mimetypes,optparse,os,pty,random,re,signal,select,sys,threading,time,termios,struct,pwd,Cookie +from datetime import datetime, timedelta + +try: + from hashlib import sha1 +except ImportError: + import sha + sha1 = sha.new os.chdir(os.path.normpath(os.path.dirname(__file__))) # Optional: Add QWeb in sys path @@ -483,30 +490,61 @@ class AjaxTerm: self.mime['.html']= 'text/html; charset=UTF-8' self.multi = Multiplex(cmd) self.session = {} + self.session_ip = {} + self.sessions_limit = 20 + self.sessions_user_limit = 4 + m = sha1() + m.update(os.urandom(128)) + self.cookie_name = m.hexdigest() def __call__(self, environ, start_response): req = qweb.QWebRequest(environ, start_response,session=None) if req.PATH_INFO.endswith('/u'): + req.response_headers['Content-Type']='text/xml' + uid="" + if self.cookie_name not in req.request_cookies: +req.write('') +return req + uid = req.request_cookies[self.cookie_name].value s=req.REQUEST["s"] k=req.REQUEST["k"] c=req.REQUEST["c"] w=req.REQUEST.int("w") h=req.REQUEST.int("h") - if s in self.session: -term=self.session[s] + ip="unknown" + if environ.has_key("REMOTE_ADDR"): +ip=environ['REMOTE_ADDR'] +if ip == "127.0.0.1" and environ.has_key("HTTP_X_FORWARDED_FOR"): +ip=environ["HTTP_X_FORWARDED_FOR"] + + if (uid+s) in self.session: +term=self.session[uid+s] +req.response_cookies.load(req.request_cookies[self.cookie_name].OutputString()) +req.response_cookies[self.cookie_name]['expires'] = datetime.utcnow()+timedelta(seconds=60) else: if not (w>2 and w<256 and h>2 and h<100): w,h=80,25 -term=self.session[s]=self.multi.create(w,h) +# check if there aren't too many open sessions +if len(self.session) < self.sessions_limit: + count=0 + for i in self.session_ip.keys(): + if self.session_ip[i] == ip: + count+=1 + if count <= self.sessions_user_limit: + term=self.session[uid+s]=self.multi.create(w,h) + self.session_ip[uid+s]=ip + else: + req.write('') + return req if k: self.multi.proc_write(term,k) time.sleep(0.002) dump=self.multi.dump(term,c) - req.response_headers['Content-Type']='text/xml' if isinstance(dump,str): req.write(dump) req.response_gzencode=1 else: -del self.session[s] +del self.session[uid+s] +del self.session_ip[uid+s] req.write('') # print "sessions %r"%self.session else: @@ -515,9 +553,23 @@ class AjaxTerm: req.response_headers['Content-Type'] = self.mime.get(os.path.splitext(n)[1].lower(), 'application/octet-stream') req.write(self.files[n]) else: +if self.cookie_name not in req.request_cookies: +self.genSidCookie(req) req.response_headers['Content-Type'] = 'text/html; charset=UTF-8' req.write(self.files['index']) return req + def genSidCookie(self, req): + m = sha1() + m.update(os.urand
Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
2009/10/10 Florian Weimer : > * Raphael Geissert: > >> Cc'ing the stable security team as I would some input from them. As >> mentioned by Florian on IRC there's a bug on some browsers that >> could let other websites predict the sequence of Math.random(). On >> unstable the cryptojs library from stanford could be packaged and >> used to generate a session id with the Fortuna-based PRNG (which is >> of course not shared between websites, therefore safe from the >> Math.random() attacks), > > I think it's impossible to generate random numbers which reasonably > cryptographically strong with pure Javascript code because you lack a > reliable source of entropy. The cryptojs library uses mouse movements (at least) as entropy data, which makes it a very good candidate. The PRNG can not be used until it has enough entropy data, based on its predictor. > > Can't you get the ID from the server instead? > It should be possible, yes, but not without modifying many parts of the code. From the very first time the client connects to the server a session is started. My real concern about ajaxterm is that it somewhat eases the possibility of brute force attacks because none of the policy layers that are designed to prevent remote brute force attacks are applied. Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
* Raphael Geissert: > Cc'ing the stable security team as I would some input from them. As > mentioned by Florian on IRC there's a bug on some browsers that > could let other websites predict the sequence of Math.random(). On > unstable the cryptojs library from stanford could be packaged and > used to generate a session id with the Fortuna-based PRNG (which is > of course not shared between websites, therefore safe from the > Math.random() attacks), I think it's impossible to generate random numbers which reasonably cryptographically strong with pure Javascript code because you lack a reliable source of entropy. Can't you get the ID from the server instead? -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
tag 528938 patch thanks Hi, Taking a look at this long standing security and RC bug, attached is my proposed patch for the sid issue. A 255^255 session id should be good enough. Cc'ing the stable security team as I would some input from them. As mentioned by Florian on IRC there's a bug on some browsers that could let other websites predict the sequence of Math.random(). On unstable the cryptojs library from stanford could be packaged and used to generate a session id with the Fortuna-based PRNG (which is of course not shared between websites, therefore safe from the Math.random() attacks), but that can't be done on neither stable nor oldstable. And FWIW, I think that a larger and more random sid is better than the week and poor currently being generated. The patch needs some testing (mostly on the per-user sessions limit part), though. Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net diff -urpN ajaxterm-0.10-4.orig/ajaxterm.js ajaxterm-0.10-4/ajaxterm.js --- ajaxterm-0.10-4.orig/ajaxterm.js 2006-10-28 21:52:39.0 -0500 +++ ajaxterm-0.10-4/ajaxterm.js 2009-10-09 11:42:33.0 -0500 @@ -3,7 +3,23 @@ ajaxterm.Terminal_ctor=function(id,width var ie=0; if(window.ActiveXObject) ie=1; - var sid=""+Math.round(Math.random()*10); + var sid=""; + + for (var i=0; i < 255; i++) { + var r = 0; + // now get a random number between 0 and 255 + // numbers not in the range are intentionally discarded + // as it reduces the chance of predicting the seed, by not + // using all of the numbers generated by the PRNG + do { + r = Math.round(Math.random()*1000); + } while(r >= 255); + r = r.toString(16); + if (r.length == 1) + r = "0"+r; + sid += "%" + r; + } + var query0="s="+sid+"&w="+width+"&h="+height; var query1=query0+"&c=1&k="; var buf=""; diff -urpN ajaxterm-0.10-4.orig/ajaxterm.py ajaxterm-0.10-4/ajaxterm.py --- ajaxterm-0.10-4.orig/ajaxterm.py 2006-10-28 21:52:39.0 -0500 +++ ajaxterm-0.10-4/ajaxterm.py 2009-10-09 14:34:35.0 -0500 @@ -483,6 +483,9 @@ class AjaxTerm: self.mime['.html']= 'text/html; charset=UTF-8' self.multi = Multiplex(cmd) self.session = {} + self.session_ip = {} + self.sessions_limit = 20 + self.sessions_user_limit = 2 def __call__(self, environ, start_response): req = qweb.QWebRequest(environ, start_response,session=None) if req.PATH_INFO.endswith('/u'): @@ -491,12 +494,23 @@ class AjaxTerm: c=req.REQUEST["c"] w=req.REQUEST.int("w") h=req.REQUEST.int("h") + ip="unknown" + if environ.has_key("REMOTE_ADDR"): +ip=environ["REMOTE_ADDR"] if s in self.session: term=self.session[s] else: if not (w>2 and w<256 and h>2 and h<100): w,h=80,25 -term=self.session[s]=self.multi.create(w,h) +# check if there aren't too many open sessions +if len(self.session) < self.sessions_limit: + count=0 + for i in self.session_ip.keys(): + if self.session_ip[i] == ip: + count+=1 + if count <= self.sessions_user_limit: + term=self.session[s]=self.multi.create(w,h) + self.session_ip[s]=ip if k: self.multi.proc_write(term,k) time.sleep(0.002) @@ -507,6 +521,7 @@ class AjaxTerm: req.response_gzencode=1 else: del self.session[s] +del self.session_ip[s] req.write('') # print "sessions %r"%self.session else:
Processed: Re: Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
Processing commands for cont...@bugs.debian.org: > tag 528938 patch Bug #528938 [ajaxterm] CVE-2009-1629: generates session IDs with predictable random numbers Added tag(s) patch. > thanks Stopping processing here. Please contact me if you need assistance. Debian bug tracking system administrator (administrator, Debian Bugs database) -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
Package: ajaxterm Version: 0.10-4 Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for ajaxterm. CVE-2009-1629[0]: | ajaxterm.js in AjaxTerm 0.10 and earlier generates session IDs with | predictable random numbers based on certain JavaScript functions, | which makes it easier for remote attackers to (1) hijack a session or | (2) cause a denial of service (session ID exhaustion) via a | brute-force attack. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1629 http://security-tracker.debian.net/tracker/CVE-2009-1629 Cheers, Giuseppe. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkoO0y0ACgkQNxpp46476ap5kQCghMAQafc46v0qdvjymQs/2G8p jZcAoI7a4mTbI3QBpyrx88Qlr9z9ojLG =hk2D -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org