[Full-disclosure] Exploiting sibling domains cookie isolation policy to DoS CDN users

2013-04-11 Thread Jan Wrobel
Hello,

In short:

Browsers can easily be cut off from any resources hosted on Content
Delivery Networks that use a domain shared between users, by a visit
to a malicious site that sets a large number of cookies on the common
prefix of the CDN domain.

For example, an HTML document on 'foo.rackcdn.com' (visited directly
or iframed) can set a large number of large cookies with a domain
attribute set to 'rackcdn.com'. This prevents the browser from
accessing any content on '*.rackcdn.com'. A single site can target
multiple CDNs at once.

More detailed writeup:
http://mixedbit.org/blog/2013/04/11/dos_attack_on_cdn_users.html

Best regards,
Jan

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Exploiting sibling domains cookie isolation policy to DoS CDN users

2013-04-11 Thread Jan Wrobel
On Thu, Apr 11, 2013 at 6:32 PM, Michal Zalewski lcam...@coredump.cx wrote:
> This is fairly well-known, I think; for example, there's a mention of this
> here (search for appspot.com):
>
> http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html

Yes, the idea of such a DoS technique is not new, but I've never seen
it discussed in the context of CDNs. The impact of the attack against
a blogging platform is limited compared to the impact of the attack
against a popular CDN that many sites depend on. Yet, blogspot.com is
on the Public Suffix List, but no CDNs are there (excluding Amazon's
that was recently added). And CDNs are much easier to protect than
applications like Blogger: you don't need to redesign the authentication
mechanism, the suffix domain is already cookieless. So I think it is
worth writing about the issue to encourage more CDN providers to add
their domains to the PSL.

BTW. I've added a link to your post.

Thanks,
Jan
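The cookie-domain rule that the attack in the first message relies on, and the Public Suffix List fix proposed in this reply, as an added example that is not code from the original posts. PUBLIC_SUFFIXES is a constructed subset of the PSL and MAX_HEADER_BYTES a constructed server limit; the simulation counts header bytes only, it sets no cookies anywhere.

```python
# Added example, not code from the original posts: models the cookie domain
# rule that the CDN cookie-flooding DoS described above relies on, and shows
# why adding the shared CDN domain to the Public Suffix List (PSL) stops it.
# PUBLIC_SUFFIXES and MAX_HEADER_BYTES are constructed sample values.

PUBLIC_SUFFIXES = {"com", "blogspot.com"}   # constructed subset, not the real PSL
MAX_HEADER_BYTES = 8192                     # constructed: a typical server limit

def domain_matches(host, cookie_domain):
    """RFC 6265 domain matching: host equals the cookie domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)

def cookie_domain_allowed(setting_host, cookie_domain, suffixes):
    """May a page on setting_host store a cookie scoped to cookie_domain?
    Browsers refuse a Domain attribute that is a public suffix, and one that
    the setting host does not belong to."""
    dom = cookie_domain.lower().strip(".")
    return dom not in suffixes and domain_matches(setting_host, dom)

def simulate_flood(setting_host, cookie_domain, target_host, suffixes,
                   count=20, size=4000):
    """A page on setting_host tries to set `count` cookies of `size` bytes
    scoped to cookie_domain.  Returns the length of the Cookie header a later
    request to target_host would carry, or 0 if the cookies were refused or
    would not be sent to that host."""
    if not cookie_domain_allowed(setting_host, cookie_domain, suffixes):
        return 0
    if not domain_matches(target_host, cookie_domain):
        return 0
    return len("; ".join(f"c{i}={'A' * size}" for i in range(count)))

def cdn_request_blocked(setting_host, cookie_domain, target_host, suffixes):
    """True if the flooded Cookie header would exceed the server's header limit,
    i.e. every fetch from target_host now fails for this browser."""
    return simulate_flood(setting_host, cookie_domain, target_host, suffixes) > MAX_HEADER_BYTES

if __name__ == "__main__":
    psl_without_cdn = PUBLIC_SUFFIXES
    psl_with_cdn = PUBLIC_SUFFIXES | {"rackcdn.com"}
    for name, psl in (("rackcdn.com not on PSL", psl_without_cdn),
                      ("rackcdn.com on PSL", psl_with_cdn)):
        blocked = cdn_request_blocked("foo.rackcdn.com", "rackcdn.com", "bar.rackcdn.com", psl)
        print(f"{name}: requests to bar.rackcdn.com blocked = {blocked}")
```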



Re: [Full-disclosure] Exploiting sibling domains cookie isolation policy to DoS CDN users

2013-04-11 Thread Jan Wrobel
On Thu, Apr 11, 2013 at 6:05 PM, Jann Horn j...@thejh.net wrote:
> On Thu, Apr 11, 2013 at 05:01:57PM +0200, Jan Wrobel wrote:
> [...]
>
> CDNs could mitigate this by, instead of resetting connections with lots of
> headers, just reading all the cookies and throwing them into the bit bucket
> instead of keeping them in RAM, right? That way, there would still be the
> wasted bandwidth, but combined with the Google approach, it should work fine,
> right? If the client sends too many headers, just ignore everything until you
> reach \n\n, then send back the error script?

In my view a cookie resetting script is rather a last resort defense,
not a reliable mechanism to depend upon. Sites that include
resources from a CDN rarely serve main or iframed HTML documents from
the CDN origin, and this is required for the resetting script to work.
If such a script was returned when a browser is expecting a script, img,
css or other non-HTML sub-resource, it would not work.

Jan



[Full-disclosure] Using HTTP referer for phishing attacks

2012-01-24 Thread Jan Wrobel
Hi,

Sorry if this is not new, but I didn't manage to find any mention of
such a technique.

In short: the HTTP referer field contains information about where the web
user is coming from, which is often a trusted site such as a web search.
Having such information, a malicious web site can use several tricks
to fool the user into thinking that he or she returned to the
referring site. In fact, the user is taken to a generic phishing site
that intercepts all data exchanged between the user, the referring
site and sites visited from the referring site.

A more detailed write-up with a few examples is here:
http://mixedbit.org/referer.html

Cheers,
Jan



[Full-disclosure] Reflection Scan: an Off-Path Attack on TCP

2012-01-18 Thread Jan Wrobel
Hi,

This TCP session hijacking technique might be of interest to some of you.

Abstract:
The paper demonstrates how the traffic load of a shared packet queue can
be exploited as a side channel through which protected information
leaks to an off-path attacker. The attacker sends to a victim a
sequence of identical spoofed segments. The victim responds to each
segment in the sequence (the sequence is reflected by the victim) if
the segments satisfy a certain condition tested by the attacker. The
responses do not reach the attacker directly, but induce extra load on
a routing queue shared between the victim and the attacker. Increased
processing time of packets traversing the queue reveals that the tested
condition was true. The paper concentrates on TCP, but the
approach is generic and can be effective against other protocols that
allow the construction of requests which are conditionally answered by the
victim. A proof of concept was created to assess applicability of the
method in real-life scenarios.

The paper in ps and pdf is available at http://mixedbit.org and
http://arxiv.org/abs/1201.2074

Proof of concept: https://github.com/wrr/reflection_scan

Thanks,
Jan



Re: [Full-disclosure] 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)

2007-03-30 Thread Jan Wrobel
On Thu, 29 Mar 2007, Alexander Sotirov wrote:

> Today Microsoft released a security advisory about a vulnerability in the
> Animated Cursor processing code in Windows:
> http://www.microsoft.com/technet/security/advisory/935423.mspx
>
> It seems like the vulnerability is already exploited in the wild:
> http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/

Bleeding Edge Threats made available a Snort rule that detects some (all?)
exploits using this vulnerability:
http://www.bleedingthreats.net/index.php/2007/03/30/ms-ani-exploit-rule-details-emerging/

I don't know if this rule detects all possible exploits or just one
particular type. Here is a Firekeeper version of the rule, which can
be used to detect sites hosting malicious files:

alert (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; body_content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; reference:url,http://isc.sans.org/diary.html?storyid=2534; reference:url,http://www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; fid:2003519; rev:1;)


The rule is triggered, for example, by the following images:

http://www.i5460.net/admin12/2.jpg
http://www.i5460.net/admin12/1.jpg


Cheers,
Jan Wrobel
http://firekeeper.mozdev.org
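What the rule above actually matches, as an added example that is not code from the post or from the Firekeeper project: it parses the body_content byte pattern out of a Snort/Firekeeper-style rule and scans a buffer for it. The rule text is abbreviated (reference options dropped) and both sample buffers are constructed, not real .ani files.

```python
# Added example, not code from the post or from the Firekeeper project: parses
# the body_content byte pattern out of a Snort/Firekeeper-style rule and scans
# a buffer for it, which is all the quoted rule does.  The rule text is
# abbreviated (reference options dropped); the sample buffers are constructed.
import re

RULE = ('alert (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; '
        'body_content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 '
        '00 00 02 02 02 02 61 6E 69 68 52|"; fid:2003519; rev:1;)')

def parse_rule(rule):
    """Return (msg, [pattern bytes, ...]); |..| segments are hex, the rest literal."""
    msg = re.search(r'msg:"([^"]*)"', rule).group(1)
    patterns = []
    for raw in re.findall(r'body_content:"([^"]*)"', rule):
        out = bytearray()
        for tok in re.split(r'(\|[^|]*\|)', raw):
            if tok.startswith("|") and tok.endswith("|"):
                out += bytes.fromhex(tok.strip("|"))   # fromhex skips the spaces
            else:
                out += tok.encode("latin-1")
        patterns.append(bytes(out))
    return msg, patterns

def scan(buf, rule=RULE):
    """Return [(offset, msg), ...] for every occurrence of a rule pattern in buf."""
    msg, patterns = parse_rule(rule)
    hits = []
    for pat in patterns:
        start = 0
        while (i := buf.find(pat, start)) != -1:
            hits.append((i, msg))
            start = i + 1
    return hits

# Constructed samples: a well-formed RIFF/ACON header with an ordinary 36-byte
# anih chunk, and the same header followed by the rule's byte sequence.
BENIGN = (b"RIFF" + (48).to_bytes(4, "little") + b"ACON"
          + b"anih" + (36).to_bytes(4, "little") + bytes(36))
SUSPECT = BENIGN[:12] + parse_rule(RULE)[1][0] + bytes(16)

if __name__ == "__main__":
    for name, buf in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan(buf) or "no match")
```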
