oss-sec mailing list archives
Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack
From: "Alexander E. Patrakov" <patrakov () gmail com>
Date: Thu, 19 Dec 2019 00:33:59 +0500
On Wed, Dec 18, 2019 at 11:17 PM Aaron Patterson <aaron.patterson () gmail com> wrote:
There is a possible information leak / session hijacking vulnerability in Rack. This vulnerability has been assigned the CVE identifier CVE-2019-16782. Versions Affected: All. Not affected: None. Fixed Versions: 1.6.12, 2.0.8 There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.
I don't understand why this is reported as something Rack-specific. If I read the patch correctly (which is improbable, as I don't know Ruby at all), the idea is: 1. The attacker could send various bogus session ids, starting with all possible valid bytes. The database, if it uses a trie (yes, strawman example - is it used by any real-world database?) as a data structure to speed up looking up sessions, will terminate the comparison early on invalid bytes, thus disclosing them. 2. Given one valid byte of a session id, the attacker tries to extend it using the same procedure. 3. At the end, the attacker will get a full session ID. The patch works by making the thing stored in the database as a key not the session ID in the cookie, but a hash of it. Therefore, step 2 fails, as it is computationally hard to find something with a given prefix. On the other hand, I don't see how a timing attack would be possible on the most common data structures (B-Tree and Hash) used for database indexes. -- Alexander E. Patrakov
Current thread:
- [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Aaron Patterson (Dec 18)
- Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Alexander E. Patrakov (Dec 18)
- Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Stuart D. Gathman (Dec 19)
- Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Alexander E. Patrakov (Dec 18)