Date: Sun, 15 Jul 2007 02:41:50 -0700 (PDT)
From: Joseph Hick <leet16y@...oo.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Google/Orkut Session Expiry PoC - Results

Orkut session remains alive for 14 days after logout.

This is the result of an experiment for
Google Authentication issues posted in the threads...

1.)
http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html
(Orkut Server Side Management Error by Susam Pal &
Vipul Agarwal)

2.)
http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064300.html
(Google Re-authentication Bypass by Susam Pal)

A session was created in Orkut at about Sat Jun 30
20:30 UTC 2007. Between June 30 and yesterday many have
hijacked this session and logged out many times but
it was last known to be alive at Sat Jul 14 13:09:48
UTC 2007. The cookie for this PoC session has expired
today Sun Jul 15.

The session cookie for this PoC was...

Name: orkut_state
Cookie:
ORKUTPREF=ID=11190574376736842125:INF=0:SET=111236436:LNG=1:CNT=0:RM=0:USR=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:PHS=:TS=1183210062:LCL=en-US:NET=1:TOS=1:GC=DQAAAIMAAAArC-mJYqsrCOnv8uVQHdFUccRFQX8-ibRerEzrie5sOWNc06zs4z4fMNpovLUyRcNXHwxk8WzY6Z6SmvxcSmL1hAW4Mrdvazzkssq5VjSO70oE1HSFR4KOkSb3ZLg-U7k0x8c7ZuLHwu_qY2Umy8oobckg9UctWXYd1qoerXUTzsFSuLNXHdiAEVCSw7fUO00:PE=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:GTI=0:GID=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:VER=2:S=1Ah7VcA0JetHQ0Mgyfp4Jb6meXw=:
Domain: .www.orkut.com
Path: /
Send for: Any type of session
Expires: Expire at end of session

The issue still exists. A new session cookie to prove
this....

Cookie:
ORKUTPREF=ID=11190574376736842125:INF=0:SET=111236436:LNG=1:CNT=74:RM=0:USR=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:PHS=:TS=1184466361:LCL=en-US:NET=1:TOS=2147483647:GC=DQAAAIMAAAAKQX59h2RRxR_Yw61n4e8uiJdJJYiMIyZPvgemHnkXJElDem_sI-5AgNzq5ajnMKejwbVnKY9AxWMmrZ67XXuMNcxA3AkJVg39a-tqX5hmgnn6Pnr4lm7ieZzpwLhV-kSrcR8znzq2Wo30jKt22-3Y2ITRt93H7G8gEYMiZ2PWzOWVBlw6z5FwJs8SQaN6noQ:PE=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:GTI=0:GID=:VER=2:S=Z/6WJuS/q/cRlYLO8DgaEla9PqM=:
Other details as old cookie.

Conclusion: Hijacked session can be used for 14 days
by the hijacker because logging out does not kill the session.
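
The failure mode reported above, next to a server-side fix, as an added example that is not part of the original post and not Orkut's code. It assumes a cookie that is accepted purely on signature and expiry; the class names, signing key and user are constructed for illustration.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)   # constructed signing key for the demo
LIFETIME = 14 * 24 * 3600       # the 14-day window reported in the post

def _sign(payload: str) -> str:
    return hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()

class StatelessSessions:
    """Weak model: a cookie is valid while its signature and expiry check out."""
    def login(self, user: str, now: int) -> str:
        payload = f"{user}|{now + LIFETIME}"
        return f"{payload}|{_sign(payload)}"

    def logout(self, cookie: str) -> None:
        pass  # only the browser's copy is cleared; the server forgets nothing

    def validate(self, cookie: str, now: int):
        payload, _, sig = cookie.rpartition("|")
        if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
            return None
        user, _, expiry = payload.rpartition("|")
        return user if now < int(expiry) else None

class ServerSideSessions:
    """Hardened model: the server tracks live sessions and drops them on logout."""
    def __init__(self):
        self._live = {}  # opaque session id -> (user, expiry)

    def login(self, user: str, now: int) -> str:
        sid = secrets.token_urlsafe(32)
        self._live[sid] = (user, now + LIFETIME)
        return sid

    def logout(self, cookie: str) -> None:
        self._live.pop(cookie, None)  # every copy of this cookie stops working

    def validate(self, cookie: str, now: int):
        user, expiry = self._live.get(cookie, (None, 0))
        return user if now < expiry else None

def replay_after_logout(store, days_later: int):
    """Return the user a cookie still maps to when presented after logout."""
    cookie = store.login("victim@example.com", now=0)
    store.logout(cookie)
    # Same cookie value, as anyone holding a copy of it would present it.
    return store.validate(cookie, now=days_later * 86400)
```

With the stateless store the cookie keeps working until its own expiry; with the server-side store it is rejected as soon as logout runs.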
