Monday, November 26, 2007

Technical explanation for failure of Orkut cookie exploits
Why I am writing this...
Hi all. For the past few days and weeks I was studying about orkut cookie exploits and the familiar javascripts which when pasted in browser steal the cookie. Although I believe orkut is safe as of now, unless someone comes up with a new technique to bypass the new security feature. I believe these tricks used to work till August 2007,even somewhere somehow near in May 2007 I found my cookie being transferred to an anonymous account on orkut.
That sob deleted my 15 scraps. Perhaps I used some flooding script without understanding the content. I didn’t know much about cookies at that time. Anyways these tricks dont work now. because even if you type alert(document.cookie) in your browser URL, you get some cookie values but not the admired one called orkut_state. I studied a few interesting things and thought of sharing some useful info. The basic intent is to make normal users understand the dangers of cookie stealing, how to avoid that, and what orkut is doing to prevent cookie theft.

Yummy!!! I luv your cookie..........

This is an introductory tutorial for those who dont know about cookie stealing and the science behind that and also for those who would like to know how it used to work and why it doesnt work now. Now if you dont know what a cookie is then read the next few lines. Whenever you login into orkut with your account and password, orkut gives you a cookie which stores some information about your session. It means for all the further requests that you make to orkut you dont need to give that username/password everytime, you just send the cookie that orkut gave you in the beginning. In this way orkut keeps a track of its legitimate users. When you log out, orkut destroys this cookie so that no one can access your account unless he/she provides your username/password and gets a new cookie valid for that session.Imagine if somehow some bad person like me gets hold of your cookie. Now I can send orkut your cookie to orkut and orkut will think its you who has requested a page and not the bad person. The result is simple to understand: even if I dont know your username/password still I can still login into your account and do whatever shit I want to, provided that I have your cookie.

A typical scenario which used to occur some time back on orkut: someone sends you a javascript and says that run this after pasting in your browser URL to see "cool effects". Never run that unless you understand Javascript and you what what exactly it is going to do. It may contain a hidden malicious code which can transfer your cookies to the attacker. This is not only for orkut but also for any other site. A more dangerous exploit was in circulation in late 2006, due to an XSS bug in orkut whose sole intent was to steal cookies, and transfer the ownership of the community. As a result some big communities were hacked. And people used to ask, how to get their communities back.

How to see a cookie.............

You can see the cookies of any other site by opening that site, and typing javascript:alert(document.cookie) in the browser. The sites store some additional cookies if log in with a userid and password to track that you are an authenticated user. You can also see all the cookies stored in Internet explorer in "C:\Documents and Settings\Administrator\Cookies" and in Firefox "C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xxxxxxx.default\cookies.txt".

Muhahahaha....So how can I hack her account....

I know most of the evil minds must be jumping right now thinking about how to get the cookies of their girlfrnd. And girlfrnds, dump these guys if you know their malicious intents...lol...So malicious Dude..you cannot do it now as orkut has already taken care of your malicious intents. :D So now if you want to see your orkut cookie you can type "javascript:alert(document.cookie)" without quotes in the URL of your browser where orkut page is already loaded. After you hit enter you will see an alert box showing you some values. This is the information stored in your cookie.(_utma,_utmb,_utmc,_utmz,TZ) But wait, the interesting part is yet to come. What you see is not the complete cookie.
The precious orkut_state cookie is missing.


Orkut_state ...Hmmm

Out of the six cookies on your computer stored by orkut, (_utma,_utmb,_utmc,_utmz,TZ, orkut_state) orkut_state is responsible for the identification of the user. Well orkut_state is the cookie which is destroyed when you log out from orkut. Unfortunately this cookie remains active on the orkut server for around 14 days. That is if someone got your orkut_state using malicious javascript or else then he/she can login in to your account on orkut. Earlier the orkut_state cookie captured by an attacker would be stored using cookie editor in the attacker's browser (typically mozilla) and saved. After that the attacker goes for www.orkut.com/Home.aspx and voilla!! He is in
the home of the victim.


HttpOnly....TechnoShit!!!!

Orkut seems to be getting intelligent in terms of handling cookies. Now with the new security feature added, Even if you manage to run a javascript in the victim's browser you dont get orkut_state value. How this happened?? Well this is the new cookie protection of orkut for saving its innocent users from prying eyes. Although its not like orkut has stopped the use of orkut_state, if you use Firefox you can use an add-on called cookie editor. From the cookie editor you can see all the cookies that orkut has stored on your computer. If you are logged into orkut you can see 6 cookie values (the sixth and the important one being orkut_state) in the cookie editor. So how this 6th cookie became invisible to our javascript? The answer came after understanding the headers exchanged between my browser and orkut.com when I was logging in.
For this you will require another userful addon for Firefox called "Live http hearders". During logging in and capturing the headers, I got two useful headers where the orkut cookies can be seen. After google successful authentication you are redirected to orkut where orkut sets its own cookies.

==========================================================================
GET /RedirLogin.aspx?msg=0&auth=DQAAAHUAAADgfXp8G6ymWC35cNERFjIJD0ITpC9mLiofGy1ur0I6
jkeSdIgZQR9hth2wHVecjHstHm5wUfl_g4-Gji-6MmglgCnf3fp_e1pc3GiWS4G0x1tFh5O8NGnpAdzWH
zCJDiIEHfOCCqMDlXdT8XxIOezFc2UYQkaY-70L-l2Iqb_-ng HTTP/1.1
Host: www.orkut.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 (CK-IBM) Firefox/2.0.0.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: __utmb=85909575.0; __utma=85909575.458437098.1194587408.1194587408.1194587408.1; __utmz=85909575.1194587408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=85909575.0; TZ=-330
========================================================================


Although in the previous headers surprisingly there was no orkut_state, and it became very clear why, after watching the next header.


========================================================================
HTTP/1.x 302 Moved Temporarily
Cache-Control: no-cache, must-revalidate, no-cache="Set-Cookie", private
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Set-Cookie: orkut_state=ORKUTPREF=ID=XXXXXXXXXXXXXXXXXXX:INF=0:SET=111236588:LNG=1:
CNT=16:RM=0:USR=Z2VudHVpX3NvcGthQXXXXGlmZm1haWwuY29t:PHS=:TS=1145665351:
LCL=en-US:NET=1:TOS=2147483647:GC=DQAAAHQAAABaeE29AFA9Q2Y4xxxxxLk9vbqGlpxF
3DzzLJgCNWJGyEe_mMzOxxxxx6TK7NpktZYx6KgCsjT6Mbdoz7l-si5z23qknQOqKRQRNLyf5gpnPix
UVrsuJlikrr2o2Gzo-XF-_atZXl9xJRpZRr_FDHZ_i8qow_HgPzhZ4vo4rfg:PE=Z2VudHVpX3NvcGthQH
JlZGlmZm1haWwuY29t:GTI=0:GID=:VER=2:AST=1:SID=0:S=F2oSxzVWAx5wji0y75HyNYSFtq0=:; Domain=www.orkut.com; Path=/; HttpOnly
Set-Cookie: orkut_state=; Domain=.orkut.com; Expires=Thu, 08-Nov-07 06:42:31 GMT; Path=/; HttpOnly
Content-Type: text/html; charset=UTF-8
Location: http://www.orkut.com/Home.aspx?
Content-Encoding: gzip
Content-Length: 179
Server: GFE/1.3
Date: Fri, 09 Nov 2007 06:42:31 GMT
=====================================================================


The five orkut cookies are placed normally, but orkut_state is sent in a seperate header with an additional tag in the name of "HTTPOnly".As we can see the orkut_state content, in the end there is a tag attached called 'HttpOnly'. This is interesting as it wasnt there in previous cookie values. A little googling will tell you that the 'HttpOnly' tag instructs the browser to disallow javascript from accessing the content of this cookie. In fact this is a feature introduced by MicroSoft few years back in Internet Explorer 6 for protection from Cross site scripting attacks. Although there are few techniques by which you can bypass 'HttpOnly' like requesting the
http headers using the TRACE method,
(reference to http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
by Jeremiah Grossman) the TRACE method is aqn HTTP method which is generally used for debugging purpose. If a client sends a TRACE request to a web server and the webserver supports TRACE requests, then it echoes back the header sent by the client. In a typical XSS scenario, the attacker may send a link to the user of vulnerable site,(that supports TRACE method and uses HttpOnly protection for cookies) which when clicked may send a TRACE request to the webserver and the echoed response by the webserver can be captured by the attacker. Fortunately they not possible in case of Orkut as of now for two good reasons.

1.Most of the browsers like the popular ones Firefox and IE donot support TRACE for obvious security reasons.(Though it was possible earlier for IE)
2.Orkut does not entertain a TRACE request at all.

The following functions can explain this:
For Firefox:

javascript:var xll;function load(url){xll=new XMLHttpRequest();xll.open("TRACE",url,false); xll.send(null);
var doc=xll.responseText;alert(doc);}load('http://www.orkut.com/');

For IE:

javascript:var xll;function load(url){xll=new ActiveXObject("Microsoft.XMLHTTP"); xll.open("TRACE",url,false);xll.send(null);var doc=xll.responseText;alert(doc);} load('http://www.orkut.com/');

Its not a surprise that nothing will happen when you paste them in URL and test. Ensure that orkut is already open in the browser because no browser allows cross domain AJAX requests for obvious security reasons. After hitting enter, For IE at the bottom of page you see "Error on page" and for Firefox (If you have installed FireBug it will clearly show an exception marked read.

"uncaught exception: [Exception... "Component returned failure code: 0x80070057
(NS_ERROR_ILLEGAL_VALUE) [nsIXMLHttpRequest.open]" nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: javascript: eval(__firebugTemp__); :: anonymous :: line 1" data: no]")

You can change the TRACE with GET and see the alert box popping out the content.
Though this may not work with orkut but still there are many webservers which allow TRACE requests by default. And if somehow the browser can be tricked into sending the TRACE request, combined with an XSS flaw, it can have a devastating effect on the vulnerable site's users. It just a theoretical idea, not an actual threat.

So as of now your orkut cookies seem to be safe. There were some ideas to test with the TRACE method but they werent looking much exciting. You can read the below mentioned articles which I studied. And a list of Firefox addons that are very helpful for analysing and debugging. The list is a long one and I have stated only those which I used now.

Date:23 Nov 2007
Aditya Lad.

References:
http://www.webappsec.org/lists/websecurity/archive/2006-01/msg00056.html
http://www.cgisecurity.com/lib/XmlHTTPRequest.shtml
http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.w3schools.com/ajax/default.asp

Useful Firefox addons:
Cookie editor : https://addons.mozilla.org/en-US/firefox/addon/573
Live HTTP Headers : https://addons.mozilla.org/en-US/firefox/addon/3829
FireBug: https://addons.mozilla.org/en-US/firefox/addon/1843