Stealing Cookies with SSL Renegotiation
Posted by Tom Cross on November 12, 2009 at 9:23 AM EST.
In my previous blog post on the SSL Renegotiation vulnerability I mentioned that, in addition to launching attacks that are equivalent to CSRF, the attacker could manipulate POST variables (as well as other aspects of the request). I characterized these attacks as application specific and esoteric. Unfortunately, the situation is worse than I thought, as Anıl Kurmuş pointed out in a post to Full Disclosure.
If a web application allows users to store or transmit arbitrary data from a POST request to a location where the user can later retrieve it, an attacker can prepend his own POST so that the victim's entire HTTP request becomes its body, and then read it back out, gaining access to sensitive information in the process, such as cookies or other authentication credentials. In Mr. Kurmuş's example he uses this technique to post a victim's Twitter request to his own Twitter feed, gaining access to the victim's password.
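As an added illustration, not part of the original post: the constructed sample below shows what the application server receives once the victim's request has been appended to the body of an attacker's incomplete POST, which is why any feature that stores the body hands the victim's Cookie header to the attacker. It also shows one server-side or reverse-proxy heuristic that flags such a body. The hostnames, paths, session token and field names are made up.

```python
import re
from typing import Optional

# Constructed sample traffic (not captured data). VICTIM_REQUEST is what the
# browser sent; SPLICED_REQUEST is what the application server sees when an
# attacker's incomplete POST has been placed in front of it on the same TLS
# session, so the victim's whole request lands inside the POST body.
VICTIM_REQUEST = (
    "GET /home HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: session=placeholder-session-token\r\n"
    "\r\n"
)


def _post(body: str) -> str:
    """Wrap a body in a well-formed POST to /update (constructed helper)."""
    return (
        "POST /update HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


BENIGN_REQUEST = _post("status=hello+from+the+client")
SPLICED_REQUEST = _post("status=" + VICTIM_REQUEST)

# A request line for any common method, followed by a line ending, appearing
# anywhere in the body (form data has no legitimate reason to contain one).
EMBEDDED_REQUEST_LINE = re.compile(
    r"\b(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) /\S* HTTP/1\.[01]\r?\n"
)
# Headers whose presence in a body means credentials were captured.
CREDENTIAL_HEADER = re.compile(r"^(Cookie|Authorization):", re.M | re.I)


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Only the declared Content-Length bytes are part of the body.
    length = int(headers.get("content-length", len(body)))
    return lines[0], headers, body[:length]


def find_spliced_request(raw: str) -> Optional[dict]:
    """Return details of a second HTTP request hidden in the body, else None.

    Heuristic for a server or reverse proxy: a form submission that itself
    contains a request line plus Cookie/Authorization headers is the
    signature of a victim's request spliced onto an attacker's POST.
    """
    request_line, _, body = parse_request(raw)
    if not request_line.startswith(("POST ", "PUT ")):
        return None
    match = EMBEDDED_REQUEST_LINE.search(body)
    if match is None:
        return None
    leaked = CREDENTIAL_HEADER.findall(body[match.end():])
    return {
        "outer_request": request_line,
        "embedded_request": match.group(0).strip(),
        "leaked_headers": leaked,
    }


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_REQUEST), ("spliced", SPLICED_REQUEST)):
        print(label, find_spliced_request(sample))
```

The check is only a compensating control for logging or blocking at a proxy; it does nothing about the renegotiation itself, which is addressed by the OpenSSL change discussed below.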
Obviously, a great many web applications allow users to store or transmit arbitrary data. The most obvious examples are webmail applications: the attacker could essentially email himself a copy of the victim's cookie. Webmail credentials are a popular target on insecure wireless LANs.
There may also be other interesting angles on this vulnerability yet to be discovered, and of course, HTTPS is not the only protocol that uses SSL.
Fortunately, a version of OpenSSL (0.9.8l) is available that disables renegotiation, which is appropriate for most applications. According to Mr. Kurmuş, Twitter seems to have already applied it. Have you?