CGILua session.lua Predictable Session ID Vulnerability

2014.05.01
Credit: Syhunt
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Syhunt Advisory: CGILua session.lua Predictable Session ID Vulnerability Advisory-ID: 201404301 Discovery Date: 03.27.2014 Release Date: 04.30.2014 Affected Applications: CGILua 5.0.x, CGILua 5.1.x., CGILua 5.2 alpha 1 & CGILua 5.2 alpha 2 Class: Predictable Session ID Status: Unpatched/Vendor informed Vendor: CGILua project Vendor URL: https://github.com/keplerproject/cgilua Advisory URL: http://www.syhunt.com/advisories/?id=cgilua-weaksessionid The Common Vulnerabilities and Exposures (CVE) project has assigned the following CVE to this vulnerability: CVE-2014-2875 ---------------------------------------------------------------- Overview: CGILua is an open source tool for creating dynamic Web pages and manipulating input data from Web forms. It allows the separation of logic and data handling from the generation of pages, making it easy to develop web applications with the Lua programming language. Over the years the tool has been adopted by several organizations worldwide, especially in Brazil where it has been adopted by some high profile organizations. Description: A vulnerability in the session library that ships with CGILua since version 5.0 beta may allow remote attackers to easily and quickly guess valid session IDs generated by a Lua web application and perform session hijacking - for example, gain access to user sessions of various other logged-in users. ---------------------------------------------------------------- Details: CGILua 5.2 alpha, released in 2013, generates weak/insufficiently random session IDs (usually 9-digit long, sometimes shorter), based on OS time. Since an attacker can view the source on GitHub, he knows the generation mechanism. In our attack simulations, we were able to guess valid session IDs extremely quickly through brute-force attacks. CGILua 5.1.x (2007-2010) contains a bug and always generates the same ID. Since this bug is easily noticeable and makes the library unusable, we doubt that the version of the session library included with this release is in production anywhere. CGILua 5.0.x, released in 2004, generates sequential (non-random) 8-digit long session IDs, making guessing even more easy. ---------------------------------------------------------------- Vulnerability Status: The project maintainers were initially contacted at the end of March, 2014. The maintainer Toms Guisasola believes that the session IDs generated by CGILua 5.0 and 5.2 are not insecure in its current form and that enhancing the randomness of the SID would not make it more secure. The maintainer confirmed that the session ID generation in CGILua 5.1 is buggy - always generates the same ID, thus is unusable. Because there is no patch for this vulnerability (the author does not consider it a security risk and is unresponsive) we recommend that users simply do not use CGILua's session.lua library until hopefully there is a patch issued to remedy this. According to the CGILua changelog, the session API was introduced in version 5.0 beta, therefore older versions, like 5.0 alpha, 4.x and before don't include the session.lua library and should not be marked as vulnerable to this particular issue. In case you wish to manually patch the session library, consider using the luuid library, which generates 128-bit random IDs, as part of the fix, or any other Lua library that can generate unique IDs based on high-quality randomness. After patching (either with an official patch or your own patch), it is necessary to remove/invalidate all sessions generated by the old, unpatched code. ---------------------------------------------------------------- Disclosure Timeline: * March 27, 2014 - Emailed the maintainers about the need of hardening CGILua. * April 2, 2014 - No reply. Emailed the maintainer once again. * April 2, 2014 - First maintainer reply (see Vulnerability Status above for details). * April 4, 2014 - Syhunt sends information about recommended SID length and entropy https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Length * April 13, 2014 - Syhunt sends details about its own demonstration tool that is able to guess CGILua session IDs, along with additional comments in a separate email. * April 30, 2014 - No response received to emails sent on April 4 & 13. * April 30, 2014 - Public disclosure. ---------------------------------------------------------------- Credit: Felipe Daragon Syhunt Security Research Team, www.syhunt.com We thank James Mouat, which performed some additional tests, helping with the diagnosis of this issue. ---- Copyright © 2014 Syhunt Security Disclaimer: The information in this advisory is provided "as is" without warranty of any kind. Details provided are strictly for educational and defensive purposes. Syhunt is not liable for any damages caused by direct or indirect use of the information provided by this advisory.

References:

http://www.syhunt.com/advisories/?id=cgilua-weaksessionid
https://github.com/keplerproject/cgilua


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top