On the session fixation vulnerability - what do the logs look like?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear all,

would it be possible to see an example of the logs produced by RT
subjected to the session fixation vulnerability?

I have a very bizarre event in the RT I manage which took place
approximately 2 hrs after the security alert went out to the lists and
I cannot explain away. It looks like this (RT 3.0.12):

192.168.X.Y - - [01/Dec/2009:18:21:56 +0000] "GET /rt/NoAuth/webrt.css HTTP/1.1" 200 6944
192.168.X.Y - - [01/Dec/2009:18:21:58 +0000] "GET /rt/Ticket/Display.html?id=41114 HTTP/1.1" 200 56794
192.168.X.Y - - [01/Dec/2009:18:22:05 +0000] "GET /rt/NoAuth/webrt.css HTTP/1.1" 200 6944
192.168.X.Y - - [01/Dec/2009:18:22:06 +0000] "GET /rt/Ticket/Update.html?id=41114&QuoteTransaction=293515&Action=Respond HTTP/1.1" 200 14338
192.168.X.Y - - [01/Dec/2009:18:24:21 +0000] "GET /rt/NoAuth/webrt.css HTTP/1.1" 200 6944
192.168.X.Y - - [01/Dec/2009:18:24:23 +0000] "POST /rt/Ticket/Update.html HTTP/1.1" 200 23431

which correlates with:

[Tue Dec 1 18:24:20 2009] [crit]: RT::Attachment->Create couldn't, as you didn't specify a transaction (/usr/share/request-tracker3/lib/RT/Attachment_Overlay.pm:117)
[Tue Dec 1 18:24:20 2009] [crit]: Trying to check RT::Ticket rights for an unspecified RT::Ticket (/usr/share/request-tracker3/lib/RT/Principal_Overlay.pm:355)
[Tue Dec 1 18:24:20 2009] [err]: RT::Ticket=HASH(0xa0726b8) couldn't init a transaction Transaction Created (/usr/share/request-tracker3/lib/RT/Ticket_Overlay.pm:2334)

I’ve trawled through the past year of logs and we’ve never seen these
errors before.

The database log shows no transaction for the same time period (note
hole between 16:24:55 GMT and 09:24:03 GMT):

-[ RECORD 18 ]--------------
id              | 293515
effectiveticket | 0
ticket          | 41114
timetaken       | 30
type            | Correspond
field           |
oldvalue        |
newvalue        |
data            | No Subject
creator         | 72707
created         | 2009-12-01 16:24:55
-[ RECORD 19 ]--------------
id              | 293626
effectiveticket | 0
ticket          | 41114
timetaken       | 0
type            | Comment
field           |
oldvalue        |
newvalue        |
data            | No Subject
creator         | 72707
created         | 2009-12-02 09:24:03

and we did have an outbound e-mail sent by RT:

Dec 1 18:24:20 glan postfix/pickup[14782]: 81A8DC5A6C: uid=33 from=
Dec 1 18:24:20 glan postfix/cleanup[18057]: 81A8DC5A6C: message-id=rt-3.0.12-41114-.17.9168436955345@rt.X.com
Dec 1 18:24:20 glan postfix/qmgr[19235]: 81A8DC5A6C: from=www-data@net.X.com, size=925, nrcpt=10 (queue active)
Dec 1 18:24:20 glan postfix/pickup[14782]: BEF8CC5A6F: uid=33 from=
Dec 1 18:24:20 glan postfix/cleanup[18057]: BEF8CC5A6F: message-id=rt-3.0.12-41114-.18.8098731560421@rt.X.com
Dec 1 18:24:20 glan postfix/qmgr[19235]: BEF8CC5A6F: from=www-data@net.X.com, size=838, nrcpt=1 (queue active)
Dec 1 18:24:21 glan postfix/smtp[18062]: BEF8CC5A6F: to=xxxxxx@X.com, relay=mailrelay.net.X.com[192.168.160.3], delay=1, status=sent (250 2.0.0 nB1IOK1r004792 Message accepted for delivery)
Dec 1 18:24:21 glan postfix/qmgr[19235]: BEF8CC5A6F: removed
Dec 1 18:24:25 glan postfix/smtp[18059]: 81A8DC5A6C: to=yyyyyy@X.com, relay=mailrelay.net.X.com[192.168.160.2], delay=5, status=sent (250 2.0.0 nB1IOKOH031556 Message accepted for delivery)

[all other ticket watchers follow]

Dec 1 18:24:25 glan postfix/qmgr[19235]: 81A8DC5A6C: removed

and the message looks like this:

<URL: http://rt.X.com/rt/Ticket/Display.html?id=41114 >

This transaction appears to have no content

-- 8< cut here 8< --

Any suggestions gratefully received…

Arrigo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAksWSZ8ACgkQDbQ6TQLMoL+JfACfdJyZxwtAqskd0lmzDnKHNFpz
VfQAni4tghvjNyqS2AafozUorVtfS4cl
=VPC+
-----END PGP SIGNATURE-----
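Arrigo lines the three logs up by hand. The following is an added example, not code from this thread and not part of RT, that does the same mechanically: it parses Apache combined-format, RT error-log and Postfix syslog lines, merges them into one timeline, and lists every RT and Postfix event that falls within a few seconds of each POST to Ticket/Update.html, with its offset from the request. The sample lines are constructed for the example (modelled on the redacted excerpts above, with example addresses); the assumptions that all three logs share one clock in UTC and that the syslog year is 2009 are mine.

```python
"""Merge an Apache access log, the RT error log and the Postfix log into one
timeline and pull out what happened around each POST to Ticket/Update.html.

Added example, not code from the thread or from RT. The sample lines are
constructed (modelled on the redacted excerpts in the thread, with example
hosts and addresses) and are not the original log files.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumption: all three logs use the same clock and zone. The access log says
# +0000; RT and syslog print local time, which we take to be UTC as well.
LOG_TZ = timezone.utc
SYSLOG_YEAR = 2009  # syslog lines carry no year; assumed from the thread's date

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$')
RT_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: (?P<msg>.*)$')
POSTFIX_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>\w+)\[\d+\]: (?P<msg>.*)$')

# Constructed sample: a view of the Respond form, then the POST, with the RT
# errors and the outbound mail that appeared next to it in the thread.
SAMPLE_LOG_LINES = """
192.168.0.10 - - [01/Dec/2009:18:22:06 +0000] "GET /rt/Ticket/Update.html?id=41114&QuoteTransaction=293515&Action=Respond HTTP/1.1" 200 14338
192.168.0.10 - - [01/Dec/2009:18:24:21 +0000] "GET /rt/NoAuth/webrt.css HTTP/1.1" 200 6944
192.168.0.10 - - [01/Dec/2009:18:24:23 +0000] "POST /rt/Ticket/Update.html HTTP/1.1" 200 23431
[Tue Dec  1 18:24:20 2009] [crit]: RT::Attachment->Create couldn't, as you didn't specify a transaction (/usr/share/request-tracker3/lib/RT/Attachment_Overlay.pm:117)
[Tue Dec  1 18:24:20 2009] [crit]: Trying to check RT::Ticket rights for an unspecified RT::Ticket (/usr/share/request-tracker3/lib/RT/Principal_Overlay.pm:355)
[Tue Dec  1 18:24:20 2009] [err]: RT::Ticket=HASH(0xa0726b8) couldn't init a transaction Transaction Created (/usr/share/request-tracker3/lib/RT/Ticket_Overlay.pm:2334)
Dec  1 18:24:20 glan postfix/pickup[14782]: 81A8DC5A6C: uid=33 from=<www-data>
Dec  1 18:24:20 glan postfix/qmgr[19235]: 81A8DC5A6C: from=<www-data@net.example.com>, size=925, nrcpt=10 (queue active)
Dec  1 18:24:25 glan postfix/qmgr[19235]: 81A8DC5A6C: removed
""".strip().splitlines()


def parse_line(line):
    """Return (timestamp, source, detail), or None if the line is none of the three formats."""
    m = APACHE_RE.match(line)
    if m:
        # Apache %t carries its own offset, so the result is already timezone-aware.
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        return ts, 'apache', f"{m['req']} -> {m['status']}"
    m = RT_RE.match(line)
    if m:
        ts = datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y').replace(tzinfo=LOG_TZ)
        return ts, 'rt', f"[{m['level']}] {m['msg']}"
    m = POSTFIX_RE.match(line)
    if m:
        ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S').replace(year=SYSLOG_YEAR, tzinfo=LOG_TZ)
        return ts, 'postfix', f"{m['prog']}: {m['msg']}"
    return None


def build_timeline(lines):
    """Parse every recognised line and return the events sorted by time (stable)."""
    events = [e for e in (parse_line(l.strip()) for l in lines) if e]
    return sorted(events, key=lambda e: e[0])


def correlate(events, anchor='POST /rt/Ticket/Update.html', window=timedelta(seconds=5)):
    """For each access-log request whose detail contains `anchor`, gather the RT and
    Postfix events within +/- window of it, each tagged with its offset in seconds
    (negative means the event was logged before the request's timestamp)."""
    hits = []
    for ts, src, detail in events:
        if src != 'apache' or anchor not in detail:
            continue
        nearby = [((e[0] - ts).total_seconds(), e[1], e[2]) for e in events
                  if e[1] != 'apache' and abs(e[0] - ts) <= window]
        hits.append({
            'request': detail, 'at': ts,
            'rt': [n for n in nearby if n[1] == 'rt'],
            'postfix': [n for n in nearby if n[1] == 'postfix'],
        })
    return hits


if __name__ == '__main__':
    timeline = build_timeline(SAMPLE_LOG_LINES)
    for ts, src, detail in timeline:
        print(f"{ts:%H:%M:%S} {src:8} {detail}")
    for hit in correlate(timeline):
        print(f"\n{hit['request']} at {hit['at']:%H:%M:%S}:")
        for off, src, detail in hit['rt'] + hit['postfix']:
            print(f"  {off:+.0f}s {src}: {detail}")
```

Run it against real files by reading them into one list (`lines = open(access_log).read().splitlines() + ...`); the parser tells the formats apart by shape, so the order of the files does not matter. Widen `window` if the front-end proxy or a slow upload puts more than a few seconds between the request timestamp and the application's own log entries.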

Arrigo,

What you’d see if you were attacked using the vulnerability we announced
patches for would…not necessarily be distinguishable from regular
traffic to your RT server. Though you would see the malicious user’s
IP in your logs. I think you hit a case where something went wrong with
transaction creation, possibly related to the file someone was trying to
attach.

It looks like a bug. But it doesn’t look like you were attacked.

Best,
Jesse


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Jesse,

On Dec 2, 2009, at 16:45, Jesse Vincent wrote:

> It looks like a bug. But it doesn't look like you were attacked.

OK, I’ll file it under “bizarre bug”… one day we’ll find the courage
to upgrade to 3.8…

Thanks for taking the time to clarify,

Arrigo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAksWmCUACgkQDbQ6TQLMoL9GSQCfU0LKTWoa7d+sBO4dzm+0YzJ9
HS4Anj0oDCmIcXnWWdnMI+WfO3lUCnWw
=LoVk
-----END PGP SIGNATURE-----