Message-Id: <34E288F7-1796-49C6-9E85-26546F98DE18@packetninjas.net>
Date: Tue, 17 May 2011 17:49:15 -0500
From: Daniel Clemens <daniel.clemens@...ketninjas.net>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: CVE-2010-0217 - Zeacom Chat Server JSESSIONID weak SessionID Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                        Packetninjas L.L.C
                       www.packetninjas.net

                    -= Security  Advisory =-

    Advisory:  Zeacom Chat Server JSESSIONID weak SessionID Vulnerability
Release Date:  unknown
Last Modified: 09/27/2010
      Author: Daniel Clemens [daniel.clemens[at]packetninjas.net]

 Application: Zeacom Chat Application <= 5.0 SP4
    Severity: 
    
	Weak session management exists within the Zeacom web-chat application, 
	enabling brute forcing of the session ID, which can enable the hijacking of another's chat session. 
	The Zeacom application handles new sessions through a 10-character string (JSESSIONID), 
	resulting in an effective 9 bit entropy level for session management. The end result of an 
	attack would enable an attacker to hijack a session where private information is revealed 
	within a chat session, or to cause a denial of service within the application server resulting in 
	a complete crash of the application server (Tomcat).
	
	In most scenarios the application would crash, locking the application server. 

        Risk:  Medium
Vendor Status: Zeacom 
Vulnerability Reference:  CVE-2010-0217

http://www.packetninjas.net/storage/advisories/Zeacom-CVE-2010-0217.txt

Overview:
 Information provided from http://www.zeacom.com

 "Zeacom is a leading provider of advanced Unified Communications solutions that integrate
  real-time communication tools such as presence information, contact routing, conferencing,
  chat and speech recognition with conventional tools such as voicemail, email and fax."

 During a black-box application assessment, application security checks 
 were performed to test the strength of session management within the 
 Zeacom Chat application. 
  
 The Zeacom application handles new sessions through a 10-character string that
 is part of the JSESSIONID, which results in an effective 9 bit entropy level
 for session management. 

Proof of Concept:

By looking at the JSESSIONID, one is able to determine that it is trivial to brute force the session
id (JSESSIONID) space.

Disclosure Timeline:
 April 1st,  2010 - Initial Contact with Zeacom.
 April 6th,  2010 - Zeacom acknowledges the receipt of the initial communication. 
 April 20th, 2010 - Zeacom acknowledges that the version of Zeacom Chat server affected is <= 5.0 SP4.
                  - Zeacom also states that they will not be issuing a patch for customers running <= 5.0 SP4
                    but will be moving clients to their new 5.1 release.

Recommendation:

 - It is recommended to upgrade to the latest version of Zeacom Chat Server. (Version 5.1 or greater)


CVE Information:  CVE-2010-0217

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850      | | o. 866.267.8851 
"Moments of sorrow are moments of sobriety"











-----BEGIN PGP SIGNATURE-----

iD8DBQFN0vtvlZy1vkUrR4MRAjx3AJ9k6Kj3Ih3LVjabVQE0E+DerZeG0wCfY0dI
lKUHztAtnNG6FH4ZphEl7Wc=
=aw+L
-----END PGP SIGNATURE-----
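
Added example, not part of the advisory and not Packetninjas or Zeacom code: a defender-side audit that estimates the effective entropy of session IDs sampled from one's own application, showing how a 10-character ID can carry only 9 bits. The sample IDs are constructed and do not reproduce the Zeacom format; the 36-symbol alphabet and the 64-bit floor are assumptions.

```python
import math
import secrets
from collections import Counter

def nominal_bits(length, alphabet_size):
    """Bits an ID would carry if every character were independent and uniform."""
    return length * math.log2(alphabet_size)

def positional_entropy(ids):
    """Shannon entropy, in bits, of the characters seen at each position."""
    if len({len(s) for s in ids}) != 1:
        raise ValueError("need a non-empty sample of equal-length IDs")
    bits = []
    for column in zip(*ids):
        total = len(column)
        bits.append(-sum(c / total * math.log2(c / total)
                         for c in Counter(column).values()))
    return bits

def effective_bits(ids):
    """Sum of per-position entropy. This is an upper bound on the entropy the
    sample shows: a low value proves weakness, a high value does not prove
    strength (positions may be correlated or derived from a predictable seed)."""
    return sum(positional_entropy(ids))

def audit(ids, min_bits=64):
    """Return (effective_bits, passed); min_bits is an assumed policy floor."""
    bits = effective_bits(ids)
    return bits, bits >= min_bits

# Constructed sample, not real Zeacom IDs: 10 characters, of which a fixed
# 7-character prefix never changes and 3 octal digits vary (8**3 = 512 values).
WEAK_SAMPLE = ["A3F9K2Q" + format(i, "03o") for i in range(512)]
# Comparison sample from the OS CSPRNG: 32 hex characters per ID.
STRONG_SAMPLE = [secrets.token_hex(16) for _ in range(4096)]

if __name__ == "__main__":
    print(f"nominal (10 chars, assumed 36-symbol alphabet): {nominal_bits(10, 36):.1f} bits")
    for name, sample in (("weak", WEAK_SAMPLE), ("strong", STRONG_SAMPLE)):
        bits, passed = audit(sample)
        print(f"{name}: {bits:.1f} effective bits, {'pass' if passed else 'FAIL'}")
```

The length of an ID says little by itself: the constructed weak sample looks like roughly 52 bits on paper but measures 9, which is why the check works from issued IDs rather than from the format.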
