
CVE-2010-0217 - Zeacom Chat Server JSESSIONID weak SessionID Vulnerability



                        Packetninjas L.L.C
                       www.packetninjas.net

                    -= Security  Advisory =-

    Advisory:  Zeacom Chat Server JSESSIONID weak SessionID Vulnerability
Release Date:  unknown
Last Modified: 09/27/2010
      Author: Daniel Clemens [daniel.clemens[at]packetninjas.net]

 Application: Zeacom Chat Application <= 5.0 SP4
    Severity:

        Weak session management exists within the Zeacom web-chat application,
        enabling brute force of the session id, which can allow the hijacking
        of another user's chat session. The Zeacom application handles new
        sessions through a 10 character string (JSESSIONID), resulting in an
        effective 9 bit entropy level for session management. The end result
        of an attack would enable an attacker to hijack a session in which
        private information is revealed within a chat session, or to cause a
        denial of service within the application server (Tomcat) resulting in
        a complete crash of the application server.

        In most scenarios the application would crash, locking the application
        server.

        Risk:  Medium
Vendor Status: Zeacom
Vulnerability Reference:  CVE-2010-0217

http://www.packetninjas.net/storage/advisories/Zeacom-CVE-2010-0217.txt

Overview:
 Information provided from http://www.zeacom.com

 "Zeacom is a leading provider of advanced Unified Communications solutions
  that integrate real-time communication tools such as presence information,
  contact routing, conferencing, chat and speech recognition with conventional
  tools such as voicemail, email and fax."

 During a blackbox application assessment, routine application security
 checks were performed to test the strength of session management within
 the Zeacom Chat application.

 The Zeacom application handles new sessions through a 10 character string
 which is part of the JSESSIONID, which results in an effective 9 bit entropy
 level for session management.

Proof of Concept:

By looking at the JSESSIONID, one is able to determine that it is trivial to
brute force the session id (JSESSIONID) space.
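The overview and the proof of concept both rest on one measurement: how much of the 10 character JSESSIONID actually varies between sessions. The following is an added example (not part of this advisory, and not Zeacom's or Tomcat's code) of the kind of check an assessor runs over a sample of collected session ids to estimate their effective entropy; the sample ids below are constructed for illustration and are not real Zeacom values.

```python
import math
from collections import Counter

# Constructed sample: ids an assessor might collect by opening fresh sessions.
# Positions 0-5, 7 and 8 never change and positions 6 and 9 draw from a tiny
# alphabet, so the token carries far less entropy than its length suggests.
SAMPLE_IDS = [
    "ZC1A00A7F2", "ZC1A00A7F3", "ZC1A00A7F4", "ZC1A00B7F2", "ZC1A00B7F3",
    "ZC1A00B7F4", "ZC1A00C7F2", "ZC1A00C7F3", "ZC1A00C7F4", "ZC1A00D7F2",
]

def position_entropy(ids, pos):
    """Shannon entropy, in bits, of the character observed at one position."""
    counts = Counter(s[pos] for s in ids)
    n = len(ids)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def estimate_entropy(ids):
    """Sum of per-position entropies: an estimate of the token's entropy in
    bits that assumes positions are independent (they often are not, so the
    true figure can be lower still, never higher)."""
    if not ids or len({len(s) for s in ids}) != 1:
        raise ValueError("need a non-empty sample of equal-length ids")
    return sum(position_entropy(ids, p) for p in range(len(ids[0])))

def max_bits(length, alphabet_size):
    """Entropy the token could carry if every position were uniformly random."""
    return length * math.log2(alphabet_size)

def assess(ids, minimum_bits=64):
    """Flag a session id scheme whose estimated entropy is below minimum_bits
    (64 bits is the commonly cited floor for web session identifiers)."""
    est = estimate_entropy(ids)
    fixed = [p for p in range(len(ids[0])) if position_entropy(ids, p) == 0]
    return {
        "estimated_bits": round(est, 2),
        "fixed_positions": fixed,
        "weak": est < minimum_bits,
    }

if __name__ == "__main__":
    print("estimated: %.2f bits" % estimate_entropy(SAMPLE_IDS))
    print("possible for 10 chars of [A-Z0-9]: %.2f bits" % max_bits(10, 36))
    print(assess(SAMPLE_IDS))
```

A sample of a few thousand ids collected over time gives a far more reliable estimate than ten; the per-position view is what exposes fixed prefixes and counters that a raw length check would miss.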

Disclosure Timeline:
 April 1st,  2010 - Initial contact with Zeacom.
 April 6th,  2010 - Zeacom acknowledges the receipt of the initial
                    communication.
 April 20th, 2010 - Zeacom acknowledges that the version of Zeacom Chat
                    server affected is <= 5.0 SP4.
                  - Zeacom also states that they will not be issuing a patch
                    for customers running <= 5.0 SP4 but will be moving
                    clients to their new 5.1 release.
                                
Recommendation:

 - It is recommended to upgrade to the latest version of Zeacom Chat Server
   (version 5.1 or greater).


CVE Information:  CVE-2010-0217

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850      | | o. 866.267.8851 
"Moments of sorrow are moments of sobriety"
