CVE-2010-0217 - Zeacom Chat Server JSESSIONID weak SessionID Vulnerability
Packetninjas L.L.C
www.packetninjas.net
-= Security Advisory =-
Advisory: Zeacom Chat Server JSESSIONID weak SessionID Vulnerability
Release Date: unknown
Last Modified: 09/27/2010
Author: Daniel Clemens [daniel.clemens[at]packetninjas.net]
Application: Zeacom Chat Application <= 5.0 SP4
Severity:
Weak session management exists within the Zeacom web-chat application,
enabling brute forcing of the session ID, which can enable the hijacking
of another user's chat session.
The Zeacom application handles new sessions through a 10 character string
(JSESSIONID), resulting in an effective 9 bit entropy level for session
management. The end result of an attack would enable an attacker to hijack
a session where private information is revealed within a chat session, or
cause a denial of service within the application server, resulting in a
complete crash of the application server (Tomcat).
In most scenarios the application would crash, locking the application server.
Risk: Medium
Vendor Status: Zeacom
Vulnerability Reference: CVE-2010-0217
http://www.packetninjas.net/storage/advisories/Zeacom-CVE-2010-0217.txt
Overview:
Information provided from http://www.zeacom.com
"Zeacom is a leading provider of advanced Unified Communications solutions
that integrate real-time communication tools such as presence information,
contact routing, conferencing, chat and speech recognition with conventional
tools such as voicemail, email and fax."
During evaluation of a blackbox application assessment, routine application
security checks were performed to test the strength of session management
within the Zeacom Chat application.
The Zeacom application handles new sessions through a 10 character string
which is a part of the JSESSIONID, which results in an effective 9 bit
entropy level for session management.
Proof of Concept:
By looking at the JSESSIONID, one is able to determine that it is trivial
to brute force the session id (JSESSIONID) space.
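One way to check a deployment for the weakness described above, as an added example that is not part of the original advisory: it sums the Shannon entropy observed at each character position across a sample of issued session IDs. The weak sample is constructed to mirror the 10 character / 9 bit figures and is not real Zeacom token data; the function names and the 64-bit floor (taken from OWASP session management guidance) are assumptions.

```python
import math
import secrets
from collections import Counter
from itertools import product

MIN_BITS = 64  # assumption: floor taken from OWASP session management guidance


def positional_entropy(session_ids):
    """Shannon entropy (bits) observed at each character position."""
    length = len(session_ids[0])
    if any(len(s) != length for s in session_ids):
        raise ValueError("session IDs must share one length")
    bits = []
    for column in zip(*session_ids):
        total = len(column)
        counts = Counter(column).values()
        bits.append(-sum(c / total * math.log2(c / total) for c in counts))
    return bits


def audit(session_ids, min_bits=MIN_BITS):
    """Sum per-position entropy. This is an upper bound: correlated
    positions carry less entropy than the sum suggests."""
    per_pos = positional_entropy(session_ids)
    total = sum(per_pos)
    return {
        "length": len(per_pos),
        "static_positions": [i for i, b in enumerate(per_pos) if b == 0],
        "effective_bits": round(total, 2),
        "passes": total >= min_bits,
    }


def constructed_weak_ids():
    """Constructed sample, not real Zeacom tokens: 10 characters, of which
    only 3 vary over 8 symbols each (3 x 3 bits = 9 bits)."""
    return ["SESSION" + "".join(t) for t in product("ABCDEFGH", repeat=3)]


def csprng_ids(n=512):
    """Reference sample: 128-bit tokens from the OS CSPRNG."""
    return [secrets.token_hex(16) for _ in range(n)]


if __name__ == "__main__":
    print("weak  :", audit(constructed_weak_ids()))
    print("strong:", audit(csprng_ids()))
```

A token can be 10 characters long and still fail the audit, because only the positions that actually vary contribute entropy.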
Disclosure Timeline:
April 1st, 2010 - Initial Contact with Zeacom.
April 6th, 2010 - Zeacom acknowledges the receipt of the initial communication.
April 20th, 2010 - Zeacom acknowledges that the version of Zeacom Chat server affected is <= 5.0 SP4.
                 - Zeacom also states that they will not be issuing a patch for customers running <= 5.0SP4
                   but will be moving clients to their new 5.1 release.
Recommendation:
- It is recommended to upgrade to the latest version of Zeacom Chat Server. (Version 5.1 or greater)
CVE Information: CVE-2010-0217
| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850 | | o. 866.267.8851
"Moments of sorrow are moments of sobriety"