CVE-2012-6494 - Nexpose Security Console - Session Hijacking
Product: Nexpose Security Console
Vendor: Rapid7
Version: < 5.5.3
Tested Version: 5.5.1
Vendor Notified Date: December 19, 2012
Release Date: January 2, 2013
Risk: Medium
Authentication: Access to logs required.
Remote: Yes
Description:
Due to a flaw in the way the Nexpose Security Console logs session data, it is possible to capture the session of a logged-in user.
This is especially relevant when a central logging system is in use and system administrators have access to the logs but not to the security console.
By capturing a user's session as shown in the proof-of-concept below, an attacker can gain access to the already logged-in account. Once the attacker has this information, they can hijack the established session and impersonate its owner in a variety of contexts.
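The root cause described above is that a replayable session identifier is written to auth.log, where anyone with log access (including a central log host) can read it. Until the console is upgraded, the practical control is to keep that value out of forwarded logs. The Python below is an added example written for this page; it is not Rapid7 code. The advisory only says the value appears after "Registered session" in auth.log, so the exact line layout, the cookie-name patterns and the sample lines are constructed assumptions. It replaces each identifier with a truncated one-way hash so lines about the same session still correlate, and it includes a check to run against what actually arrives at the central log host.

```python
import hashlib
import re

# Constructed example, not part of the advisory or of Rapid7's product.
# Assumed log layouts: the advisory only states that the session value
# follows "Registered session" in auth.log; the cookie names come from the
# advisory's step 4. "(?!sess:)" skips values this script already rewrote.
SESSION_LOG_RE = re.compile(
    r"(Registered session\s*[:=]?\s*)(?!sess:)([A-Za-z0-9._-]{8,})")
SESSION_COOKIE_RE = re.compile(
    r"((?:nexposeCCSessionID|JSESSIONID)=)(?!sess:)([^;\s'\"]+)")


def pseudonymize(token: str) -> str:
    """Truncated SHA-256 of the identifier: the same session maps to the
    same label on every line (so incidents can still be correlated), but
    the label cannot be replayed as a cookie."""
    return "sess:" + hashlib.sha256(token.encode()).hexdigest()[:12]


def redact_session_ids(line: str) -> str:
    """Rewrite any session identifier in one log line before forwarding."""
    line = SESSION_LOG_RE.sub(
        lambda m: m.group(1) + pseudonymize(m.group(2)), line)
    line = SESSION_COOKIE_RE.sub(
        lambda m: m.group(1) + pseudonymize(m.group(2)), line)
    return line


def sanitize(lines):
    """Sanitize a batch of lines (e.g. what a shipper reads from auth.log)."""
    return [redact_session_ids(line) for line in lines]


def find_leaks(lines):
    """Return (index, line) pairs that still carry a raw session identifier.
    Run this on the receiving side to verify the filter is actually applied."""
    return [(i, line) for i, line in enumerate(lines)
            if SESSION_LOG_RE.search(line) or SESSION_COOKIE_RE.search(line)]


# Constructed sample of a leaking auth.log; the token is made up.
SAMPLE_TOKEN = "8F3C2A9E1B7D4C6E0A1B2C3D4E5F6A7B"
SAMPLE_AUTH_LOG = [
    "2012-12-19T10:00:01 INFO  Authenticated user 'nxadmin' from 10.0.0.5",
    "2012-12-19T10:00:01 INFO  Registered session " + SAMPLE_TOKEN,
    "2012-12-19T10:00:02 DEBUG Cookie: nexposeCCSessionID=" + SAMPLE_TOKEN
    + ";time-zone-offset=000",
    "2012-12-19T10:05:12 INFO  Authentication failed for user 'guest'",
]

if __name__ == "__main__":
    print("raw leaks:", len(find_leaks(SAMPLE_AUTH_LOG)))
    for line in sanitize(SAMPLE_AUTH_LOG):
        print(line)
    print("leaks after sanitizing:", len(find_leaks(sanitize(SAMPLE_AUTH_LOG))))
```

Wire `redact_session_ids` into whatever forwards auth.log (a syslog or agent filter stage), and schedule `find_leaks` on the central side: the advisory's scenario is precisely that the log host is the untrusted party, so the check belongs where the data lands, not only where it is produced.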
Exploit steps for proof-of-concept:
1. Nexpose admin logs in.
2. While monitoring auth.log, the "Registered session" value is captured.
3. A request to the security console is made and intercepted using a proxy.
4. 'JSESSIONID=<session>' is replaced by 'nexposeCCSessionID=<SESSION-CAPTURED-IN-STEP-2>;time-zone-offset=000'.
5. Success.
Vendor Notified: Yes
Vendor Response: Quickly escalated and resolved.
Vendor Update: Remediated in 5.5.4.
Reference:
CVE-2012-6494
https://community.rapid7.com/docs/DOC-2065#release5
https://www.owasp.org/index.php/Session_hijacking_attack
Credit:
Robert Gilbert
HALOCK Security Labs