-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Packetninjas L.L.C
www.packetninjas.net
-= Security Advisory =-
Advisory: Zeacom Chat Server JSESSIONID weak SessionID Vulnerability
Release Date: unknown
Last Modified: 09/27/2010
Author: Daniel Clemens [daniel.clemens[at]packetninjas.net]
Application: Zeacom Chat Application <= 5.0 SP4
Severity:
Usage of weak Weak Session management exists within the Zeacom web-chat application
enabling the bruteforce of the sessionid which can enable the hijacking of anothers chat session.
The Zeacom application handles new sessions through a 10 character string (JSESSIONID),
resulting in an effective 9 bit entropy level for session management. The end result of an
attack would enable an attacker to hijack a session where private information is revealed
within a chat session or a denial of service within the application server resulting in
a complete crash of the application server. (Tomcat)
In most scenarios the application would crash locking the application server.
Risk: Medium
Vendor Status: Zeacom
Vulnerability Reference: CVE-2010-0217
http://www.packetninjas.net/storage/advisories/Zeacom-CVE-2010-0217.txt
Overview:
Information provided from http://www.zeacom.com
"Zeacom is a leading provider of advanced Unified Communications solutions that integrate
real-time communication tools such as presence information, contact routing, conferencing,
chat and speech recognition with conventional tools such as voicemail, email and fax."
During evaluation of a blackbox application assessment routine
application security checks were performed to test the strength of session
management within the Zeacom Chat application.
The Zeacom application handles new sessions through a 10 character string which
is a part of the JSESSIONID, which results in an effective 9 bit entropy level
for session management.
Proof of Concept:
By looking at the JSESSIONID, one is able to determine that it is trivial to brute force the session
id (JSESSIONID) space.
Disclosure Timeline:
April 1st, 2010 - Initial Contact with Zeacom.
April 6th, 2010 - Zeacom acknowledges the receipt of the initial communication.
April 20th, 2010 - Zeacom acknowledges that the version of Zeacom Chat server affected is <= 5.0 SP4.
- Zeacom also states that they will not be issuing a patch for customers running <= 5.0SP4
but will be moving clients to their new 5.1 release.
Recommendation:
- It is recommended to upgrade to the latest version of Zeacom Chat Server. (Version 5.1 or greater)
CVE Information: CVE-2010-0217
| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850 | | o. 866.267.8851
"Moments of sorrow are moments of sobriety"
-----BEGIN PGP SIGNATURE-----
iD8DBQFN0vtvlZy1vkUrR4MRAjx3AJ9k6Kj3Ih3LVjabVQE0E+DerZeG0wCfY0dI
lKUHztAtnNG6FH4ZphEl7Wc=
=aw+L
-----END PGP SIGNATURE-----