Zeacom Chat Server JSESSIONID weak SessionID Vulnerability

2011.05.23
Risk: Low
Local: No
Remote: No
CWE: CWE-310


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packetninjas L.L.C
www.packetninjas.net

-= Security Advisory =-

Advisory: Zeacom Chat Server JSESSIONID weak SessionID Vulnerability
Release Date: unknown
Last Modified: 09/27/2010
Author: Daniel Clemens [daniel.clemens[at]packetninjas.net]

Application: Zeacom Chat Application <= 5.0 SP4
Severity: Usage of weak

Weak session management exists within the Zeacom web-chat application, enabling brute forcing of the session ID, which can enable the hijacking of another's chat session.

The Zeacom application handles new sessions through a 10 character string (JSESSIONID), resulting in an effective 9 bit entropy level for session management.

The end result of an attack would enable an attacker to hijack a session where private information is revealed within a chat session, or cause a denial of service within the application server resulting in a complete crash of the application server (Tomcat). In most scenarios the application would crash, locking the application server.

Risk: Medium
Vendor Status: Zeacom
Vulnerability Reference: CVE-2010-0217
http://www.packetninjas.net/storage/advisories/Zeacom-CVE-2010-0217.txt

Overview:

Information provided from http://www.zeacom.com

"Zeacom is a leading provider of advanced Unified Communications solutions that integrate real-time communication tools such as presence information, contact routing, conferencing, chat and speech recognition with conventional tools such as voicemail, email and fax."

During evaluation of a blackbox application assessment, routine application security checks were performed to test the strength of session management within the Zeacom Chat application.

The Zeacom application handles new sessions through a 10 character string which is a part of the JSESSIONID, which results in an effective 9 bit entropy level for session management.

Proof of Concept:

By looking at the JSESSIONID, one is able to determine that it is trivial to brute force the session ID (JSESSIONID) space.

Disclosure Timeline:

April 1st, 2010 - Initial contact with Zeacom.
April 6th, 2010 - Zeacom acknowledges the receipt of the initial communication.
April 20th, 2010 - Zeacom acknowledges that the version of Zeacom Chat server affected is <= 5.0 SP4.
                 - Zeacom also states that they will not be issuing a patch for customers running <= 5.0 SP4 but will be moving clients to their new 5.1 release.

Recommendation:

- It is recommended to upgrade to the latest version of Zeacom Chat Server (version 5.1 or greater).

CVE Information: CVE-2010-0217

Daniel Uriah Clemens
Packetninjas L.L.C | http://www.packetninjas.net
c. 205.567.6850 | o. 866.267.8851

"Moments of sorrow are moments of sobriety"

-----BEGIN PGP SIGNATURE-----

iD8DBQFN0vtvlZy1vkUrR4MRAjx3AJ9k6Kj3Ih3LVjabVQE0E+DerZeG0wCfY0dI
lKUHztAtnNG6FH4ZphEl7Wc=
=aw+L
-----END PGP SIGNATURE-----
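A session-ID audit of the kind the advisory describes can be run by the application owner over IDs issued by their own server. The following is an added example, not code from the advisory or from Zeacom: the sample IDs are constructed and do not reproduce the real JSESSIONID layout, and the 64-bit floor is an assumed policy value taken from common session-management guidance.

```python
import math
import secrets
from collections import Counter

MIN_BITS = 64  # assumed policy floor for session-ID entropy


def position_entropy(ids):
    """Shannon entropy, in bits, observed at each character position."""
    length = len(ids[0])
    if any(len(s) != length for s in ids):
        raise ValueError("session IDs must all have the same length")
    bits = []
    for column in zip(*ids):
        total = len(column)
        counts = Counter(column).values()
        bits.append(-sum(c / total * math.log2(c / total) for c in counts))
    return bits


def audit(ids, min_bits=MIN_BITS):
    """Summarise a sample of issued IDs.

    The sum of per-position entropies is an upper bound on the real
    entropy: a low value proves the IDs are weak, while a high value
    does not by itself prove they are strong.
    """
    bits = position_entropy(ids)
    estimate = sum(bits)
    return {
        "length": len(ids[0]),
        "fixed_positions": [i for i, b in enumerate(bits) if b == 0.0],
        "estimated_bits": round(estimate, 2),
        "duplicates": len(ids) - len(set(ids)),
        "weak": estimate < min_bits,
    }


# Constructed sample: 10-character IDs in which only the last three
# characters ever change (hypothetical layout, for illustration only).
WEAK_SAMPLE = ["A1B2C3D%03d" % n for n in range(0, 512, 8)]

# Comparison sample: 128-bit IDs drawn from the OS CSPRNG.
STRONG_SAMPLE = [secrets.token_hex(16) for _ in range(64)]

if __name__ == "__main__":
    print("weak  :", audit(WEAK_SAMPLE))
    print("strong:", audit(STRONG_SAMPLE))
```

Fixed positions and a single-digit bit estimate on a 10-character ID are the pattern the advisory reports; IDs generated from a CSPRNG show no fixed positions and clear the floor.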



Copyright 2020, cxsecurity.com

 
