BugTraq
CVE-2010-0217 - Zeacom Chat Server JSESSIONID weak SessionID Vulnerability May 17 2011 10:49PM
Daniel Clemens (daniel clemens packetninjas net)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packetninjas L.L.C
www.packetninjas.net

-= Security Advisory =-

Advisory: Zeacom Chat Server JSESSIONID weak SessionID Vulnerability
Release Date: unknown
Last Modified: 09/27/2010
Author: Daniel Clemens [daniel.clemens[at]packetninjas.net]

Application: Zeacom Chat Application <= 5.0 SP4
Severity:

Usage of weak Weak Session management exists within the Zeacom web-chat application
enabling the bruteforce of the sessionid which can enable the hijacking of anothers chat session.
The Zeacom application handles new sessions through a 10 character string (JSESSIONID),
resulting in an effective 9 bit entropy level for session management. The end result of an
attack would enable an attacker to hijack a session where private information is revealed
within a chat session or a denial of service within the application server resulting in
a complete crash of the application server. (Tomcat)

In most scenarios the application would crash locking the application server.

Risk: Medium
Vendor Status: Zeacom
Vulnerability Reference: CVE-2010-0217

http://www.packetninjas.net/storage/advisories/Zeacom-CVE-2010-0217.txt

Overview:
Information provided from http://www.zeacom.com

"Zeacom is a leading provider of advanced Unified Communications solutions that integrate
real-time communication tools such as presence information, contact routing, conferencing,
chat and speech recognition with conventional tools such as voicemail, email and fax."

During evaluation of a blackbox application assessment routine
application security checks were performed to test the strength of session
management within the Zeacom Chat application.

The Zeacom application handles new sessions through a 10 character string which
is a part of the JSESSIONID, which results in an effective 9 bit entropy level
for session management.

Proof of Concept:

By looking at the JSESSIONID, one is able to determine that it is trivial to brute force the session
id (JSESSIONID) space.

Disclosure Timeline:
April 1st, 2010 - Initial Contact with Zeacom.
April 6th, 2010 - Zeacom acknowledges the receipt of the initial communication.
April 20th, 2010 - Zeacom acknowledges that the version of Zeacom Chat server affected is <= 5.0 SP4.
- Zeacom also states that they will not be issuing a patch for customers running <= 5.0SP4
but will be moving clients to their new 5.1 release.

Recommendation:

- It is recommended to upgrade to the latest version of Zeacom Chat Server. (Version 5.1 or greater)

CVE Information: CVE-2010-0217

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850 | | o. 866.267.8851
"Moments of sorrow are moments of sobriety"

-----BEGIN PGP SIGNATURE-----

iD8DBQFN0vtvlZy1vkUrR4MRAjx3AJ9k6Kj3Ih3LVjabVQE0E+DerZeG0wCfY0dI
lKUHztAtnNG6FH4ZphEl7Wc=
=aw+L
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus