Bugtraq mailing list archives

Re: Websphere cookie/sessionid predictable


From: job () itsx com (Job de Haas)
Date: Thu, 27 Sep 2001 19:22:59 +0200 (CEST)

Hi,

> about three weeks ago, I discovered a hole in IBM's websphere 4.0 session ID

I mailed to IBM about this somewhere in March of this year. Although IBM
was very clear to me that they considered this no security problem, they
released a patch three days after my mail. The reason they didn't consider
it a security problem was because their documentation said it was weak or
that it should at least be used with basic authentication tied to the session.
(The patch they released then also was a big kludge btw, but much more random).

> generation. Over a week ago, IBM made a fix for this available, so here is
> the information about the vulnerability:
>
> (everybody who doesn't want to read about this vulnerability and just wants to
> know the patch info: install the eFix PQ47663V302)

The strange thing is they did the same thing then. I recently found Application
Server to have the same problem (same source base). But the big patch cluster
for that also fixes it.

> THE BUG
> during a security assessment for a bank, I collected several sessionids and
> they did not look that random to me ...
>
> SessionID                     TIME
> TWGYLZIAAACVDQ3UUSZQV2I               10:27:12
>
> Actually this cookie is built from four pieces of data:
>
> 1. A 2 byte random generated once at startup (thus constant)
> 2. The local IP number of the system
> 3. A simple counter
> 4. Time in milliseconds mixed with the counter (but not very effective)
>
> You can write a simple decoder which will print them all. And yes it is
> trivial to exploit.

> THANKS
> to the IBM websphere team, which fixed the bug pretty fast for the customer.

Somehow in a weird way.

Greetings,

Job


--
Job de Haas         job () itsx com
ITSX BV      http://www.itsx.com
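As an added illustration, not code from this thread or from IBM: a constructed toy model of the four-part layout the quoted advisory describes (fixed startup random, local IP, counter, time mixed with the counter) next to a CSPRNG-based id, plus the per-position entropy check a reviewer runs over a sample of collected session ids to flag fields that never or barely change. The byte layout, hex encoding, IP, clock step and the additive mixing are assumptions, not WebSphere's real format.

```python
import math
import secrets
import struct
from collections import Counter


class WeakSessionIds:
    """Constructed model of the weak layout from the post (assumed encoding)."""

    def __init__(self, local_ip=(10, 0, 0, 5), start_ms=1_001_600_000_000):
        self.startup_random = secrets.token_bytes(2)  # drawn once, then constant
        self.ip = bytes(local_ip)                     # local IP of the server
        self.counter = 0                              # simple request counter
        self.clock_ms = start_ms                      # simulated ms clock

    def next_id(self):
        self.counter += 1
        self.clock_ms += 3                            # assumed ~3 ms between requests
        mixed = (self.clock_ms + self.counter) & 0xFFFFFFFF   # "mixed" with counter
        raw = self.startup_random + self.ip + struct.pack(">HI", self.counter & 0xFFFF, mixed)
        return raw.hex()


def strong_session_id():
    """Hardened form: 128 bits straight from the OS CSPRNG, no structure."""
    return secrets.token_hex(16)


def position_entropy(ids):
    """Shannon entropy (bits) of each character position across the sample."""
    n = len(ids)
    result = []
    for pos in range(len(ids[0])):
        counts = Counter(s[pos] for s in ids)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def count_low_entropy_positions(ids, threshold_bits=1.0):
    """Positions that are constant or nearly so: fixed fields or slow counters."""
    return sum(1 for h in position_entropy(ids) if h < threshold_bits)


def compare(samples=200):
    """Low-entropy position counts for the weak model and the hardened ids."""
    gen = WeakSessionIds()
    weak = [gen.next_id() for _ in range(samples)]
    strong = [strong_session_id() for _ in range(samples)]
    return count_low_entropy_positions(weak), count_low_entropy_positions(strong)
```

A real review works on ids captured from the application rather than the toy generator; a large share of near-constant positions is the signal that the id carries static or predictable fields rather than randomness.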


