Full Disclosure mailing list archives

CVE-2010-0217 - Zeacom Chat Server JSESSIONID weak SessionID Vulnerability


From: Daniel Clemens <daniel.clemens () packetninjas net>
Date: Tue, 17 May 2011 17:49:15 -0500


                        Packetninjas L.L.C
                       www.packetninjas.net

                    -= Security  Advisory =-

    Advisory:  Zeacom Chat Server JSESSIONID weak SessionID Vulnerability
Release Date:  unknown
Last Modified: 09/27/2010
      Author: Daniel Clemens [daniel.clemens[at]packetninjas.net]

 Application: Zeacom Chat Application <= 5.0 SP4
    Severity: 
    
        Weak session management in the Zeacom web-chat application enables brute-forcing 
        of the session identifier, which can allow the hijacking of another user's chat session. 
        The Zeacom application handles new sessions through a 10 character string (JSESSIONID), 
        resulting in an effective 9 bit entropy level for session management. A successful 
        attack would let an attacker hijack a session in which private information is revealed 
        within the chat, or cause a denial of service on the application server (Tomcat) 
        resulting in a complete crash of the application server.
        
        In most scenarios the application would crash, locking the application server. 

        Risk:  Medium
Vendor Status: Zeacom 
Vulnerability Reference:  CVE-2010-0217

http://www.packetninjas.net/storage/advisories/Zeacom-CVE-2010-0217.txt

Overview:
 Information provided from http://www.zeacom.com

 "Zeacom is a leading provider of advanced Unified Communications solutions that integrate
  real-time communication tools such as presence information, contact routing, conferencing,
  chat and speech recognition with conventional tools such as voicemail, email and fax."

 During a blackbox application assessment, application security checks were 
 performed to test the strength of session management within the Zeacom 
 Chat application. 
  
 The Zeacom application handles new sessions through a 10 character string which
 is part of the JSESSIONID, resulting in an effective 9 bit entropy level
 for session management. 

Proof of Concept:

By examining the JSESSIONID, one is able to determine that it is trivial to brute force the
session id space.
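
The entropy figure given in the Overview and the brute-force claim above can be checked from a
sample of issued identifiers. The following Python is an added example, not part of the original
advisory or of Zeacom's code: it sums per-position Shannon entropy over captured session IDs and
compares the result against a floor. Both samples are constructed here (a 10-character identifier in
which only two positions vary, mirroring the 9 bit figure, beside a 32-character random one), and
the 64-bit floor is an assumed threshold taken from OWASP session-management guidance.

```python
from collections import Counter
from math import log2
from random import Random

MIN_ENTROPY_BITS = 64  # assumed acceptance floor, per OWASP session-management guidance


def shannon_bits(symbols):
    """Shannon entropy, in bits, of the empirical distribution of `symbols`."""
    total = len(symbols)
    return -sum(n / total * log2(n / total) for n in Counter(symbols).values())


def per_position_entropy(ids):
    """Bits contributed by each character position across the sampled identifiers."""
    length = len(ids[0])
    if any(len(sid) != length for sid in ids):
        raise ValueError("all sampled identifiers must have the same length")
    return [shannon_bits([sid[pos] for sid in ids]) for pos in range(length)]


def effective_entropy(ids):
    """Sum of per-position entropies.

    Treating positions as independent makes this an upper bound on the true
    entropy: correlated positions can only lower it. A small sample biases the
    estimate downward instead, so collect enough identifiers before concluding.
    """
    return sum(per_position_entropy(ids))


def assess(ids, minimum=MIN_ENTROPY_BITS):
    """Summarise a sample: identifier length, estimated bits, and whether it meets the floor."""
    bits = effective_entropy(ids)
    return {"length": len(ids[0]), "bits": round(bits, 2), "adequate": bits >= minimum}


# Constructed weak sample: ten characters, but only the last two ever vary (one over
# 16 symbols, one over 32), so the whole space holds just 512 identifiers, i.e. 9 bits.
SYM16 = "0123456789ABCDEF"
SYM32 = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
WEAK_IDS = ["A1B2C3D4" + a + b for a in SYM16 for b in SYM32]

# Constructed contrast: 32 hex characters drawn uniformly (seeded only for repeatability).
_rng = Random(2010)
STRONG_IDS = ["".join(_rng.choices(SYM16, k=32)) for _ in range(2000)]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_IDS), ("strong", STRONG_IDS)):
        print(name, assess(sample))
```

Replace the constructed lists with identifiers captured from your own server to assess a real deployment.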

Disclosure Timeline:
 April 1st,  2010 - Initial contact with Zeacom.
 April 6th,  2010 - Zeacom acknowledges the receipt of the initial communication. 
 April 20th, 2010 - Zeacom acknowledges that the version of Zeacom Chat server affected is <= 5.0 SP4.
                  - Zeacom also states that they will not be issuing a patch for customers running <= 5.0 SP4
                    but will be moving clients to their new 5.1 release. 

Recommendation:

 - It is recommended to upgrade to the latest version of Zeacom Chat Server. (Version 5.1 or greater)


CVE Information:  CVE-2010-0217

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850      | | o. 866.267.8851 
"Moments of sorrow are moments of sobriety"

