[NEWS] NetDynamics Session ID is Reusable
From: support@securiteam.com
Date: 11/28/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] NetDynamics Session ID is Reusable
Message-Id: <20011128171215.04120138BF@mail.der-keiler.de>
Date: Wed, 28 Nov 2001 18:12:15 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
NetDynamics Session ID is Reusable
------------------------------------------------------------------------
SUMMARY
It appears that the NetDynamics session management package does not
properly manage its user state table. The session ID generated previous
to that of a legitimate logged-in user remains valid for that user's
account for upwards of 15 seconds after login.
Therefore, it is possible for an attacker who understands the web
application's command mappings to hijack random user sessions.
DETAILS
Vulnerable systems:
NetDynamics version 4.x
NetDynamics version 5.x
This attack can be carried out in the following manner:
An attacker visits the web application's login page, where ndcgi.exe
generates a 'random' session ID, to sample the hidden 'SPIDERSESSION' tag
as well as the 'uniqueValue' tag out of the HTML source.
The attacker must then wait for a legitimate user to log in.
Append both variables to the end of a command request (URL will be
wrapped):
"http://victim/cgi-bin/ndcgi.exe/[command>mapping]/[command]?SPIDERSESSION=
[...]&uniqueValue=XXXXXXXXXXXXX"
The command is executed with the privileges of the victim, and the
attacker now controls the session.
If NetDynamics is configured to allow multiple logins from any domain
(default), the victim will not be alerted to the attack.
Vendor information:
None available - Sun (http://www.sun.com/) was contacted but no response
was ever received.
Workaround:
Configuring NetDynamics to not allow multiple logins from the same domain
will help alert the victim to such an attack being carried out.
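One way to detect the condition described above, added here as an example and not part of the original advisory or of NetDynamics: it flags commands executed under a SPIDERSESSION value that never completed its own login, and lists logins made by other sessions shortly beforehand. The audit record layout, the event names and every sample value are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed audit records: time, client, SPIDERSESSION value, event, account.
# The record layout and every value are assumptions made for this example.
SAMPLE = """\
2001-11-28T18:00:01 192.0.2.10 AAAA1111 issued -
2001-11-28T18:00:03 198.51.100.7 BBBB2222 issued -
2001-11-28T18:00:06 198.51.100.7 BBBB2222 login alice
2001-11-28T18:00:08 198.51.100.7 BBBB2222 command alice
2001-11-28T18:00:14 192.0.2.10 AAAA1111 command alice
2001-11-28T18:05:00 203.0.113.5 CCCC3333 issued -
2001-11-28T18:05:30 203.0.113.5 CCCC3333 login bob
2001-11-28T18:05:40 203.0.113.5 CCCC3333 command bob
"""

def parse(text):
    """Yield (time, client, session ID, event, account) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, sid, event, account = line.split()
        yield datetime.fromisoformat(ts), client, sid, event, account

def find_unauthenticated_commands(text, window=timedelta(seconds=60)):
    """Return alerts for commands run under a session ID that never logged in.

    The advisory reports the stale ID stays valid for upwards of 15 seconds
    after the victim's login, so the correlation window is set wider than that.
    """
    logged_in = set()     # session IDs that completed their own login
    logins = []           # (time, session ID, account) of every login seen
    alerts = []
    for ts, client, sid, event, account in parse(text):
        if event == "login":
            logged_in.add(sid)
            logins.append((ts, sid, account))
        elif event == "command" and sid not in logged_in:
            # Logins by other sessions shortly before: likely affected accounts.
            nearby = [a for t, s, a in logins
                      if s != sid and timedelta(0) <= ts - t <= window]
            alerts.append({"time": ts, "client": client, "session": sid,
                           "ran_as": account, "recent_logins": nearby})
    return alerts

if __name__ == "__main__":
    for alert in find_unauthenticated_commands(SAMPLE):
        print(alert)
```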
ADDITIONAL INFORMATION
The information has been provided by Information Anarchy 2K01
(advisories@nmrc.org).
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.