SecuriTeam - NetDynamics Session ID is Reusable

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

It appears that the NetDynamics session management package does not properly manage its user state table. The previously generated session ID to that of a legitimate logged in user remains valid for that account for upwards of 15 seconds after login.

Therefore, it is possible for an attacker with understanding of the web application's command mappings to hijack random user sessions.

Credit:
The information has been provided by Information Anarchy 2K01.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable systems:
NetDynamics version 4.x
NetDynamics version 5.x

This attack can be carried out in the following manner:

An attacker visits the web application's login page where ndcgi.exe generates a 'random' session ID to sample the hidden 'SPIDERSESSION' tag as well as the 'uniqueValue' tag out of the html source.

The attacker must then wait for a legitimate user to login.

Append both variables to the end of a command request (URL will be wrapped):

"http://victim/cgi-bin/ndcgi.exe/[command>mapping]/[command]?SPIDERSESSION=
[...]&uniqueValue=XXXXXXXXXXXXX"

The command is executed with the privileges of the victim, and the attacker now controls the session.

If NetDynamics is configured to allow multiple logins from any domain (default), the victim will not be alerted to the attack.

Vendor information:
None available - Sun was contacted but no response was ever received.

Workaround:
Configuring NetDynamics to not allow multiple logins from the same domain will help alert to such an attack being carried out.

blog comments powered by Disqus

	HP Data Protector LogBackupLocationStatus SQL Injection Vulnerabilty
	InduSoft WebStudio Unauthenticated Operations Code Execution Vulnerabilityy
	InduSoft WebStudio CEServer Operation 0x15 Code Execution Vulnerability
	HP Data Protector Notebook Extension RequestCopy SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension GetPolicies SQL Injection Vulnerabilty
	GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability
	HP Data Protector Notebook Extension LogClientHealth SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension LogCopyOperation SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension FinishedCopy SQL Injection Vulnerabilty
	Novell ZENWorks Software Packaging ISGrid.Grid2.1 Text Parameter Code Execution Vulnerabilit
	Adobe Reader BMP Image RLE Decoding Code Execution Vulnerability
	Apple QuickTime H264 Matrix Conversion Code Execution Vulnerability
	Apple QuickTime FLC Delta Decompression Code Execution Vulnerability
	Apple Quicktime PnPixPat PatType 3 Parsing Code Execution Vulnerability