NMRC Advisory - NetDynamics Session ID is Reusable

[Information Anarchy 2K01 <advisories () nmrc org>]

_______________________________________________________________________________

                   I N F O R M A T I O N  A N A R C H Y  2 K 0 1
                             www.nmrc.org/InfoAnarchy


                          Nomad Mobile Research Centre
                                 A D V I S O R Y
                                  www.nmrc.org
                          Phuzzy L0gic [phzy () nmrc org]
                                   27Nov2001

_______________________________________________________________________________

                              Platform : Sun Solaris Version 7, 8
                           Application : NetDynamics 4.x, 5.x
                              Severity : Medium


Synopsis
--------

It appears that the NetDynamics session management package does not
properly manage its user state table. The previously generated session ID
to that of a legitimate logged in user remains valid for that account for
upwards of 15 seconds after login.

Therefore it is possible for an attacker with understanding of the web
application's command mappings to hijack random user sessions.

Tested configuration
--------------------

Testing was done with the following configuration :

Sun Solaris 7 (SPARC)
Sun Solaris 8 (SPARC)
NetDynamics 4.x
NetDynamics 5.x

Other versions and platforms were not tested but it is assumed
that they are also vulnerable.

Problem(s) Reported
-------------------

This attack can be carried out in the following manner:

An attacker visits the web application's login page where ndcgi.exe
generates a 'random' session ID to sample the hidden 'SPIDERSESSION'
tag as well as the 'uniqueValue' tag out of the html source.

The attacker must then wait for a legitimate user to login.

Append both variables to the end of a command request (URL will be wrapped):

"http://victim/cgi-bin/ndcgi.exe/[command>mapping]/[command]?SPIDERSESSION=
[...]&uniqueValue=XXXXXXXXXXXXX"

The command is executed with the privileges of the victim, and the
attacker now controls the session.

If NetDynamics is configured to allow multiple logins from any domain
(default), the victim will not be alerted to the attack.


Solution/Workaround
-------------------

None available -- Sun (http://www.sun.com) was contacted but no response
was ever received.

Perhaps configuring NetDynamics to not allow multiple logins from the same
domain will help alert to such an attack being carried out.


Comments/Theory
---------------

We attempted to contact Sun regarding this issue several times going as
far back as our initial contact on November 9th.  Needless to say, that we
have received no response to any of our emails, therefore NMRC should not
be held liable for any inconsistencies within this report as a result
thereof.

As per the NMRC disclosure policy, http://www.nmrc.org/advise/policy.txt
we have released this advisory without the vendor information.

This issue was discovered and tested by Phuzzy L0gic of NMRC and has been
released in support of Information Anarchy 2K01 - www.nmrc.org/InfoAnarchy


_______________________________________________________________________________