_______________________________________________________________________________ I N F O R M A T I O N A N A R C H Y 2 K 0 1 www.nmrc.org/InfoAnarchy Nomad Mobile Research Centre A D V I S O R Y www.nmrc.org Phuzzy L0gic [phzy@nmrc.org] 27Nov2001 _______________________________________________________________________________ Platform : Sun Solaris Version 7, 8 Application : NetDynamics 4.x, 5.x Severity : Medium Synopsis -------- It appears that the NetDynamics session management package does not properly manage its user state table. The previously generated session ID to that of a legitimate logged in user remains valid for that account for upwards of 15 seconds after login. Therefore it is possible for an attacker with understanding of the web application's command mappings to hijack random user sessions. Tested configuration -------------------- Testing was done with the following configuration : Sun Solaris 7 (SPARC) Sun Solaris 8 (SPARC) NetDynamics 4.x NetDynamics 5.x Other versions and platforms were not tested but it is assumed that they are also vulnerable. Problem(s) Reported ------------------- This attack can be carried out in the following manner: An attacker visits the web application's login page where ndcgi.exe generates a 'random' session ID to sample the hidden 'SPIDERSESSION' tag as well as the 'uniqueValue' tag out of the html source. The attacker must then wait for a legitimate user to login. Append both variables to the end of a command request (URL will be wrapped): "http://victim/cgi-bin/ndcgi.exe/[command>mapping]/[command]?SPIDERSESSION= [...]&uniqueValue=XXXXXXXXXXXXX" The command is executed with the privileges of the victim, and the attacker now controls the session. If NetDynamics is configured to allow multiple logins from any domain (default), the victim will not be alerted to the attack. Solution/Workaround ------------------- None available -- Sun (http://www.sun.com) was contacted but no response was ever received. Perhaps configuring NetDynamics to not allow multiple logins from the same domain will help alert to such an attack being carried out. Comments/Theory --------------- We attempted to contact Sun regarding this issue several times going as far back as our initial contact on November 9th. Needless to say, that we have received no response to any of our emails, therefore NMRC should not be held liable for any inconsistencies within this report as a result thereof. As per the NMRC disclosure policy, http://www.nmrc.org/advise/policy.txt we have released this advisory without the vendor information. This issue was discovered and tested by Phuzzy L0gic of NMRC and has been released in support of Information Anarchy 2K01 - www.nmrc.org/InfoAnarchy _______________________________________________________________________________