Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

ACROS Security: Session Fixation Vulnerability in HP SIM 5.0

from [ACROS Security] Network Security [Permanent Link]
Subject: ACROS Security: Session Fixation Vulnerability in HP SIM 5.0
Date: Fri, 18 May 2007 16:11:41 +0200 
=====[BEGIN-ACROS-REPORT]=====

PUBLIC

=========================================================================
ACROS Security Problem Report #2007-05-14-1
-------------------------------------------------------------------------
ASPR #2007-05-14-1: Session Fixation Vulnerability in HP SIM 5.0
=========================================================================

Document ID:     ASPR #2007-05-14-1-PUB
Vendor:          HP (http://www.hp.com)
Target:          HP Systems Insight Manager
Impact:          A session fixation vulnerability in HP SIM 5.0 SP4/5 can
                 be exploited to run arbitrary comands on the servers
                 system 
Severity:        High
Status:          Fixed in SIM 5.1
Discovered by:   Luka Treiber and Aljosa Ocepek of ACROS Security

Current version 
   http://www.acrossecurity.com/aspr/ASPR-2007-05-14-1-PUB.txt


Summary
=======

There is a session fixation vulnerability [1] in HP Systems Insight 
Manager 4.2 and 5.0 SP4/5 (IM) that allows an attacker to gain 
administrative access to IM console. As a result, the attacker can take 
complete administrative control over all managed systems, upload and 
execute malicious code on them, extract any information from them and 
disable them at her will.


Product Coverage
================

- HP Systems Insight Manager 4.2     - affected
- HP Systems Insight Manager 5.0 SP4 - affected
- HP Systems Insight Manager 5.0 SP5 - affected
- HP Systems Insight Manager 5.1     - not affected


Analysis
========

The Systems Insight Manager web application is using a JSESSIONID session 
cookie for maintaining a session with administrator's browser. Apparently, 
the console is vulnerable to session fixation [1] and allows an attacker 
to obtain the session cookie, fix it on administrator's browser and thus 
force him to use that cookie when subsequently logging into the 
administration console. Once the administrator is logged in, the attacker 
can use the same cookie to enter the already logged-in session and assume 
the identity of the administrator. 

After gaining administrative rights, an attacker can do anything the 
administrator could do, including executing arbitrary commands on all 
managed computers. In SIM Service Pack 4, a new cookie JSESSIONIDSSO was 
introduced to fix this issue; however, it was possible to bypass checks 
for the JSESSIONIDSSO cookie and thus still attack the SIM administrator 
with a fixed JSESSIONID cookie.


Solution
========

HP has released a newer version of SIM (SIM 5.1) which fixes this issue.


References
==========

[1] ACROS Security, "Session Fixation Vulnerability in Web-based
    Applications"
    http://www.acrossecurity.com/papers/session_fixation.pdf
    
[2] Hewlett-Packard Security Bulletin
    http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?
    objectID=c01049713


Acknowledgments
===============

We would like to acknowledge HP Software Security Response Team (SSRT) 
for diligent and professional handling of the identified vulnerability.


Contact
=======

ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: security@acrossecurity.com
web:    http://www.acrossecurity.com
phone:  +386 2 3000 280
fax:    +386 2 3000 282

ACROS Security PGP Key
   http://www.acrossecurity.com/pgpkey.asc
   [Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories
   http://www.acrossecurity.com/advisories.htm

ACROS Security Papers
   http://www.acrossecurity.com/papers.htm

ASPR Notification and Publishing Policy
   http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm


Disclaimer
==========

The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.


Revision History
================

May 14, 2007: Initial release


Copyright
=========

(c) 2007 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.

=====[END-ACROS-REPORT]=====
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • ACROS Security: Session Fixation Vulnerability in HP SIM 5.0, ACROS Security <=
Indexes:  [Date] [Thread] [Top] [All Lists]