-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                        Packetninjas L.L.C
                       www.packetninjas.net

                    -= Security  Advisory =-

    Advisory:  Zeacom Chat Server JSESSIONID weak SessionID Vulnerability
Release Date:  unknown
Last Modified: 09/27/2010
      Author: Daniel Clemens [daniel.clemens[at]packetninjas.net]

 Application: Zeacom Chat Application <= 5.0 SP4
    Severity: 
    
  Usage of weak Weak Session management exists within the Zeacom web-chat application 
  enabling the bruteforce of the sessionid which can enable the hijacking of anothers chat session. 
  The Zeacom application handles new sessions through a 10 character string (JSESSIONID), 
  resulting in an effective 9 bit entropy level for session management. The end result of an 
  attack would enable an attacker to hijack a session where private information is revealed 
  within a chat session or a denial of service within the application server resulting in 
  a complete crash of the application server. (Tomcat)
  
  In most scenarios the application would crash locking the application server. 

        Risk:  Medium
Vendor Status: Zeacom 
Vulnerability Reference:  CVE-2010-0217

http://www.packetninjas.net/storage/advisories/Zeacom-CVE-2010-0217.txt

Overview:
 Information provided from http://www.zeacom.com

 "Zeacom is a leading provider of advanced Unified Communications solutions that integrate
  real-time communication tools such as presence information, contact routing, conferencing,
  chat and speech recognition with conventional tools such as voicemail, email and fax."

 During evaluation of a blackbox application assessment routine 
 application security checks were performed to test the strength of session 
 management within the Zeacom Chat application. 
  
 The Zeacom application handles new sessions through a 10 character string which
 is a part of the JSESSIONID, which results in an effective 9 bit entropy level
 for session management. 

Proof of Concept:

By looking at the JSESSIONID, one is able to determine that it is trivial to brute force the session
id (JSESSIONID) space.

Disclosure Timeline:
 April 1st,  2010 - Initial Contact with Zeacom.
 April 6th,  2010 - Zeacom acknowledges the receipt of the initial communication. 
 April 20th, 2010 - Zeacom acknowledges that the version of Zeacom Chat server affected is <= 5.0 SP4.
            - Zeacom also states that they will not be issuing a patch for customers running <= 5.0SP4
              but will be moving clients to their new 5.1 release. 
        
Recommendation:

 - It is recommended to upgrade to the latest version of Zeacom Chat Server. (Version 5.1 or greater)


CVE Information:  CVE-2010-0217

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850      | | o. 866.267.8851 
"Moments of sorrow are moments of sobriety"











-----BEGIN PGP SIGNATURE-----

iD8DBQFN0vtvlZy1vkUrR4MRAjx3AJ9k6Kj3Ih3LVjabVQE0E+DerZeG0wCfY0dI
lKUHztAtnNG6FH4ZphEl7Wc=
=aw+L
-----END PGP SIGNATURE-----