[VulnWatch] Jetty Session ID Prediction

From: NGSSoftware Insight Security Research (nisr@private)
Date: Mon Feb 05 2007 - 05:35:40 PST


=======
Summary
=======

Name: Jetty Session Id Prediction
Release Date:  5 February 2007
Reference: NGS00471
Discover: Chris Anley <chris@private>
Vendor: Mortbay
Systems Affected: Jetty prior to versions 4.2.27, 5.1.12, 6.0.2 and
6.1.0pre3
Risk: High
Status: Fixed

========
TimeLine
========

Discovered: 17 November 2006
Reported: 22 November 2006
Fixed: 25 November 2006
Published: 5 February 2007

===========
Description
===========

Versions of Jetty, the popular java web server, are vulnerable to a
session id prediction attack.

Jetty uses java.util.Random to generate session ids. The internal state
of this generator can be easily discovered, leading to an attacker being
able to hijack existing and future sessions.

=================
Technical Details
=================

java.util.random implements a linear congruential generator, of the
following form:

synchronized protected int next(int bits) {
           seed = (seed * 0x5DEECE66DL + 0xBL) & ((1L << 48) - 1);
           return (int)(seed >>> (48 - bits));
     }

Jetty generates a 64-bit session id by generating two 32-bit numbers in
this way, so we end up with an encoded 64-bit integer. By decoding the
integer and splitting it into its two component 32-bit integers, we can
easily brute-force the generator's internal state. Once the state is
discovered, the generator can be run both forwards and backwards, so an
attacker can determine previously generated session ids, as well as
session ids that have not yet been generated. This allows the attacker
to hijack any existing session, and perform any actions that the
original user of the session could perform. Obviously the severity of
this issue varies from application to application but we believe it
warrants at least a "high" risk rating.

NGS have developed proof of concept code for this issue that implements
a session predictor for this bug. It takes a session id as input and
outputs candidates for the next 5 and previous 5 session ids. It is
necessary to output 7 candidate session ids for each iteration because
Jetty encodes the session id in a number base from 30 to 36 depending on
the millisecond in which the session id was generated. The underlying
64-bit integer is the same, just represented in bases 30-36. Here is
some example output:

H:\jetty_rand\Debug>jetty_rand.exe g4sse9e7fs5ee
Radix: 30
Found seed: 5346772124980067

Session -5:
27s4jsk03074k
1gbb661e0l6mp
11ctqbu24shqo
nqqa46cv6ovh
h4xlr7d8n98c
cg9x29g6vfna
9568uhp0c7yw

Session -4:
586o97hbtkkis
3h9o0c9eglm5q
2dpgen12bekgo
1mf3ar81r4e7d
15vq2mdv83nmo
t13aedmjm4ts
lamwq2jurlzs

Session -3:
c2kqln033ior
8d98tft18mgj
5u715san1m0b
47rifnwhompl
31pb1t2496ef
27mbqm91n0gc
1mksf8xjn6kr

Session -2:
h5n7ft13ak1nr
biif83e4tlq37
7tj3f6tclak5h
5fpk27ulvu2nu
3s5vpubx7ekc9
2om684eem9iy2
1xf0lar1nqpwx

Session -1:
66isdajhm658g
463l7trqe65oo
2rodl8h2bjkb4
1wdl0j3wqr6tj
1d3hc9k0gm9ja
y8hj85q65rxq
p49erbpgioo4

Session 0:
g4sse9e7fs5ee
as3iaiqcjo82g
7eeb56egthkrm
54w87w5wtpwfk
3kdimj6vemoce
2iybbcyacjqk9
1t9qijf82uk52

The issue affects a great many products that are based on Jetty, such as
Apache Geronimo:
http://geronimo.apache.org/

The latest version (2.0) of Geronimo is not vulnerable to this issue.
Version 1.1 and prior are vulnerable however, and this issue can be used
to hijack a session to the administrative console.

A further 98 projects based on Jetty are listed on the Jetty website at:
http://www.mortbay.com/powered.html

===============
Fix Information
===============

This issue was fixed in the source code on the 22nd of November 2006,
less than 6 hours after it was reported. The issue is fixed in released
versions 4.2.27, 5.1.12, 6.0.2 and 6.1.0pre3.

The changes can be viewed here:

http://fisheye.codehaus.org/changelog/jetty/?cs=1274

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070



--
E-MAIL DISCLAIMER

The information contained in this email and any subsequent
correspondence is private, is solely for the intended recipient(s) and
may contain confidential or privileged information. For those other than
the intended recipient(s), any disclosure, copying, distribution, or any
other action taken, or omitted to be taken, in reliance on such
information is prohibited and may be unlawful. If you are not the
intended recipient and have received this message in error, please
inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission
or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security
Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
4BF with Company Number 04225835 and VAT Number 783096402



This archive was generated by hypermail 2.1.3 : Fri Feb 09 2007 - 10:26:02 PST