CVE-2004-0944
CVSS 5.0
Published: 2004-02-28 00:00:00
Revised: 2008-09-05 16:39:52

[原文]The web management interface for Mitel 3300 Integrated Communications Platform (ICP) before 4.2.2.11 generates easily predictable web session IDs, which allows remote attackers to hijack other sessions via the parentsessionid cookie.


[CNNVD] Mitel 3300 Integrated Communications Platform Web Interface Authentication Bypass Vulnerability (CNNVD-200402-091)

        The web management interface of the Mitel 3300 Integrated Communications Platform (ICP) in versions before 4.2.2.11 generates easily predictable web session IDs. A remote attacker can hijack other users' sessions via the parentsessionid cookie.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no special access conditions required to exploit]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0944 (official data source: MITRE)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0944 (official data source: NVD)
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200402-091 (official data source: CNNVD)

- Other links and resources

http://www.niscc.gov.uk/niscc/docs/re-20050228-00178.pdf?lang=en (VENDOR_ADVISORY, MISC)
http://www.mitel.com/DocController?documentId=14223 (VENDOR_ADVISORY, CONFIRM)
http://www.corsaire.com/advisories/c040817-002.txt (VENDOR_ADVISORY, MISC)

- Vulnerability information

Mitel 3300 Integrated Communications Platform Web Interface Authentication Bypass Vulnerability
Medium severity; Design error
Published: 2004-02-28 00:00:00; Updated: 2005-10-20 00:00:00
Remote
        The web management interface of the Mitel 3300 Integrated Communications Platform (ICP) in versions before 4.2.2.11 generates easily predictable web session IDs. A remote attacker can hijack other users' sessions via the parentsessionid cookie.

- Advisories and patches

Mitel has released 3300 ICP Release 5.2 to address this issue. This software is available for registered customers at the following location:
www.mitel.com

- Vulnerability information (F36384)

Corsaire Security Advisory 2004-08-17.3 (PacketStormID:F36384)
2005-03-01 00:00:00
Stephen de Vries, Corsaire (penetration-testing.com)
advisory, web
CVE-2004-0945 (the identifier the advisory itself cites; this page files the companion denial-of-service advisory under CVE-2004-0944)

Corsaire Security Advisory - The aim of this document is to define a vulnerability in the 3300 Integrated Communication Platform as supplied by Mitel, that allows an authenticated user to deny access to other users of the web management interface.

-- Corsaire Security Advisory --

Title: Mitel 3300 ICP web interface DoS issue
Date: 17.08.04
Application: Mitel Web Management Interface 
Environment: Mitel 3300 ICP (prior to 5.2)
Author: Stephen de Vries [stephen@corsaire.com]
Audience: General distribution
Reference: c040817-003


-- Scope --

The aim of this document is to define a vulnerability in the 3300 
Integrated Communication Platform as supplied by Mitel [1], that allows 
an authenticated user to deny access to other users of the web 
management interface.


-- History --

Discovered: 17.08.04 (Stephen de Vries)
Vendor notified: 27.08.04
Document released: 28.02.05


-- Overview --

The 3300 ICP [2] provides enterprise IP-PBX capabilities and makes use 
of a Web Interface to manage the device.  In order to maintain a user 
session, the Web Interface generates a unique session ID for each user 
after they have successfully authenticated.  Once the client has 
authenticated, this session ID is used as a shared secret to 
authenticate the client to the server for all subsequent requests. 
The Web Interface has an upper limit of 50 active session IDs.  A 
malicious user could authenticate 50 times and thereby deny access to 
the Web Interface for other users. The scope of this attack is limited 
to users with access to valid authentication credentials, or who exploit 
another vulnerability to gain access to a valid session.


-- Analysis --

Session IDs are generated after authentication, and valid sessions are 
disposed of when the user logs out or when the browser window is 
closed.  Authentication can be performed by an HTTP POST request to the 
URL http://<Controller_IP>/esm_validate.asp using the variables 
hiddenUid and hiddenPwd for the username and password respectively.  By 
authenticating 50 times without logging out, the available session IDs 
are exhausted and subsequent authentication requests are denied, which 
prevents legitimate users from accessing the web interface.  Sessions 
remained active for more than 1 hour, so the denial of service 
condition lasts for at least 1 hour without the attack having to be 
re-launched.
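The exhaustion described above, modelled as an added example that is not Corsaire's advisory code or Mitel's software: a session store with the behaviour the advisory reports (global cap of 50, counter IDs, no idle expiry) beside a hardened store that keeps a finite bound but cannot be filled by one credential. The idle timeout, the per-principal cap and the two client addresses are assumptions chosen for the simulation.

```python
import secrets

GLOBAL_CAP = 50          # upper limit of live sessions reported by the advisory
IDLE_TIMEOUT = 15 * 60   # assumption: seconds of inactivity before a session is reaped
PER_PRINCIPAL_CAP = 2    # assumption: concurrent sessions allowed per (user, client) pair

ATTACKER = "10.0.0.66"   # constructed source addresses for the simulation
ADMIN = "10.0.0.10"


class FixedCapStore:
    """Models the behaviour the advisory describes: a global cap of 50 live
    sessions, no idle timeout, and a slot freed only by explicit logout.
    Fifty logins that never log out therefore refuse everyone else."""

    def __init__(self, cap=GLOBAL_CAP):
        self.cap = cap
        self.sessions = {}   # session id -> (user, client, last_seen)
        self._next = 1       # counter-based IDs, as observed on the device

    def login(self, user, client, now):
        if len(self.sessions) >= self.cap:
            return None      # table full: the request is denied
        sid = self._next
        self._next += 1
        self.sessions[sid] = (user, client, now)
        return sid

    def live(self):
        return len(self.sessions)


class HardenedStore:
    """Keeps a finite global bound (memory is finite) but stops one credential
    from filling it: idle sessions are reaped, a (user, client) pair may hold
    only PER_PRINCIPAL_CAP sessions with the oldest evicted, and IDs come from
    a CSPRNG rather than a counter."""

    def __init__(self, cap=GLOBAL_CAP):
        self.cap = cap
        self.sessions = {}   # session id -> (user, client, last_seen)

    def _reap(self, now):
        for sid in [s for s, (_, _, seen) in self.sessions.items()
                    if now - seen > IDLE_TIMEOUT]:
            del self.sessions[sid]

    def login(self, user, client, now):
        self._reap(now)
        mine = sorted((seen, sid) for sid, (u, c, seen) in self.sessions.items()
                      if (u, c) == (user, client))
        while len(mine) >= PER_PRINCIPAL_CAP:
            _, oldest = mine.pop(0)
            del self.sessions[oldest]
        if len(self.sessions) >= self.cap:
            return None
        sid = secrets.token_urlsafe(32)   # 256 random bits, not a counter
        self.sessions[sid] = (user, client, now)
        return sid

    def live(self):
        return len(self.sessions)


def run_attack(store, logins=GLOBAL_CAP, now=0.0):
    """The attack from the advisory: one valid credential authenticates
    `logins` times without logging out, then a legitimate administrator on
    another host tries to log in. Returns (sessions the attacker still holds,
    whether the administrator got in)."""
    for i in range(logins):
        store.login("admin", ATTACKER, now + i)
    held = sum(1 for (_, client, _) in store.sessions.values() if client == ATTACKER)
    return held, store.login("admin", ADMIN, now + logins) is not None


def live_after_idle(store, now=0.0):
    """Sessions still in the table once everyone has been idle longer than
    IDLE_TIMEOUT and the administrator logs in again."""
    run_attack(store, now=now)
    later = now + GLOBAL_CAP + IDLE_TIMEOUT + 1
    store.login("admin", ADMIN, later)
    return store.live()


if __name__ == "__main__":
    print("fixed-cap store :", run_attack(FixedCapStore()))      # (50, False)
    print("hardened store  :", run_attack(HardenedStore()))      # (2, True)
    print("after idle reap :", live_after_idle(HardenedStore()))  # 1
```

The per-principal cap is what defeats the attack as described; the idle timeout is what bounds how long any leftover sessions (including the 1-hour-plus lifetime the advisory measured) keep occupying slots.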


-- Recommendations --

The vendor has released a revised version of the software that does not 
exhibit this issue. This has not been independently verified by 
Corsaire.


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CAN-2004-0945 to this issue. This is a candidate for inclusion in 
the CVE list (http://cve.mitre.org), which standardises names for 
security problems.


-- References --

[1] http://www.mitel.com
[2] http://www.mitel.com/DocController?documentId=9555&c=9511&sc=9514


-- Revision --

a. Initial release.
b. Minor revision.
c. Revised affected product version.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997 
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and 
analytical rigour to every job, which means fast and dramatic security 
performance improvements. Our services centre on the delivery of 
information security planning, assessment, implementation, management 
and vulnerability research. 

A free guide to selecting a security assessment supplier is available at 
http://www.penetration-testing.com 


Copyright 2004 Corsaire Limited. All rights reserved.



- Vulnerability information (F36383)

Corsaire Security Advisory 2004-08-17.2 (PacketStormID:F36383)
2005-03-01 00:00:00
Stephen de Vries, Corsaire (penetration-testing.com)
advisory, remote, web
CVE-2004-0944

Corsaire Security Advisory - The aim of this document is to define a vulnerability in the 3300 Integrated Communication Platform as supplied by Mitel, that allows a remote attacker to hijack legitimate users' web management sessions.

-- Corsaire Security Advisory --

Title: Mitel 3300 ICP web interface session hijacking issue
Date: 17.08.04
Application: Mitel Web Management Interface
Environment: Mitel 3300 ICP (prior to 4.2.2.11)
Author: Stephen de Vries [stephen@corsaire.com]
Audience: General distribution
Reference: c040817-002


-- Scope --

The aim of this document is to define a vulnerability in the 3300 
Integrated Communication Platform as supplied by Mitel [1], that allows 
a remote attacker to hijack legitimate users' web management sessions.


-- History --

Discovered: 17.08.04 (Stephen de Vries)
Vendor notified: 27.08.04
Document released: 28.02.05


-- Overview --

The 3300 ICP [2] provides enterprise IP-PBX capabilities and makes use 
of a Web Interface to manage the device.  In order to maintain a user 
session, the Web Interface generates a unique session ID for each user 
after they have successfully authenticated.  Once the client has 
authenticated, this session ID is used as a shared secret to 
authenticate the client to the server for all subsequent requests. 
This session ID was found to be trivially predictable and allows 
attackers to hijack legitimate users' sessions.


-- Analysis --

The Web Interface on the 3300 ICP generates the session ID after 
successful authentication.  The HTML page returned after successful 
authentication contains Javascript code that sets a cookie with the name 
"parentsessionid" to the value of the session ID.  By making successive 
authentication requests a list of session IDs can be retrieved.  A 
random sample follows:

parentsessionid=3
parentsessionid=4
parentsessionid=5
parentsessionid=6
parentsessionid=7
parentsessionid=8
parentsessionid=9
parentsessionid=10
parentsessionid=11
parentsessionid=12

It is quite clear that these IDs are sequential.  Further investigation 
revealed that the Web Interface has an upper limit of 50 active session 
IDs.  This further reduces the number of IDs that an attacker has to 
guess before being able to hijack a user's session.
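An added example (not part of Corsaire's advisory or Mitel's software) that runs the predictability check over the sample above: it confirms the counter pattern, predicts the next IDs, bounds the guess space, and counts the requests a hijack needs in a constructed scenario (an administrator holding session 7 while the attacker was issued 12), beside the CSPRNG generation the device should have used.

```python
import math
import secrets

# The parentsessionid values printed in the advisory, in the order issued.
OBSERVED = [3, 4, 5, 6, 7, 8, 9, 10, 11, 12]
MAX_LIVE_SESSIONS = 50   # upper limit of concurrent sessions reported by the advisory


def is_sequential(ids):
    """True when every observed ID is exactly one more than its predecessor,
    i.e. the server hands out a counter rather than a random value."""
    return len(ids) > 1 and all(b - a == 1 for a, b in zip(ids, ids[1:]))


def predicted_next(ids, n=3):
    """The IDs the server will issue next if the counter pattern holds."""
    return [ids[-1] + i for i in range(1, n + 1)]


def candidate_space_bits(newest_id):
    """Entropy an attacker faces against counter IDs: every live session has
    an ID in 1..newest_id, so at most log2(newest_id) bits of uncertainty,
    and the cap of MAX_LIVE_SESSIONS means at most 50 of them are live."""
    return math.log2(newest_id)


def hijack_attempts(other_live_ids, own_id):
    """Requests needed to land on another user's live session by presenting
    the parentsessionid cookie with values counted down from the attacker's
    own freshly issued ID (recent sessions sit just below it). Returns None
    when no other session is live."""
    live = set(other_live_ids)
    for attempt, candidate in enumerate(range(own_id - 1, 0, -1), start=1):
        if candidate in live:
            return attempt
    return None


def secure_session_id():
    """What the device should issue instead: 32 bytes from the OS CSPRNG,
    256 bits of entropy and no relationship between successive IDs."""
    return secrets.token_urlsafe(32)


def random_int_sample(n=10):
    """n 64-bit IDs drawn the way a sound implementation would, for
    comparison with OBSERVED under the same check."""
    return [secrets.randbits(64) for _ in range(n)]


if __name__ == "__main__":
    print("sequential:", is_sequential(OBSERVED))                      # True
    print("next IDs:", predicted_next(OBSERVED))                        # [13, 14, 15]
    print("bits to guess:", round(candidate_space_bits(OBSERVED[-1]), 1))  # 3.6
    # constructed scenario: an administrator holds session 7, the attacker was issued 12
    print("requests to hijack:", hijack_attempts([7], 12))              # 5
    print("secure ID:", secure_session_id())
    print("random sample sequential:", is_sequential(random_int_sample()))  # False
```

The same check applied to any cookie-based session scheme is the practical test: collect a few successive IDs from your own logins and, if `is_sequential` (or any simple arithmetic relation) holds, treat the session ID as guessable regardless of how it is transported.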


-- Recommendations --

The vendor has released a revised version of the software that does not 
exhibit this issue. This has not been independently verified by 
Corsaire.


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CAN-2004-0944 to this issue. This is a candidate for inclusion in 
the CVE list (http://cve.mitre.org), which standardises names for 
security problems.


-- References --

[1] http://www.mitel.com
[2] http://www.mitel.com/DocController?documentId=9555&c=9511&sc=9514


-- Revision --

a. Initial release.
b. Minor revision.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 

-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997 
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and 
analytical rigour to every job, which means fast and dramatic security 
performance improvements. Our services centre on the delivery of 
information security planning, assessment, implementation, management 
and vulnerability research. 

A free guide to selecting a security assessment supplier is available at 
http://www.penetration-testing.com 


Copyright 2004-2005 Corsaire Limited. All rights reserved.

- Vulnerability information

14277
Mitel 3300 ICP Web Management Interface Session Hijacking

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-02-28 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Mitel 3300 Integrated Communications Platform Web Interface Authentication Bypass Vulnerability
Class: Design Error; Bugtraq ID: 12682
Remote: Yes; Local: No
Published: 2005-02-28 12:00:00; Updated: 2009-07-12 10:56:00
Corsaire Limited is responsible for disclosure of this issue.

- Affected program versions

Mitel 3300 Integrated Communication Platform

- Vulnerability discussion

A remote authentication bypass vulnerability affects the Web interface of the Mitel 3300 Integrated Communications Platform. This issue is due to a design error in the session IDs produced to manage authenticated users: they are predictable, so a remote attacker can guess a live one and present it in the parentsessionid cookie.

This issue will allow an attacker to gain authenticated access to the Web interface of an affected device, facilitating further attacks.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Mitel has released 3300 ICP Release 5.2 to address this issue. This software is available for registered customers at the following location:
www.mitel.com

- References


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on MITRE's websites.