[GSEC-2008001] BluePex IE-2000 - Session Hijacking
----------------------------------------------------
GSEC Security Solutions - Advisory #02 - 18/11/08
----------------------------------------------------

Software    : BluePex IE-2000
Homepage    : http://www.bluepex.com.br/
Vulnerable  : Appliances without the security patches applied
Impact      : Local
Priority    : High
Description : Internet access bypassing the applied policies, webmail access to a hijacked account, and internet access as the hijacked user.

-----------------------------------------------------------
ABOUT PRODUCT
-----------------------------------------------------------

The IE-2000 is a security appliance that provides internet sharing, a mail server, a web server, an antispyware gateway, a firewall, antivirus, antispam and URL filtering.

-----------------------------------------------------------
DESCRIPTION
-----------------------------------------------------------

It is possible to hijack the session of a user who is logged on to either webmail or internet access, in two ways.

By IP: If the attacker sets their IP address to that of the target while the target is logged on to webmail or internet access, the attacker gets the same access as the hijacked user. This step can also be used to obtain the cookie of the target's session: javascript:alert(document.cookie);void(0);

By cookie: With the session cookie obtained in the previous step, the attacker sets this cookie in their own browser, returns to their previous IP address, and has internet and webmail access just like the attacked user, because there is no link between the IP address and the cookie and there is no session expiration time.
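The root cause stated above is twofold: the appliance accepts a session cookie from any client IP, and the cookie never expires. The following is an added example, not BluePex code and not part of the original advisory: a toy session store modelling the described behaviour next to a hardened store that binds the cookie to the issuing IP and drops idle sessions, with the advisory's cookie-replay scenario run against both. All names (WeakSessionStore, HardenedSessionStore, IDLE_TIMEOUT), the 15-minute timeout and the timestamps and 192.0.2.x addresses are constructed for the illustration.

```python
"""Added example (not BluePex code): session cookies with and without
IP binding and idle expiry, replayed the way the advisory describes."""
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value, not taken from the advisory


@dataclass
class Session:
    user: str
    client_ip: str   # IP the cookie was issued to
    last_seen: float # timestamp of the last accepted request


class WeakSessionStore:
    """Models the advisory's behaviour: a cookie is valid from any
    client IP and never expires."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, client_ip, now):
        token = secrets.token_hex(16)
        self._sessions[token] = Session(user, client_ip, now)
        return token  # this is the value that lands in the cookie

    def authenticate(self, token, client_ip, now):
        # Only the token is checked; client_ip and now are ignored.
        s = self._sessions.get(token)
        return s.user if s else None


class HardenedSessionStore(WeakSessionStore):
    """Same store, but the cookie is only accepted from the IP it was
    issued to and is revoked after IDLE_TIMEOUT seconds of inactivity."""

    def authenticate(self, token, client_ip, now):
        s = self._sessions.get(token)
        if s is None:
            return None
        if s.client_ip != client_ip:
            del self._sessions[token]  # cookie presented from another host: revoke
            return None
        if now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]  # stale session: revoke
            return None
        s.last_seen = now
        return s.user


def replay_from_other_ip(store_cls):
    """The advisory's 'By cookie' step: the victim logs in, the attacker
    copies the cookie and presents it from their own IP an hour later.
    Returns the user the store authenticates the attacker as, or None."""
    store = store_cls()
    t0 = 1_000_000.0  # constructed timestamps
    cookie = store.login("victim", "192.0.2.10", t0)
    return store.authenticate(cookie, "192.0.2.77", t0 + 3600)


def replay_same_ip_after_idle(store_cls):
    """The 'By IP' step against a session the victim stopped using an
    hour ago: the attacker spoofs the victim's IP and presents the cookie."""
    store = store_cls()
    t0 = 1_000_000.0
    cookie = store.login("victim", "192.0.2.10", t0)
    return store.authenticate(cookie, "192.0.2.10", t0 + 3600)


def legitimate_use(store_cls):
    """The real user keeps working from the issuing IP with gaps shorter
    than IDLE_TIMEOUT, so the hardened store must still accept them."""
    store = store_cls()
    t0 = 1_000_000.0
    cookie = store.login("victim", "192.0.2.10", t0)
    store.authenticate(cookie, "192.0.2.10", t0 + 600)   # active 10 min later
    return store.authenticate(cookie, "192.0.2.10", t0 + 1200)  # 10 min after that


if __name__ == "__main__":
    for cls in (WeakSessionStore, HardenedSessionStore):
        print(cls.__name__,
              "replay from other IP ->", replay_from_other_ip(cls),
              "| same IP after idle ->", replay_same_ip_after_idle(cls),
              "| legitimate ->", legitimate_use(cls))
```

Two caveats follow from the model. IP binding on its own only defeats the cookie-replay step; an attacker who takes over the victim's IP, as in the first method, still matches the binding, so the idle timeout (and re-authentication for sensitive actions) is what limits that window. Conversely, strict IP binding breaks legitimate users behind carrier NAT or on roaming clients, so a real deployment usually pairs a looser binding with short expiry rather than relying on the address alone.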
-----------------------------------------------------------
PROOF OF CONCEPT
-----------------------------------------------------------

1 - Set your IP address to the same address as the target user;
2 - Access: http://Address_Ip_IE2000/etools/
3 - With this you get the webmail and internet access of the hijacked user, but you may also get a duplicate address error;
4 - Type in your browser: javascript:alert(document.cookie);void(0);
5 - Return to your original IP address and set the cookie obtained in the previous step in your browser. You now have the same access as the hijacked user.

Enjoy!

-----------------------------------------------------------
SOLUTION
-----------------------------------------------------------

Update to the latest version, apply the security patch or contact your product engineer.
http://www.bluepex.com/

-----------------------------------------------------------
TIMELINE
-----------------------------------------------------------

17/01/2008 - Vulnerability found
12/03/2008 - BluePex contacted
16/06/2008 - Security patch published
18/11/2008 - Advisory published

-----------------------------------------------------------
CREDIT
-----------------------------------------------------------

GSEC Security Solutions
Visit: http://www.gsec.com.br/

-----------------------------------------------------------
NOTE
-----------------------------------------------------------

The author reserves the right not to be held responsible for the information provided, nor for liability claims regarding damage caused by the use of any information provided.