|
COMMAND Business Objects WebIntelligence client session cookie hijacking SYSTEMS AFFECTED WebIntelligence 2.x products PROBLEM Stijn Durant of Ubizen [http://www.ubizen.com] discovered : 1) Brief description The WebIntelligence application is a web interface towards the Business Objects application server. It uses HTTPS and cookies to keep track of user sessions. These session cookies are vulnerable. An attacker can guess session cookies and use this information to hijack sessions of other users, thereby gaining unauthorized access to the WebIntelligence tool. Next, the attacker can take any action the original user is able to take, except changing the account password. There also exists a win32 client application that uses the same protocols and the same cookie mechanism to connect to the Business Objects server. Both web interface and client are vulnerable to session hijacking. 2) Affected versions WebIntelligence 2.x products 3) Details "WebIntelligence is the one tool that allows users to access, analyze, and share strategic data over intranets and extranets for both traditional relational databases and online analytical processing (OLAP) servers." ( http://www.businessobjects.com/products/webi/ ) The WebIntelligence server assigns a cookie to each session for purpose of session tracking. Whenever a user connects using his/her browser, he/she receives such a session ID cookie. If the user then authenticates successfully, the WebIntelligence server marks this session at server side as 'authenticated'. During the same session, the user's browser keeps sending this cookie back to the server. This helps the server to keep track of the user's session. As long as the session is marked 'authenticated' the server will not prompt the user for his/her password anymore. So, if an attacker succeeds in stealing or guessing a user's session ID cookie, the attacker may gain access to this user's WebIntelligence session. It has been found that WebIntelligence uses cookies that can be guessed by an attacker. As a result, the attacker can view any screen, including mail box, and perform any action the user can. The attacker can not set a new password for the hijacked account as this would require knowledge of the current password. 4) Extension The Business Objects full client is a Windows application that can be downloaded through the WebIntelligence interface. Although it does not run in a browser, it does use the same HTTPS protocols for connecting to the WebIntelligence server and the same session ID cookies are used. Therefore, ZABO is also vulnerable to this attack. The client only product (BusinessObjects) is not at risk. SOLUTION 5) Solution Business Objects ( http://www.businessobjects.com ) has a hotfix for this issue (Bug ID 1063161) and it is expected that this fix will be incorporated in Service Pack 7, expected in the early part of Q2. Business Objects advises their customers to deploy the appropriate CSP on all their servers machines. The appropriate CSPs for SP3, SP4, SP5 and SP6 can be downloaded from: http://techsupport.businessobjects.com/app/SecBulletin_120402.asp . 6) Timeline (only relevant steps) November 2002: Ubizen contacted and provided details to Business Objects December 2002: Received bug ID and preliminary fix info from Business Objects January 2003: Business Objects released security bulletin and fixes to its customers 7) Credits This vulnerability was discovered by Stijn Durant of Ubizen ( http://www.ubizen.com ). 8) Disclaimer All information, advice and statements are provided "AS IS", without any warranty of any kind, express or implied, including but not limited to, warranties of accuracy, timeliness, non-infringement or fitness for a particular purpose. Ubizen assumes no liability for any loss or damage whatsoever (direct, indirect, consequential or otherwise). The use of and/or reliance on any of the information, advice or statements provided will be at the sole risk of the using/relying party. Copyright (c) 2003 by Ubizen N.V. All rights reserved. Ubizen, SIL and Security Intelligence Lab are trademarks or registered trademarks of Ubizen N.V. All other trademarks or registered trademarks are the property of their respective owners.