Holes in Embedded Devices: IP-based session management

Devices that implement IP address-based session management follow the algorithm described by the pseudocode shown below:

The implications are obvious: devices located in environments in which different users share the same proxy are vulnerable to administrative session hijacking attacks. Please note that this session hijacking attack has nothing to do with the classic TCP hijacking attack in which sequence numbers are predicted by the attacker. [...]
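The shared-proxy problem described above, modelled as an added example (this is not the article's pseudocode or any vendor's firmware): an IP-keyed session check next to a token-keyed one, evaluated for two users who reach the device through the same proxy. The class names, the password and the 192.0.2.10 address are constructed for the illustration.

```python
import hmac
import secrets


class IpSessionAuth:
    """Flawed model (assumed): the 'session' is only the client's source IP."""

    def __init__(self, password):
        self._password = password
        self._admin_ips = set()

    def login(self, src_ip, password):
        if hmac.compare_digest(password, self._password):
            self._admin_ips.add(src_ip)  # every later request from this IP is admin
            return True
        return False

    def is_admin(self, src_ip):
        return src_ip in self._admin_ips


class TokenSessionAuth:
    """Hardened model: the session is an unguessable per-login token (cookie)."""

    def __init__(self, password):
        self._password = password
        self._tokens = set()

    def login(self, src_ip, password):
        if not hmac.compare_digest(password, self._password):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens.add(token)
        return token

    def is_admin(self, src_ip, token):
        # The source IP is deliberately ignored: it does not identify a user.
        return token is not None and token in self._tokens


def shared_proxy_demo():
    proxy_ip = "192.0.2.10"  # constructed: the address the device sees for both users
    weak = IpSessionAuth("s3cret")
    weak.login(proxy_ip, "s3cret")             # administrator logs in via the proxy
    weak_other_user = weak.is_admin(proxy_ip)  # second user, same proxy, never logged in

    strong = TokenSessionAuth("s3cret")
    admin_token = strong.login(proxy_ip, "s3cret")
    strong_other_user = strong.is_admin(proxy_ip, None)       # no cookie presented
    strong_admin = strong.is_admin(proxy_ip, admin_token)     # the real administrator
    return weak_other_user, strong_other_user, strong_admin
```

`shared_proxy_demo()` returns whether the second user is treated as administrator under each model, followed by whether the real administrator still is under the token model.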
