[NT] BEA Tuxedo Administration CGI Multiple Argument Issues

From: SecuriTeam (support_at_securiteam.com)
Date: 11/05/03

    To: list@securiteam.com
    Date: 5 Nov 2003 18:38:40 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      BEA Tuxedo Administration CGI Multiple Argument Issues
    ------------------------------------------------------------------------

    SUMMARY

    The BEA Tuxedo Administration Console is a CGI application that allows the
    remote administration of Tuxedo functions. One of the start-up arguments
    it accepts is a path to an INI file containing environmental settings. By
    entering various path values into this argument, it is possible to:
     - Confirm the existence of files outside of the web server environment.

     - Cause a Denial of Service (DoS) on the web server host.

     - Execute a cross-site scripting (XSS) attack through the application.

    DETAILS

    Vulnerable systems:
     * BEA Tuxedo version 8.1 and prior

    The BEA Tuxedo Administration Console is a CGI application that allows the
    remote administration of Tuxedo functions. One of the start-up arguments
    that this CGI application accepts is a path to an INI file. This file
    contains environmental variables, such as the default installation path of
    the Tuxedo application etc.

    The INIFILE argument appears not to be checked for any basic formatting
    issues such as a path outside of the web root, the use of device names, or
    for the presence of HTML constructs.

    By entering various path values into the INIFILE argument it is possible
    to use the Administration Console to confirm the existence of files
    outside of the web server environment, including those on different
    logical file systems and even network drives. Through this approach it is
    possible to enumerate files, drives and hosts that are contactable by the
    target web server, so that they might be used with other exploits.

    By using standard device names (CON, AUX, COM1, COM2 etc) within the
    arguments, the server thread will become unresponsive until the
    service/daemon is restarted.

    By supplying HTML constructs in the argument, mobile code such as JAVA can
    be executed within the user's context. This style of attack can be used to
    gain access to sensitive information, such as session cookies.

    Proof of concept:
    This proof of concept is known to work with a default BEA Tuxedo
    installation on a Windows platform. To make it work within different
    environments, you may need to alter the path used in the URL
    appropriately.

    To replicate the XSS issue, initiate a connection to the server that is
    hosting the Tuxedo application, and then use the following URL.
     http://host/udataobj/webgui/cgi-bin/tuxadm.exe?INIFILE=<script>alert('XSS')</script>

    This should result in an error, accompanied by a popup script dialog
    containing the message "XSS".

    Recommendations:
    The application should be reviewed in line with security best practices,
    such as those recommended by the OWASP project, with special consideration
    paid to the validation of input and output fields.

    Access to administrative tools such as this should be restricted to
    trusted domains only and where possible, should be protected by additional
    measures, such as strong authentication.
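    The Python below is an added example, not code from BEA, Corsaire or SecuriTeam, showing the two controls the advisory points at: the check an INIFILE-style argument should receive before it is used (reject markup characters, Windows device names, absolute paths and anything that resolves outside a fixed directory, and HTML-encode the value if an error page reflects it), and a triage pass that applies the same check to web-server access log lines so requests that would have failed it can be flagged. The allowed root /opt/tuxedo/udataobj/webgui, the combined-format log layout and every log line are constructed for the example.

```python
import html
import os
import re
from urllib.parse import parse_qs

# Assumed directory holding the console's own INI files; not a path from the advisory.
ALLOWED_ROOT = "/opt/tuxedo/udataobj/webgui"

# Windows device names; the advisory reports that CON, AUX, COM1, COM2 etc. in the
# argument leave the CGI thread unresponsive until the service is restarted.
RESERVED_DEVICE_NAMES = frozenset(
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Allow-list for a relative INI file name: '<', '>', quotes, ':' and '&' are out,
# so HTML constructs are refused before anything can reflect them.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_./\\-]+$")


def is_reserved_device(value):
    """True if the final path component names a device (CON, COM1, LPT1.ini, ...)."""
    last = re.split(r"[\\/]", value)[-1]
    stem = last.split(".", 1)[0].upper()   # Windows ignores the extension for devices
    return stem in RESERVED_DEVICE_NAMES


def validate_inifile(value, allowed_root=ALLOWED_ROOT):
    """Return (ok, resolved_path_or_None, rejection_reason)."""
    if not value:
        return False, None, "empty"
    if not SAFE_NAME.match(value):
        return False, None, "forbidden characters"
    if is_reserved_device(value):
        return False, None, "device name"
    normalized = value.replace("\\", "/")          # treat Windows separators uniformly
    if normalized.startswith("/"):
        return False, None, "absolute path"
    root = os.path.normpath(allowed_root)
    candidate = os.path.normpath(os.path.join(root, normalized))
    if not candidate.startswith(root + os.sep):    # '..' segments are collapsed by normpath
        return False, None, "outside allowed root"
    if not candidate.lower().endswith(".ini"):
        return False, None, "not an .ini file"
    return True, candidate, ""


def safe_error_message(value):
    """Error text that reflects the rejected value with HTML metacharacters encoded."""
    return "Invalid INIFILE argument: " + html.escape(value, quote=True)


# Combined-format access log line: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log, not real traffic.
SAMPLE_LOG = r"""
10.0.0.5 - - [05/Nov/2003:18:38:40 +0200] "GET /udataobj/webgui/cgi-bin/tuxadm.exe?INIFILE=webgui.ini HTTP/1.0" 200 512
10.0.0.9 - - [05/Nov/2003:18:39:01 +0200] "GET /udataobj/webgui/cgi-bin/tuxadm.exe?INIFILE=..\..\..\winnt\win.ini HTTP/1.0" 500 211
10.0.0.9 - - [05/Nov/2003:18:39:07 +0200] "GET /udataobj/webgui/cgi-bin/tuxadm.exe?INIFILE=COM1 HTTP/1.0" 500 0
10.0.0.9 - - [05/Nov/2003:18:39:12 +0200] "GET /udataobj/webgui/cgi-bin/tuxadm.exe?INIFILE=%3Cscript%3Ealert('XSS')%3C/script%3E HTTP/1.0" 500 340
10.0.0.5 - - [05/Nov/2003:18:41:00 +0200] "GET /udataobj/webgui/index.html HTTP/1.0" 200 1802
"""


def triage_log(lines):
    """Return (client, decoded INIFILE value, reason) for every tuxadm request
    whose argument would fail validate_inifile; other lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or "tuxadm" not in m.group("target").lower():
            continue
        query = m.group("target").partition("?")[2]
        # parse_qs percent-decodes, so encoded markup is classified like plain markup
        for raw in parse_qs(query, keep_blank_values=True).get("INIFILE", []):
            ok, _, reason = validate_inifile(raw)
            if not ok:
                findings.append((m.group("ip"), raw, reason))
    return findings


if __name__ == "__main__":
    for client, value, reason in triage_log(SAMPLE_LOG.splitlines()):
        print(f"{client}\t{reason}\t{safe_error_message(value)}")
```

    The allow-list runs first on purpose: a value that fails it is never joined to a path or opened, so the device-name and traversal checks only ever see names made of ordinary file-name characters. Encoding in safe_error_message is the output-side half of the fix; it is what stops a rejected value from becoming the script injection the proof of concept above demonstrates.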

    BEA have released an advisory, BEA03-38.00
    (http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/advisory03_38_00.jsp),
    detailing the availability of a patch to correct the issues. This should be
    reviewed and, if found to be suitable, the patch should be applied.

    ADDITIONAL INFORMATION

    The information has been provided by Corsaire Advisories
    (advisories@corsaire.com).


