[NEWS] Sun Java System Active Server Pages Multiple Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Sun Java System Active Server Pages Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

<http://www.sun.com/software/chilisoft/index.xml> Sun Java System Active
Server Pages is "a multi-platform ASP application server. It provides ASP
(Active Server Pages) functionality to a web server". Multiple
vulnerabilities have been discovered in Sun Java System Active Server
Pages.

DETAILS

Vulnerable Systems:
* Sun Microsystems Inc.'s Java System Active Server Pages version 4.0.2

Immune Systems:
* Sun Microsystems Inc.'s Java System Active Server Pages version 4.0.3

Sun Java System Active Server Pages Authorization Bypass Vulnerability
Remote exploitation of a design error in Sun Microsystems' Java System
Active Server Pages allows attackers to bypass administration server
authentication mechanisms.

The vulnerability exists due to improper design of the ASP application
server. The administration application server exists as a stand-alone
service that listens on TCP port 5102. By connecting directly to this
service and making requests, attackers are able to bypass the
authentication mechanisms introduced by the administration HTTP server.

Analysis:
Exploitation allows an attacker to bypass authentication restrictions
imposed by the HTTP server. No authentication is required to communicate
with the affected administration application server. The attacker only
needs to be able to establish a session with the administration
application server on TCP port 5102.

Workaround:
In order to prevent exploitation of this vulnerability, disable the
administration server by executing the following command as the 'root'
user.
# /opt/casp/admtool -e

Vendor response:
Sun Microsystems has addressed this vulnerability with the release of
version 4.0.3 of Sun Java System Active Server Pages. For more
information, refer to Sun Alert 238184 at the following URL.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1

CVE Information:
CVE-2008-2406: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2406

Sun Java System Active Server Pages Multiple Command Injection
Vulnerabilities
Remote exploitation of multiple command injection vulnerabilities in Sun
Microsystems' Java System Active Server Pages allows attackers to execute
arbitrary code with root privileges.

These vulnerabilities exist within several ASP applications that execute
shell commands. The problem lies in the fact that these applications do
not filter or escape the parameters passed to these commands. By inserting
shell meta-characters into an HTTP request, an attacker is able to execute
arbitrary shell commands.
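The unsafe pattern this paragraph describes, placed beside a hardened form, as an added illustration in Python that is not code from the product or from iDefense. The scenario (an administration page that takes a "hostname" request parameter and runs a ping with it), the command path and the allowlist are assumptions chosen for the example; the hostile input is constructed and is only tokenized, never executed.

```python
import re
import shlex
import subprocess

# Added example, not the product's code. Assumed scenario: an administration
# page takes a "hostname" request parameter and runs a diagnostic command
# with it. The command name and the parameter are constructed for this example.


def build_command_unsafe(hostname: str) -> str:
    """Vulnerable pattern from the advisory: the request parameter is pasted
    into a shell command line with no filtering or escaping, so a shell
    would interpret any metacharacters the caller includes. This function
    only builds the string; the example never hands it to a shell."""
    return "/usr/sbin/ping -c 1 " + hostname


def shell_tokens(command_line: str) -> list:
    """Tokenize a command line the way a POSIX shell would, with control
    operators (; | & and their doubled forms) returned as separate tokens.
    Used only to show what the shell would see, not to run anything."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return list(lexer)


# Allowlist for the parameter: a hostname may contain letters, digits, dots
# and dashes, must start with a letter or digit, and is bounded in length.
# Everything else (whitespace, ; | & ` $ < > newline) is rejected, not escaped.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,62}$")


def is_valid_hostname(value: str) -> bool:
    return bool(_HOSTNAME_RE.match(value))


def build_command_safe(hostname: str) -> list:
    """Hardened pattern: validate against the allowlist, then return an argv
    list. Passing a list to subprocess with shell=False means the arguments
    go straight to execve() and /bin/sh never parses them."""
    if not is_valid_hostname(hostname):
        raise ValueError("parameter rejected: not a valid hostname")
    return ["/usr/sbin/ping", "-c", "1", hostname]


def run_safe(hostname: str) -> "subprocess.CompletedProcess":
    """Execute the validated command without a shell. Not invoked by the
    module itself, since it requires /usr/sbin/ping on the host."""
    return subprocess.run(build_command_safe(hostname),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    injected = "host; echo injected"            # constructed hostile input
    print("shell would see:", shell_tokens(build_command_unsafe(injected)))
    print("argv for a valid host:", build_command_safe("www.example.com"))
    try:
        build_command_safe(injected)
    except ValueError as exc:
        print("hardened path:", exc)
```

The design point is that the fix is rejection plus an argv list, not escaping: an allowlist that describes what a hostname may look like is far easier to get right than a denylist of shell metacharacters, and with shell=False there is no shell left to interpret anything that slips through.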

Analysis:
Exploitation allows an attacker to execute arbitrary shell commands with
elevated privileges. Since this server runs with root privileges, an
attacker could gain complete control of the affected system.

Note that authentication is required to reach these ASP applications via
the administration server on TCP port 5100. However, several methods of
bypassing and circumventing authentication have been discovered, rendering
that requirement irrelevant.

Workaround:
Removing the affected ASP applications from the system can prevent
exploitation of these vulnerabilities.

Additionally, using firewalls to limit access to the administration server
(TCP port 5100) and the ASP application server (TCP port 5102) can help
mitigate these issues.
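A check that goes with the firewall advice above, and with the authorization bypass described earlier in this advisory (the application server on TCP port 5102 accepts requests without authentication, so what matters is who can reach it): an added example in Python, not part of the advisory, that reads `netstat -an` output and reports which of the two administration ports are bound to something other than a loopback address. The sample output is constructed; the parser accepts both the Linux and the Solaris `netstat` layouts, since the product runs on both.

```python
import re

# Added example, not part of the advisory. Ports and roles come from the
# advisory text; the netstat output below is constructed for the example.
ADMIN_PORTS = {5100: "administration server", 5102: "ASP application server"}

# Addresses that mean "this host only". Anything else ('*', '0.0.0.0', '::'
# or a real interface address) is reachable from the network.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Linux netstat: "tcp 0 0 0.0.0.0:5102 0.0.0.0:* LISTEN"
_LINUX_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s*$")
# Solaris netstat: "  *.5102  *.*  0 0 49152 0 LISTEN" (address.port form)
_SOLARIS_RE = re.compile(r"^\s*(\S+)\.(\d+)\s+\S+(?:\s+\d+){4}\s+LISTEN\s*$")


def parse_listeners(netstat_text: str) -> list:
    """Return (local_address, port) for every TCP LISTEN line."""
    listeners = []
    for line in netstat_text.splitlines():
        match = _LINUX_RE.match(line) or _SOLARIS_RE.match(line)
        if match:
            listeners.append((match.group(1), int(match.group(2))))
    return listeners


def exposed_admin_listeners(netstat_text: str) -> list:
    """Return (address, port, role) for each administration port that is
    bound to a non-loopback address, i.e. reachable without a firewall."""
    findings = []
    for address, port in parse_listeners(netstat_text):
        if port in ADMIN_PORTS and address not in LOOPBACK:
            findings.append((address, port, ADMIN_PORTS[port]))
    return findings


# Constructed sample: Linux layout, admin HTTP server on loopback only but
# the application server on all interfaces (IPv4 and IPv6).
SAMPLE_NETSTAT_LINUX = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5102            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5100          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED
tcp6       0      0 :::5102                 :::*                    LISTEN
"""

# Constructed sample: Solaris layout, the opposite situation.
SAMPLE_NETSTAT_SOLARIS = """\
      *.5100               *.*                0      0 49152      0 LISTEN
      127.0.0.1.5102       *.*                0      0 49152      0 LISTEN
"""


if __name__ == "__main__":
    for name, sample in (("linux", SAMPLE_NETSTAT_LINUX),
                         ("solaris", SAMPLE_NETSTAT_SOLARIS)):
        for address, port, role in exposed_admin_listeners(sample):
            print(f"{name}: {role} (TCP {port}) listens on {address}")
```

Run it against real `netstat -an` output piped in from the host being audited; a non-empty result for port 5102 means the authentication-free application server is reachable from the network and the firewall or the `admtool -e` workaround has not yet taken effect.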

Vendor response:
Sun Microsystems has addressed these vulnerabilities with the release of
version 4.0.3 of Sun Java System Active Server Pages. For more
information, refer to Sun Alert 238184 at the following URL.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1

CVE Information:
CVE-2008-2405: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2405

Sun Java System Active Server Pages Buffer Overflow Vulnerability
Remote exploitation of a buffer overflow vulnerability in Sun
Microsystems' Java System Active Server Pages allows attackers to execute
arbitrary code in the context of the ASP server.

The vulnerability exists within the request handling code of the ASP
server. An attacker-supplied string is copied into a fixed-size stack
buffer without first validating that there is sufficient space available.
By supplying a specially crafted request, an attacker can cause a
stack-based buffer overflow.

Analysis:
Exploitation allows an attacker to execute arbitrary code in the context
of the ASP server. This vulnerability can be reached from a normal web
server, usually on TCP port 80, configured to pass requests for ASP
applications through the ASP server. No authentication is required to
exploit this vulnerability. If this service is configured to run with root
privileges it is possible to gain complete control over the affected
system.

Workaround:
iDefense is currently unaware of any effective workaround for this issue.

However, configuring the ASP server to run with reduced privileges can
help prevent a complete compromise. This can be accomplished via the
"Inherit user security" setting, or by setting a user and group to run as
when using the "Defined user security" mode.

Vendor response:
Sun Microsystems has addressed this vulnerability with the release of
version 4.0.3 of Sun Java System Active Server Pages. For more
information, refer to Sun Alert 238184 at the following URL.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1

CVE Information:
CVE-2008-2404: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2404

Sun Java System Active Server Pages Multiple Directory Traversal
Vulnerabilities
Remote exploitation of multiple directory traversal vulnerabilities in Sun
Microsystems' Java System Active Server Pages allows attackers to obtain
the contents of, and delete, sensitive files on the system.

Both vulnerabilities exist within ASP applications included with the
product. When accessed via the administration server, the ASP engine does
not prevent directory traversal using the "../" construct. By supplying a
specially crafted HTTP request to one of the affected ASP applications, an
attacker is able to read from arbitrary files.

One of the applications will disclose only the first and third lines of
the file. Once the application is finished processing the file, it will
delete it.

Analysis:
Exploitation allows an attacker to gain sensitive information from the
server. No authentication is required to reach the affected ASP
applications. The attacker only needs to be able to establish a session
with the administration server on TCP port 5100.

Since the server process runs with root privileges, an attacker could
obtain the contents of, or delete, any file on the system. It is
interesting to note that attempting to exploit these vulnerabilities via
the web server results in an error as shown below.

[Fri Feb 23 18:16:49 2007] Server object, 80004005, ASP 0175~Disallowed
Path Characters~The '..' characters are not allowed in the Path parameter
for the MapPath method.

Workaround:
In order to prevent exploitation of these vulnerabilities, disable the
administration server by executing the following command as the 'root'
user.

# /opt/casp/admtool -e

Additionally, removing the affected ASP applications will prevent
exploitation of these vulnerabilities.

Vendor response:
Sun Microsystems has addressed these vulnerabilities with the release of
version 4.0.3 of Sun Java System Active Server Pages. For more
information, refer to Sun Alert 238184 at the following URL.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1

CVE Information:
CVE-2008-2403: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2403

Sun Java System Active Server Pages Information Disclosure Vulnerability
Remote exploitation of an information disclosure vulnerability in Sun
Microsystems' Java System Active Server Pages allows attackers to obtain
sensitive information.

This vulnerability exists due to the placement of the password and
configuration data within the application server root directory. By making
requests for specific, sensitive documents an attacker could obtain the
configuration or password hashes of allowed users.

Analysis:
Exploitation allows an attacker to gain sensitive information from the
server. No authentication is required to reach the affected ASP
applications. The attacker only needs to be able to establish a session
with the administration server on TCP port 5100.

Workaround:
In order to prevent exploitation of this vulnerability, disable the
administration server by executing the following command as the 'root'
user.

# /opt/casp/admtool -e

Vendor response:
Sun Microsystems has addressed this vulnerability with the release of
version 4.0.3 of Sun Java System Active Server Pages. For more
information, refer to Sun Alert 238184 at the following URL.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1

CVE Information:
CVE-2008-2402: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2402

Sun Java System Active Server Pages File Creation Vulnerability
Remote exploitation of a file creation vulnerability in Sun Microsystems'
Java System Active Server Pages allows attackers to execute arbitrary code
with root privileges.

The vulnerability exists within a file included by several ASP
applications. This file provides a function that will write the contents
contained within its first parameter to a file specified by its second
parameter. Several ASP applications allow an attacker to control both the
content and the location of the file written.
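The containment check the ASP engine applies on the web-server path (the ASP 0175 "Disallowed Path Characters" error quoted in the directory traversal section of this advisory) but not on the administration-server path, together with a restricted form of the write-to-file helper this section describes, as one added Python example that is not code from the product or from iDefense. The root directory, file names and request strings are constructed for the example; `safe_map_path` serves both the read (traversal) case and the write (file creation) case, and the write helper additionally allows only a bare file name, so the caller can choose a name but never a location.

```python
import posixpath
import re
from urllib.parse import unquote

# Added example, not the product's code. Paths and names are constructed.


class DisallowedPathError(ValueError):
    """Raised when a request-supplied path would leave the application root."""


def safe_map_path(root: str, requested: str) -> str:
    """Map a request-supplied relative path onto a filesystem path under root.

    Mirrors the ASP 0175 rule quoted in the advisory (any '..' segment is
    rejected outright) and then also verifies containment after
    normalisation, so that percent-encoded or backslash variants cannot
    produce a path outside root.
    """
    decoded = unquote(requested).replace("\\", "/")
    if "\x00" in decoded:
        raise DisallowedPathError("NUL byte in path")
    if decoded.startswith("/"):
        raise DisallowedPathError("absolute paths are not allowed")
    if any(segment == ".." for segment in decoded.split("/")):
        raise DisallowedPathError("The '..' characters are not allowed in the Path")
    root_norm = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root_norm, decoded))
    # Belt and braces: even a path that passed the '..' check must still
    # resolve to root itself or to something strictly below it.
    if target != root_norm and not target.startswith(root_norm + "/"):
        raise DisallowedPathError("path escapes the application root")
    return target


# A bare file name: no separators at all, bounded length, no leading dot
# (so hidden files and '.' / '..' are impossible by construction).
_FILENAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def safe_write(root: str, requested_name: str, content: str,
               append: bool = False) -> str:
    """Hardened form of the 'write parameter 1 to the file named by
    parameter 2' helper the advisory describes. The caller chooses only a
    file name from the allowlist above; the directory is always root.
    Create mode uses 'x' so an existing file is never silently truncated."""
    if not _FILENAME_RE.match(requested_name):
        raise DisallowedPathError("file name rejected")
    target = safe_map_path(root, requested_name)
    with open(target, "a" if append else "x", encoding="utf-8") as handle:
        handle.write(content)
    return target


if __name__ == "__main__":
    root = "/opt/casp/apps"                         # assumed application root
    print(safe_map_path(root, "logs/app.log"))
    for bad in ("../etc/passwd", "logs/../../etc/passwd",
                "%2e%2e/etc/passwd", "..\\..\\etc\\passwd", "/etc/passwd"):
        try:
            safe_map_path(root, bad)
        except DisallowedPathError as exc:
            print(f"rejected {bad!r}: {exc}")
```

Two points worth noting. First, the '..' segment check alone is what the ASP 0175 error implements and it is a sound rule, but it is only applied on one of the two request paths in the vulnerable version; the containment check after normalisation is the cheap way to make sure every entry point enforces the same invariant. Second, for a write operation the safest design is not to validate a path at all but to accept only a name and supply the directory yourself.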

Analysis:
Exploitation allows an attacker to create, or append to, arbitrary files
on the system with root privileges. No authentication is required to reach
the affected ASP applications. The attacker only needs to be able to
establish a session with the administration server on TCP port 5100.

Workaround:
In order to prevent exploitation of this vulnerability, disable the
administration server by executing the following command as the 'root'
user.

# /opt/casp/admtool -e

Additionally, removing the affected ASP applications will prevent
exploitation.

Vendor response:
Sun Microsystems has addressed this vulnerability with the release of
version 4.0.3 of Sun Java System Active Server Pages. For more
information, refer to Sun Alert 238184 at the following URL.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1

CVE Information:
CVE-2008-2401: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2401


ADDITIONAL INFORMATION

The information has been provided by iDefense Labs Security Advisories
<mailto:idlabs-advisories@xxxxxxxxxxxx>.
The original articles can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=705
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=706
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=707
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=708
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=709
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=710


