[VulnWatch] S21SEC-011 - Multiple vulnerabilities in BEA WebLogic Server

From: Lluis Mora (llmora@s21sec.com)
Date: 03/17/03

  • Next message: Chris Wysopal: "[VulnWatch] Microsoft IIS 5.0 WebDAV remote buffer overflow"
    From: "Lluis Mora" <llmora@s21sec.com>
    To: <vulnwatch@vulnwatch.org>
    Date: Mon, 17 Mar 2003 18:34:18 +0100
    
    

    ###############################################################
    ID: S21SEC-011-en
    Title: Multiple vulnerabilities in BEA WebLogic Server
    Date: 7/01/2003
    Status: Patch published
    Scope: Remote command execution
    Platforms: Linux, Windows 2000, probably others
    Author: llmora
    Location: http://www.s21sec.com/en/avisos/s21sec-011-en.txt
    Release: Public
    ###############################################################

                                    S 2 1 S E C

                               http://www.s21sec.com

                       Multiple vulnerabilities in BEA WebLogic Server

    About BEA WebLogic Server
    -------------------------
    WebLogic Server is a quite extended BEA J2EE applications server
    (http://www.bea.com).

    Vulnerabilities description
    ---------------------------
    WebLogic offers a web management console through which you can manage the
    web server contents, load servlets, etc. One of the functionalities it
    offers is that you can upload files to the remote server for its
    publication.

    The process in charge of managing the file upload validates the user
    credentials and then calls an internal weblogic servlet to upload the file,
    that does not require any authentication. This internal servlet can be
    publically accessed and therefore it is possible to upload files to the
    server without any kind of authentication.

    Files can be uploaded to any location in the remote server, not limiting to
    the tree of WebLogic directories
     (in Windows 2000 it is possible to upload files to any disk drive).

    If you know the directory where the Weblogic server applications have been
    installed (such as in a default installation) there is the possibility to
    upload a malicious application that will allow an attacker to execute
    commands with the premissions of the user executing the Weblogic server.

    Additionally, the internal servlet offers different operations that allow,
    without any authentication:

    * Download arbitrary files from the remote server
    * Obtain the users, groups and passwords (salted and hashed) of WebLogic

    Affected Versions and platforms
    -------------------------------

    These vulnerabilities have been verified to work in the WebLogic version for
    Windows and Linux, although we think that they are not specific to the
    platform.

    The current vulnerabilities vary in the different versions, the following
    table shows which vulnerabilities are present in each version:

                            UPLOAD DOWNLOAD PASSWORD

       WebLogic 6.0 X X
       WebLogic 6.1 X X X
       WebLogic 7.0 X

    The WebLogic Server 5.1 version does not present any of the previously
    mentioned vulnerabilities.

    Solution
    --------
    The vendor was notified and published a patch to solve these
    vulnerabilities. More information on how to get and install the patch can
    be found in BEA's security advisory BEA03-28.00
    (http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp
    ).

    If upgrading is not an option, there is a temporary workaround for the
    problem which consists in the installation of a ConnectionFilter class to
    filter out requests to the administration server, avoiding explotation of
    the vulnerability from the outside world.

    In order to apply this workaround the administration and application servers
    must be running on separate ports. Once they are separated the
    ConnectionFilter will filter connections based on the request source
    address.

    S21SEC developed a ConnectionFilter class that allows filtering based on the
    source address and destination port. This filter along with detailed
    instructions on how to install and configure the filter can be downloaded
    for free from the downloads section in S21SEC website, at:

      http://www.s21sec.com/download/s21sec-weblogic-connectionfilter-1.0.tar.gz

    Alternatively, connections to the administrative server can be filtered by
    using an IP filtering device.

    Additional information
    ----------------------

    These vulnerabilities have been found and researched by:

     Lluis Mora llmora@s21sec.com

    You can find the latest version of this advisory at:

            http://www.s21sec.com/en/avisos/s21sec-011-en.txt

    And other S21SEC advisories at http://www.s21sec.com/en/avisos/


  • Next message: Chris Wysopal: "[VulnWatch] Microsoft IIS 5.0 WebDAV remote buffer overflow"

    Relevant Pages