[VulnWatch] Corsaire Security Advisory: BEA Tuxedo Administration CGI multiple argument issues

From: advisories (advisories_at_corsaire.com)
Date: 10/31/03


To: <vulnwatch@vulnwatch.org>
Date: Fri, 31 Oct 2003 10:39:24 -0000


-- Corsaire Security Advisory --

Title: BEA Tuxedo Administration CGI multiple argument issues
Date: 04.07.03
Application: BEA Tuxedo 8.1 and prior
Environment: Various
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c030704-009

-- Scope --

The aim of this document is to clearly define several issues in the
argument handling functionality of the BEA Tuxedo Administration Console
application, as supplied by BEA Systems, Inc [1].

-- History --

Vendor notified: 04.07.03
Document released: 31.10.03

-- Overview --

The BEA Tuxedo Administration Console is a CGI application that allows
the remote administration of Tuxedo functions. One of the start-up
arguments it accepts is a path to an INI file containing environmental
settings. By entering various path values into this argument it is
possible to:

- Confirm the existence of files outside of the web server environment.
- Cause a Denial of Services (DoS) on the web server host.
- Execute a cross-site scripting (XSS) attack through the application.

-- Analysis --

The BEA Tuxedo Administration Console is a CGI application that allows
the remote administration of Tuxedo functions. One of the start-up
arguments that this CGI application accepts is a path to an INI file.
This file contains environmental variables, such as the default
installation path of the Tuxedo application etc.

The INIFILE argument appears not to be checked for any basic formatting
issues such as a path outside of the web root, the use of device names,
or for the presence of HTML constructs.

By entering various path values into the INIFILE argument it is possible
to use the Administration Console to confirm the existence of files
outside of the web server environment, including those on different
logical filesystems and even network drives. Through this approach it is
possible to enumerate files, drives and hosts that are contactable by
the target web server, so that they might be used with other exploits.

By using standard device names (CON, AUX, COM1, COM2 etc) within the
arguments, the server thread will become unresponsive until the
service/daemon is restarted.

By using HTML constructs, mobile code such as JAVA can be executed
within the users context. This style of attack can be used to gain
access to sensitive information, such as session cookies etc.

-- Proof of concept --

This proof of concept is known to work with a default BEA Tuxedo
installation on a Windows platform. To make it work within different
environments, you may need to alter the path used in the URL
appropriately.

To replicate the XSS issue, initiate a connection to the server that is
hosting the Tuxedo application, then use the following URL.

   http://host/udataobj/webgui/cgi-bin/tuxadm.exe?
   INIFILE=<script>alert('XSS')</script>

This should result in an error, accompanied by a popup script dialog
containing the message "XSS".

-- Recommendations --

The application should be reviewed in line with security best practises,
such as those recommended by the OWASP project [2], with special
consideration paid to the validation of input and output fields.

Access to administrative tools such as this should be restricted to
trusted domains only and where possible, should also be protected by
additional measures, such as strong authentication.

BEA have released an advisory (BEA03-38.00) [3] detailing the
availability of a patch to correct the issues. This should be reviewed
and if found to be suitable, the patch should be applied.

-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
Multiple numbers to this issue:

CAN-2003-0621 BEA Tuxedo Administration CGI file disclosure issue
CAN-2003-0622 BEA Tuxedo Administration CGI DoS issue
CAN-2003-0623 BEA Tuxedo Administration CGI XSS issue

These are candidates for inclusion in the CVE list, which standardises
names for security problems (http://cve.mitre.org).

-- References --

[1] http://www.bea.com
[2] http://www.owasp.org
[3] http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/
    advisory03_38_00.jsp

-- Revision --

a. Initial release.
b. Revised to include vendors recommendations.

-- Distribution --

This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.

-- Disclaimer --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.

Copyright 2003 Corsaire Limited. All rights reserved.



Relevant Pages