
UNIRAS Brief - 598/03 - Corsaire Security Advisory



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 598/03 dated 31.10.03  Time: 10:50
 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Corsaire Security Advisory:BEA Tuxedo Administration CGI multiple argument issues

Detail
====== 

The BEA Tuxedo Administration Console is a CGI application that allows 
the remote administration of Tuxedo functions. One of the start-up 
arguments that this CGI application accepts is a path to an INI file. 
This file contains environment settings, such as the default 
installation path of the Tuxedo application.  

The INIFILE argument appears not to be checked for any basic formatting 
issues such as a path outside of the web root, the use of device names, 
or for the presence of HTML constructs. 



- -- Corsaire Security Advisory --

Title: BEA Tuxedo Administration CGI multiple argument issues
Date: 04.07.03
Application: BEA Tuxedo 8.1 and prior
Environment: Various
Author: Martin O'Neal [martin.oneal@xxxxxxxxxxxx]
Audience: General distribution
Reference: c030704-009


- -- Scope --

The aim of this document is to clearly define several issues in the 
argument handling functionality of the BEA Tuxedo Administration Console 
application, as supplied by BEA Systems, Inc [1]. 


- -- History --

Vendor notified: 04.07.03 
Document released: 31.10.03


- -- Overview --

The BEA Tuxedo Administration Console is a CGI application that allows 
the remote administration of Tuxedo functions. One of the start-up 
arguments it accepts is a path to an INI file containing environment 
settings. By entering various path values into this argument it is 
possible to:

- - Confirm the existence of files outside of the web server environment.
- - Cause a Denial of Service (DoS) on the web server host.
- - Execute a cross-site scripting (XSS) attack through the application.


- -- Analysis --

The BEA Tuxedo Administration Console is a CGI application that allows 
the remote administration of Tuxedo functions. One of the start-up 
arguments that this CGI application accepts is a path to an INI file. 
This file contains environment settings, such as the default 
installation path of the Tuxedo application.  

The INIFILE argument appears not to be checked for any basic formatting 
issues such as a path outside of the web root, the use of device names, 
or for the presence of HTML constructs. 

By entering various path values into the INIFILE argument it is possible 
to use the Administration Console to confirm the existence of files 
outside of the web server environment, including those on different 
logical filesystems and even network drives. Through this approach it is 
possible to enumerate files, drives and hosts that are contactable by 
the target web server, so that they might be used with other exploits. 

Supplying a standard Windows device name (CON, AUX, COM1, COM2 etc.) in 
the argument causes the server thread to become unresponsive until the 
service/daemon is restarted. 

Supplying HTML constructs causes script such as JavaScript to be 
executed in the user's browser context. This style of attack can be used 
to gain access to sensitive information, such as session cookies.
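The three failures above come from one missing check on one argument. As an added example (this is not code from the Corsaire advisory or from BEA's tuxadm), the Python below shows what validating INIFILE would look like: an allow-list for the file name, rejection of traversal, absolute, drive-letter and UNC paths, rejection of Windows reserved device names (with or without an extension, since Windows treats "con.ini" as the CON device too), a canonical-path check that the result stays under the configuration directory, and HTML-escaping of the value when it is reflected into an error page. The configuration directory path and the error-page wording are assumptions for illustration.

```python
import html
import os
import re

# Windows reserved device names. Opening one of these as an ordinary file
# blocks on the device (CON waits for console input), which is the hang the
# advisory describes. Windows also reserves "CON.ini", "COM1.txt" and so on,
# so the comparison is made on the name without its extension.
RESERVED_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}

# Drive letter ("C:") or UNC/device prefix ("\\server", "//server", "\\.\COM1").
_DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|[\\/]{2})")


def is_reserved_device_name(component: str) -> bool:
    """True if one path component names a Windows device, with or without an extension."""
    stem = component.split(".", 1)[0].strip().upper()
    return stem in RESERVED_DEVICE_NAMES


def validate_inifile(arg: str, base_dir: str):
    """Accept an INIFILE argument only if it names an .ini file inside base_dir.

    Returns (absolute_path, None) on success or (None, reason) on rejection.
    Each rejection corresponds to one of the unchecked cases in the advisory:
    HTML constructs, device names, and paths outside the web root.
    """
    if not arg or len(arg) > 255:
        return None, "empty or oversized argument"
    if any(ch in arg for ch in "<>\"'&") or any(ord(ch) < 0x20 for ch in arg):
        return None, "HTML metacharacters or control characters"
    if arg[0] in "/\\" or _DRIVE_OR_UNC.match(arg):
        return None, "absolute, drive-letter or UNC path"
    # Treat "\" and "/" alike: Windows accepts both as separators.
    components = [c for c in arg.replace("\\", "/").split("/") if c]
    if not components:
        return None, "empty path"
    if any(c == ".." for c in components):
        return None, "parent-directory traversal"
    if any(is_reserved_device_name(c) for c in components):
        return None, "reserved device name"
    if not components[-1].lower().endswith(".ini"):
        return None, "not an .ini file name"
    # Belt and braces: canonicalise and confirm the result is still under base_dir.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *components))
    if os.path.commonpath([base, candidate]) != base:
        return None, "resolves outside the configuration directory"
    return candidate, None


XSS_PAYLOAD = "<script>alert('XSS')</script>"  # the advisory's proof-of-concept value


def render_error_unsafe(arg: str) -> str:
    """Error page as a reflecting CGI builds it: the raw argument is pasted into HTML."""
    return f"<html><body>Cannot open INIFILE {arg}</body></html>"


def render_error_safe(arg: str) -> str:
    """Same page with output encoding applied to the reflected value."""
    return f"<html><body>Cannot open INIFILE {html.escape(arg, quote=True)}</body></html>"


if __name__ == "__main__":
    base = "/opt/tuxedo/udataobj/webgui"  # assumed configuration directory
    for value in ["webgui.ini", r"..\..\..\..\winnt\win.ini", r"C:\boot.ini",
                  r"\\fileserver\share\x.ini", "COM1", "con.ini", XSS_PAYLOAD]:
        path, reason = validate_inifile(value, base)
        print(f"{value!r:45} -> {path or 'REJECTED: ' + reason}")
    print(render_error_unsafe(XSS_PAYLOAD))
    print(render_error_safe(XSS_PAYLOAD))
```

The syntactic checks run before the filesystem check on purpose: a device name or traversal sequence is rejected before anything touches the path, so the validator itself can never be made to open CON or probe a network share. The realpath comparison only defends against symlinks for directories that actually exist; the explicit ".." and absolute-path rejections cover the rest.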


- -- Proof of concept --

This proof of concept is known to work with a default BEA Tuxedo 
installation on a Windows platform. To make it work within different 
environments, you may need to alter the path used in the URL 
appropriately.

To replicate the XSS issue, initiate a connection to the server that is 
hosting the Tuxedo application, then use the following URL. 

   http://host/udataobj/webgui/cgi-bin/tuxadm.exe?INIFILE=<script>alert('XSS')</script>

This should result in an error, accompanied by a popup script dialog 
containing the message "XSS".
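Because every variant of this issue travels in the INIFILE query argument of one CGI, attempts are easy to spot in web server logs after the fact. The following Python is an added example, not part of the advisory or any BEA or Corsaire tooling: it parses a constructed IIS W3C-extended log excerpt (the lines and the #Fields layout are made up for this example, not a real capture), picks out requests to tuxadm, URL-decodes the INIFILE value and classifies it against one signature per issue class described above. The request to a different CGI on the last line is there to show the filter does not fire on it.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C-extended log excerpt (not a real capture). The request
# on the last line targets a different CGI and must not be flagged.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-10-31 10:50:01 10.0.0.7 GET /udataobj/webgui/cgi-bin/tuxadm.exe INIFILE=webgui.ini 200
2003-10-31 10:50:05 192.168.1.20 GET /udataobj/webgui/cgi-bin/tuxadm.exe INIFILE=..\..\..\..\winnt\win.ini 500
2003-10-31 10:50:09 192.168.1.20 GET /udataobj/webgui/cgi-bin/tuxadm.exe INIFILE=COM1 500
2003-10-31 10:50:12 192.168.1.20 GET /udataobj/webgui/cgi-bin/tuxadm.exe INIFILE=%3Cscript%3Ealert('XSS')%3C/script%3E 500
2003-10-31 10:50:20 10.0.0.7 GET /udataobj/webgui/cgi-bin/other.exe INIFILE=COM1 200
"""

# One regex per issue class in the advisory, applied to the URL-decoded value.
SIGNATURES = [
    ("traversal", re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")),
    ("absolute_path", re.compile(r"^(?:[A-Za-z]:|[\\/])")),
    ("device_name", re.compile(
        r"(?:^|[\\/])(?:CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(?:\.[^\\/]*)?$", re.I)),
    ("html", re.compile(r"[<>\"']|javascript:", re.I)),
]


def classify_inifile(value: str):
    """Return the sorted list of signature names matching one INIFILE value.

    The value is percent-decoded once more here so that a double-encoded
    payload ("%252e%252e") that the web server decoded only once is still seen.
    """
    decoded = unquote(value)
    return sorted(name for name, rx in SIGNATURES if rx.search(decoded))


def parse_w3c(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def scan_log(text: str):
    """Flag tuxadm requests whose INIFILE argument matches a signature."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if not stem.rsplit("/", 1)[-1].startswith("tuxadm"):
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        # parse_qs percent-decodes each value once, as the CGI would see it.
        for value in parse_qs(query, keep_blank_values=True).get("INIFILE", []):
            hits = classify_inifile(value)
            if hits:
                findings.append({"time": f"{rec['date']} {rec['time']}", "ip": rec["c-ip"],
                                 "status": rec["sc-status"], "inifile": value, "matches": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} {f['matches']} INIFILE={f['inifile']!r}")
```

A 500 status next to a device-name match is the combination worth paging on: the advisory says the hang persists until the service is restarted, so the first such hit on a host is the point at which the console stops answering. Matching on the basename "tuxadm" rather than "tuxadm.exe" keeps the rule valid for the non-Windows builds the proof of concept mentions.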


- -- Recommendations --

The application should be reviewed in line with security best practices, 
such as those recommended by the OWASP project [2], with special 
consideration paid to the validation of input and output fields.

Access to administrative tools such as this should be restricted to 
trusted domains only and where possible, should also be protected by 
additional measures, such as strong authentication. 

BEA have released an advisory (BEA03-38.00) [3] detailing the 
availability of a patch to correct the issues. This should be reviewed 
and if found to be suitable, the patch should be applied. 


- -- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
multiple numbers to this issue: 

CAN-2003-0621 BEA Tuxedo Administration CGI file disclosure issue
CAN-2003-0622 BEA Tuxedo Administration CGI DoS issue
CAN-2003-0623 BEA Tuxedo Administration CGI XSS issue

These are candidates for inclusion in the CVE list, which standardises 
names for security problems (http://cve.mitre.org). 


- -- References --

[1] http://www.bea.com
[2] http://www.owasp.org
[3] http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/
    advisory03_38_00.jsp


- -- Revision --

a. Initial release.
b. Revised to include the vendor's recommendations.


- -- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


- -- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


Copyright 2003 Corsaire Limited. All rights reserved. 
- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the Help Desk by 
telephone, or send Not Protectively Marked information by email to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Corsaire for the information
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC accepts responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBP6I9lIpao72zK539AQEjtAP+Il2xGQyJbyXUeJxaXXy7rLkaQnny6R3p
fXhpy4L4YN9ATKYKb9QcOxkAjpAO+6oQ2YKr9GfoV72NXfxiACrnov9Hoo70g933
i8bXhVWR/wJWmDcBdameSC0FF6ckR4xTetO2b0qv9/CUS4wseG/dCQl9Y+zpNHGz
/xD6wl+YXu0=
=PxP/
-----END PGP SIGNATURE-----