lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <32546.83.175.204.210.1203936034.squirrel@mail.s21sec.com>
Date: Mon, 25 Feb 2008 11:40:34 +0100 (CET)
From: "S21sec labs" <s21seclabs@...sec.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: S21SEC-040-en: Infinite invalid authentication attempts possible 
     in BEA WebLogic Server

##############################################################

                    - S21Sec Advisory -

##############################################################

   Title:   Infinite invalid authentication attempts possible in BEA
WebLogic Server
      ID:   S21SEC-040-en
Severity:   Medium
   Scope:   BEA Weblogic
Platforms:   All
  Author:   rpinuaga@...sec.com
     URL:   http://www.s21sec.com/avisos/s21sec-040-en.txt
 Release:   Public



[ SUMMARY ]

It's possible to launch a credentials brute force attack against known
users through an internal servlet that permits the bypass of the user
locking mechanism.


[ AFFECTED VERSIONS ]

The vulnerability was confirmed on:
7.0sp6
8.1sp4
9.0sp2

Versions 6 and previous are not vulnerable.


[ DESCRIPTION ]

BEA WebLogic Server is the world leading application server software.

To avoid credential brute force attacks, Weblogic server have a locking
mechanism that lock the corresponding account after some invalid login
attempts.

The default lock shots if 5 invalid login attempts were made. The lock
remains 30 minutes.

S21SEC has found that exists an internal servlet that allow the guess of
valid credentials even if the attacked account is locked.

This allows infinite invalid authentication attempts against an account.
When the correct credentials are guessed, it's only needed to wait for the
account to unlock and then logon into the server.

The affected servlet is:

/wl_management_internal1/LogfileSearch (Version 7 & 8)
/bea_wls_diagnostics/accessor (Version 9)


[ WORKAROUND ]

BEA has released an advisory about this vulnerability. Updates and more
information are available at Bea website:

http://dev2dev.bea.com/pub/advisory/271

[ ACKNOWLEDGMENTS ]

This vulnerability has been found and researched by:

Ramon Pinuaga Cascales <rpinuaga_AT_s21sec.com>


[ REFERENCES ]

http://dev2dev.bea.com/pub/advisory/271

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ