lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <009401c39fa7$47c1e4b0$496480c1@vegetab1e.org>
From: advisories at corsaire.com (advisories)
Subject: Corsaire Security Advisory: BEA Tuxedo Administration CGI multiple
 argument issues

-- Corsaire Security Advisory --

Title: BEA Tuxedo Administration CGI multiple argument issues
Date: 04.07.03
Application: BEA Tuxedo 8.1 and prior
Environment: Various
Author: Martin O'Neal [martin.oneal@...saire.com]
Audience: General distribution
Reference: c030704-009


-- Scope --

The aim of this document is to clearly define several issues in the 
argument handling functionality of the BEA Tuxedo Administration Console 
application, as supplied by BEA Systems, Inc [1]. 


-- History --

Vendor notified: 04.07.03 
Document released: 31.10.03


-- Overview --

The BEA Tuxedo Administration Console is a CGI application that allows 
the remote administration of Tuxedo functions. One of the start-up 
arguments it accepts is a path to an INI file containing environmental 
settings. By entering various path values into this argument it is 
possible to:

- Confirm the existence of files outside of the web server environment.
- Cause a Denial of Services (DoS) on the web server host.
- Execute a cross-site scripting (XSS) attack through the application.


-- Analysis --

The BEA Tuxedo Administration Console is a CGI application that allows 
the remote administration of Tuxedo functions. One of the start-up 
arguments that this CGI application accepts is a path to an INI file. 
This file contains environmental variables, such as the default 
installation path of the Tuxedo application etc.  

The INIFILE argument appears not to be checked for any basic formatting 
issues such as a path outside of the web root, the use of device names, 
or for the presence of HTML constructs. 

By entering various path values into the INIFILE argument it is possible 
to use the Administration Console to confirm the existence of files 
outside of the web server environment, including those on different 
logical filesystems and even network drives. Through this approach it is 
possible to enumerate files, drives and hosts that are contactable by 
the target web server, so that they might be used with other exploits. 

By using standard device names (CON, AUX, COM1, COM2 etc) within the 
arguments, the server thread will become unresponsive until the 
service/daemon is restarted. 

By using HTML constructs, mobile code such as JAVA can be executed 
within the users context. This style of attack can be used to gain 
access to sensitive information, such as session cookies etc.


-- Proof of concept --

This proof of concept is known to work with a default BEA Tuxedo 
installation on a Windows platform. To make it work within different 
environments, you may need to alter the path used in the URL 
appropriately.

To replicate the XSS issue, initiate a connection to the server that is 
hosting the Tuxedo application, then use the following URL. 

   http://host/udataobj/webgui/cgi-bin/tuxadm.exe?
   INIFILE=<script>alert('XSS')</script>

This should result in an error, accompanied by a popup script dialog 
containing the message "XSS".


-- Recommendations --

The application should be reviewed in line with security best practises, 
such as those recommended by the OWASP project [2], with special 
consideration paid to the validation of input and output fields.

Access to administrative tools such as this should be restricted to 
trusted domains only and where possible, should also be protected by 
additional measures, such as strong authentication. 

BEA have released an advisory (BEA03-38.00) [3] detailing the 
availability of a patch to correct the issues. This should be reviewed 
and if found to be suitable, the patch should be applied. 


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
Multiple numbers to this issue: 

CAN-2003-0621 BEA Tuxedo Administration CGI file disclosure issue
CAN-2003-0622 BEA Tuxedo Administration CGI DoS issue
CAN-2003-0623 BEA Tuxedo Administration CGI XSS issue

These are candidates for inclusion in the CVE list, which standardises 
names for security problems (http://cve.mitre.org). 


-- References --

[1] http://www.bea.com
[2] http://www.owasp.org
[3] http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/
    advisory03_38_00.jsp


-- Revision --

a. Initial release.
b. Revised to include vendors recommendations.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


Copyright 2003 Corsaire Limited. All rights reserved. 



----------------------------------------------------------------------
CONFIDENTIALITY:  This e-mail and any files transmitted with it are
confidential and intended solely for the use of the recipient(s) only.
Any review, retransmission, dissemination or other use of, or taking
any action in reliance upon this information by persons or entities
other than the intended recipient(s) is prohibited.  If you have
received this e-mail in error please notify the sender immediately
and destroy the material whether stored on a computer or otherwise.
----------------------------------------------------------------------
DISCLAIMER:  Any views or opinions presented within this e-mail are
solely those of the author and do not necessarily represent those
of Corsaire Limited, unless otherwise specifically stated.
----------------------------------------------------------------------
Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF
Telephone: +44(0)1483-226000  Email:info@...saire.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ