##############################################################

                    - S21Sec Advisory -

##############################################################

   Title:   Infinite invalid authentication attempts possible in BEA
WebLogic Server
      ID:   S21SEC-040-en
Severity:   Medium
   Scope:   BEA Weblogic
Platforms:   All
  Author:   rpinuaga@s21sec.com
     URL:   http://www.s21sec.com/avisos/s21sec-040-en.txt
 Release:   Public



[ SUMMARY ]

It's possible to launch a credentials brute force attack against known
users through an internal servlet that permits the bypass of the user
locking mechanism.


[ AFFECTED VERSIONS ]

The vulnerability was confirmed on:
7.0sp6
8.1sp4
9.0sp2

Versions 6 and previous are not vulnerable.


[ DESCRIPTION ]

BEA WebLogic Server is the world leading application server software.

To avoid credential brute force attacks, Weblogic server have a locking
mechanism that lock the corresponding account after some invalid login
attempts.

The default lock shots if 5 invalid login attempts were made. The lock
remains 30 minutes.

S21SEC has found that exists an internal servlet that allow the guess of
valid credentials even if the attacked account is locked.

This allows infinite invalid authentication attempts against an account.
When the correct credentials are guessed, it's only needed to wait for the
account to unlock and then logon into the server.

The affected servlet is:

/wl_management_internal1/LogfileSearch (Version 7 & 8)
/bea_wls_diagnostics/accessor (Version 9)


[ WORKAROUND ]

BEA has released an advisory about this vulnerability. Updates and more
information are available at Bea website:

http://dev2dev.bea.com/pub/advisory/271

[ ACKNOWLEDGMENTS ]

This vulnerability has been found and researched by:

Ramon Pinuaga Cascales <rpinuaga_AT_s21sec.com>


[ REFERENCES ]

http://dev2dev.bea.com/pub/advisory/271