BEA Weblogic server proxy library vulnerabilities

[Iván Arce <iarce () CORE-SDI COM>]

                               CORE SDI
                        http://www.core-sdi.com

                Vulnerability Report For BEA Weblogic's Proxy


Date Published: August 15, 2000

Advisory ID: CORE-081300

Bugtraq ID: 1570

CVE CAN: None currently assigned.

Title: BEA Weblogic Multiple Buffer Overflow Vulnerabilities

Class: Boundary Error Condition (Buffer Overflow)

Remotely Exploitable: Yes

Locally Exploitable: Yes

Vulnerability Description:

BEA Systems Inc. Weblogic server provides facilities to integrate it to
third party web servers. This is accomplished by a plug-in that allows
the
third party web server to proxy requests to the Weblogic Server. As
described in BEA's documentation plugins are supported for Netscape
Enterprise Server, IIS and Apache in the form of dynamically loadable
libraries.

        http://www.weblogic.com/docs51/admindocs/lockdown.html

These web servers can be configured to redirect requests for servlets
and
JSP files to a Weblogic server running on the same or on a different
host.
Several buffer overflows in these plugins provided by BEA Weblogic
server
allow a remote attacker to execute arbitrary code on the system running
the proxying web server. The net result of this is remote execution of
arbitrary code as the user running the proxying server (generally root
on
UNIX systems, SYSTEM on MS NT). For those interested a technical
description and proof of concept follow towards the end of this
advisory.

Vulnerable Packages/Systems:

In each instance the particular vulnerable binary information is
provided
due to the fact that is differant for each web server/ OS.

Netscape Enterprise Webserver (NES)
-----------------------------------

NSAPI Weblogic binaries are:

NES for UNIX - libproxy.so
NES for NT - proxy30.dll, proxy35.dll, proxy36.dll

 - Solaris with NES versions 3.0 to 4.1
 - AIX with NES 3.6
 - HP-UX 10.20 with NES version 3.6
 - HP-UX 11.00 with NES version 3.6
 - Windows NT with NES versions 3.0 to 4.1

Internet Information Server (IIS)
---------------------------------


ISAPI Weblogic binaries are:

IIS - iisproxy.dll

 - NT 4.0 with IIS 4.0


Apache Server
-------------

ISAPI Weblogic binaries are:

Apache for UNIX - mod_wl.so, mod_wl_ssl.so, mod_wl_ssl_raven.so

 - Solaris with Apache Server 1.3.9, 1.3.12
 - Linux with Apache Server 1.3.9, 1.3.12
 - HP-UX 11.00 with Apache Server 1.3.9, 1.3.12
 - C2Net Stronghold/3.0 and Covalent Raven/1.4.3
 - C2Net Stronghold/3.0 and Covalent Raven/1.4.3
 - C2Net Stronghold/3.0
 - Linux with Apache Server 1.3.9, 1.3.12
 - HP-UX 11.00 with Apache Server 1.3.9, 1.3.12

Solution/Vendor Information/Workaround:


BEA advises the following:
Version: BEA WebLogic Server and Express 5.1.x, 4.5.x standalone version
         or as part of BEA WebLogic Enterprise 5.1 on all OS platforms
Action : Upgrade the proxy plug-in used for third-party Web server
integration.
         To do this, download the package at:
         ftp://ftpna.bea.com/pub/releases/patches/SecurityBEA00-0500.zip
(800kb)

This package includes an updated version of the proxy plug-in for use
with Netscape
Enterprise Server (NES), MicrosoftInternet Information Server (IIS), and
Apache
Web servers. The maximum size of the buffer used to hold the computed
URI path remains 2048 bytes. If a computed URI path is greater than the
size of the buffer,
the proxy plug-in will report the error "414 - Request-URI Too Long" to
the client as
suggested by the HTTP 1.1 specification.
After downloading this package, open it and follow the instructions in
your version of
the product for installation procedures.
BEA strongly suggests that customers apply the remedies recommended in
all their
security advisories. In addition, customers are advised to apply every
Service Pack as
they are released. Service Packs include a roll up of all bug fixes for
each version of the product, as well as each of the previously released
Service Packs.

Additionally, advisories and information on security issues
of BEA products can be obtained from:

        http://developer.bea.com/alerts/index.html
        http://www.securityfocus.com/bid/1525
        http://www.securityfocus.com/bid/1518
        http://www.securityfocus.com/bid/1517
        http://www.securityfocus.com/bid/1378
        http://www.securityfocus.com/bid/1328



Vendor notified on: Aug. 24th, 2000

Credits:

This vulnerability was discovered by Gerardo Richarte and
Hernan Ochoa of CORE SDI S.A., Buenos Aires, Argentina.

We wish to thank BEA Systems Inc. from their prompt response to
the problem report.

This advisory was drafted with the help of the SecurityFocus.com
Vulnerability
Help Team. For more information or assistance drafting advisories please
mail
vulnhelp () securityfocus com.


Technical Description - Exploit/Concept Code:

Tests were performed using iPlanet Webserver Enterprise 4.1 as the
proxying web server. Following BEA documentation it was configured to
proxy .JSP requests to a Weblogic server on a different host using the
following configuration settings in servername/config/obj.conf:

obj.conf:
[... text deleted ...]
<Object name=default>
[...]
Service method=(GET|HEAD|POST|PUT) type=text/jsp fn=wl-proxy\
 WebLogicHost=weblogic WebLogicPort=7001 PathPrepend=/jspfiles
[....]
</Object>
[....]

The above configuration will direct the iPlanet Webserver to use the
provided library (libproxy.so) to redirect the requests for files with
extension .JSP to the WebLogic server listening on port 7001/tcp of the
host 'weblogic' The '/jspfile' string will be prepended to the URL sent
to
the Weblogic host.

For example the request for 'http://webserver/test.jsp?my_parameter&apos;
will
become 'http://weblogic:7001/jspfiles/test.jsp?my_parameter&apos; and proxied
to the WebLogic server.

Handling of the requests to be proxied is made in the wl_proxy function
of
the libproxy.so library.

At wl_proxy+1812 there is a call to strcat() that tries to concatenate
the
PathPrepend argument specified in the obj.conf file with the requested
URL, no bound checks are performed on the destination buffer allocated
in
the stack. By providing a request with more than 2100 characters long a
buffer overflow condition can be exploited and arbitrary code run as the
user running the proxying web server.

Explotation of the vulnerability can be difficult due to the fact that
after the overflow certain automatic variables, placed in the stack and
now corrupted by the overflow, are accessed at wl_proxy+1896, before
executing a ret instruction.

Also, the proxying web server performs some length checks of its own on
the received request and its therefore not possible to send arbitrary
long
requests. However, this size limit on the proxying web server is
permissive enough to let an attacker exploit the problem in the library.

The PathPrepend argument does not need to be set in order to exploit the
vulnerability

Unsuccessful explotation of the problem does not lead to denial of
service
attacks as the web server continues normal execution.

Sample, proof of concept code:

$ perl -e 'print "GET http://webserver/test.jsp?";print "A"x2200;\
  print " HTTP/1.0\n\n"'|nc weblogic 80

note: wrapped for readability


DISCLAIMER:

The contents of this advisory are copyright (c) 2000 CORE SDI S.A. and
may be
distributed freely provided that no fee is charged for this distribution
and
proper credit is given.


--
"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 It's nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.              Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================