Home page logo
/

bugtraq logo Bugtraq mailing list archives

S21SEC-011 - Multiple vulnerabilities in BEA WebLogic Server
From: "Lluis Mora" <llmora () s21sec com>
Date: Mon, 17 Mar 2003 18:30:48 +0100

###############################################################
ID: S21SEC-011-en
Title: Multiple vulnerabilities in BEA WebLogic Server
Date: 7/01/2003
Status: Patch published
Scope: Remote command execution
Platforms: Linux, Windows 2000, probably others
Author: llmora
Location: http://www.s21sec.com/en/avisos/s21sec-011-en.txt
Release: Public
###############################################################

                                S 2 1 S E C

                           http://www.s21sec.com

                   Multiple vulnerabilities in BEA WebLogic Server


About BEA WebLogic Server
-------------------------
WebLogic Server is a quite extended BEA J2EE applications server
(http://www.bea.com).

Vulnerabilities description
---------------------------
WebLogic offers a web management console through which you can manage the
web server contents, load servlets, etc. One of the  functionalities it
offers is that you can upload  files to the remote server for its
publication.

The process in charge of managing the file upload validates the user
credentials and then calls an internal weblogic servlet  to upload the file,
that does not require any authentication. This internal servlet can be
publically accessed and therefore  it is possible to upload files to the
server without any kind of authentication.

Files can be uploaded to any location in the remote server, not limiting to
the tree of WebLogic directories
 (in Windows 2000 it is possible to upload files to any disk drive).

If you know the directory where the Weblogic server applications have been
installed (such as in a default installation)  there is the possibility to
upload a malicious application that will allow an attacker to execute
commands with the  premissions of the user executing the Weblogic server.


Additionally, the internal servlet offers different operations that allow,
without any authentication:

* Download arbitrary files from the remote server
* Obtain the users, groups and passwords (salted and hashed) of WebLogic

Affected Versions and platforms
-------------------------------

These vulnerabilities have been verified to work in the WebLogic version for
Windows and Linux, although we think that they  are not specific to the
platform.

The current vulnerabilities vary in the different versions, the following
table shows which vulnerabilities are present in  each version:

                        UPLOAD     DOWNLOAD    PASSWORD

   WebLogic 6.0           X                       X
   WebLogic 6.1           X           X           X
   WebLogic 7.0                       X

The WebLogic Server 5.1 version does not present any of the previously
mentioned vulnerabilities.

Solution
--------
The vendor was notified and published a patch to solve these
vulnerabilities. More information on how to get and install the  patch can
be found in BEA's security advisory BEA03-28.00
(http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp
).

If upgrading is not an option, there is a temporary workaround for the
problem which consists in the installation of a  ConnectionFilter class to
filter out requests to the administration server, avoiding explotation of
the vulnerability from  the outside world.

In order to apply this workaround the administration and application servers
must be running on separate ports. Once they are  separated the
ConnectionFilter will filter connections based on the request source
address.

S21SEC developed a ConnectionFilter class that allows filtering based on the
source address and destination port. This filter  along with detailed
instructions on how to install and configure the filter can be downloaded
for free from the downloads  section in S21SEC website, at:

  http://www.s21sec.com/download/s21sec-weblogic-connectionfilter-1.0.tar.gz

Alternatively, connections to the administrative server can be filtered by
using an IP filtering device.

Additional information
----------------------

These vulnerabilities have been found and researched by:

 Lluis Mora             llmora () s21sec com

You can find the latest version of this advisory at:

        http://www.s21sec.com/en/avisos/s21sec-011-en.txt

And other S21SEC advisories at http://www.s21sec.com/en/avisos/



  By Date           By Thread  

Current thread:
  • S21SEC-011 - Multiple vulnerabilities in BEA WebLogic Server Lluis Mora (Mar 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault