COMMAND

    WebLogic

SYSTEMS AFFECTED

    BEA Weblogic's Proxy

PROBLEM

    Following is based on CORE-081300 Security Advisory.  BEA  Systems
    Weblogic  server  provides  facilities  to  integrate  it to third
    party web servers.  This is accomplished by a plug-in that  allows
    the  third  party  web  server  to  proxy requests to the Weblogic
    Server.  As described in BEA's documentation plugins are supported
    for Netscape  Enterprise Server,  IIS and  Apache in  the form  of
    dynamically loadable libraries.

        http://www.weblogic.com/docs51/admindocs/lockdown.html

    These  web  servers  can  be  configured  to redirect requests for
    servlets and JSP  files to a  Weblogic server running  on the same
    or  on  a  different  host.   Several  buffer  overflows  in these
    plugins provided by BEA Weblogic server allow a remote attacker to
    execute  arbitrary  code  on  the  system running the proxying web
    server.  The net result  of this is remote execution  of arbitrary
    code as the  user running the  proxying server (generally  root on
    UNIX systems, SYSTEM on MS NT).  For those interested a  technical
    description and proof  of concept follow  towards the end  of this
    advisory.

    Vulnerable  Packages/Systems  (in  each  instance  the  particular
    vulnerable binary information is provided because it is different
    for each web server / OS):

    Netscape Enterprise Webserver (NES)
    ===================================
    NSAPI Weblogic binaries are:

        NES for UNIX - libproxy.so
        NES for NT - proxy30.dll, proxy35.dll, proxy36.dll
        - Solaris with NES versions 3.0 to 4.1
        - AIX with NES 3.6
        - HP-UX 10.20 with NES version 3.6
        - HP-UX 11.00 with NES version 3.6
        - Windows NT with NES versions 3.0 to 4.1

    Internet Information Server (IIS)
    =================================
    ISAPI Weblogic binaries are:

        IIS - iisproxy.dll
        - NT 4.0 with IIS 4.0

    Apache Server
    =============
    ISAPI Weblogic binaries are:

        Apache for UNIX - mod_wl.so, mod_wl_ssl.so, mod_wl_ssl_raven.so
        - Solaris with Apache Server 1.3.9, 1.3.12
        - Linux with Apache Server 1.3.9, 1.3.12
        - HP-UX 11.00 with Apache Server 1.3.9, 1.3.12
        - C2Net Stronghold/3.0 and Covalent Raven/1.4.3
        - C2Net Stronghold/3.0

    This vulnerability was discovered  by Gerardo Richarte and  Hernan
    Ochoa of CORE SDI S.A., Buenos Aires, Argentina.

    Tests were performed using iPlanet Webserver Enterprise 4.1 as the
    proxying  web  server.    Following  BEA   documentation  it   was
    configured  to  proxy  .JSP  requests  to  a  Weblogic server on a
    different  host  using  the  following  configuration  settings in
    servername/config/obj.conf:

        obj.conf:
        [... text deleted ...]
        <Object name=default>
        [...]
        Service method=(GET|HEAD|POST|PUT) type=text/jsp fn=wl-proxy\
         WebLogicHost=weblogic WebLogicPort=7001 PathPrepend=/jspfiles
        [....]
        </Object>
        [....]

    The above configuration will  direct the iPlanet Webserver  to use
    the provided  library (libproxy.so)  to redirect  the requests for
    files  with  extension  .JSP  to  the WebLogic server listening on
    port 7001/tcp of the host 'weblogic'.  The '/jspfiles' string will
    be prepended to the URL sent to the Weblogic host.

    For example the request for

        http://webserver/test.jsp?my_parameter

    will become

        http://weblogic:7001/jspfiles/test.jsp?my_parameter

    and proxied to the WebLogic server.

    Handling of  the requests  to be  proxied is  made in the wl_proxy
    function of the libproxy.so library.

    At  wl_proxy+1812  there  is  a  call  to  strcat()  that tries to
    concatenate  the  PathPrepend  argument  specified in the obj.conf
    file with the requested URL; no bounds check is performed on  the
    destination buffer, which is allocated on the stack.  By providing
    a request more than 2100 characters long, a buffer overflow can be
    exploited and arbitrary code run as the user running the  proxying
    web server.

    Exploitation of the vulnerability can be difficult due to the fact
    that after the overflow certain automatic variables, placed on the
    stack  and  now  corrupted  by  the  overflow,  are  accessed   at
    wl_proxy+1896, before executing a ret instruction.

    Also, the proxying web server  performs some length checks of  its
    own on the received request, and it is therefore  not possible  to
    send arbitrarily long requests.  However, this size limit  on  the
    proxying  web  server  is  permissive  enough  to  let an attacker
    exploit the problem in the library.

    The  PathPrepend  argument  does  not  need  to be set in order to
    exploit  the  vulnerability.   Unsuccessful  exploitation  of  the
    problem does  not lead  to a denial of service, as the web  server
    continues normal execution.  Sample proof of concept code:

        $ perl -e 'print "GET http://webserver/test.jsp?";print "A"x2200;\
          print " HTTP/1.0\n\n"'|nc weblogic 80

SOLUTION

    BEA advises customers to upgrade the proxy plug-in used for third-
    party Web server integration.  To do this, download the package at:

        ftp://ftpna.bea.com/pub/releases/patches/SecurityBEA00-0500.zip (800kb)

    This package includes an updated version of the proxy plug-in  for
    use  with  Netscape  Enterprise  Server  (NES), Microsoft Internet
    Information Server  (IIS), and  Apache Web  servers.   The maximum
    size of the buffer used to hold the computed URI path remains 2048
    bytes.  If  a computed URI  path is greater  than the size  of the
    buffer, the proxy plug-in will report the error "414 - Request-URI
    Too  Long"  to   the  client  as   suggested  by  the   HTTP   1.1
    specification.  After downloading this package, open it and follow
    the instructions in your  version of the product  for installation
    procedures.   BEA  strongly  suggests  that  customers  apply  the
    remedies  recommended  in  all  their  security  advisories.    In
    addition, customers  are advised  to apply  every Service  Pack as
    it is released.  Service Packs include a roll-up of all bug  fixes
    for each version of the product, as well as each of the previously
    released Service Packs.
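    The following is an added illustration, not code from BEA's plug-in
    or from the CORE SDI advisory.  It models the two behaviours the
    advisory describes: the PathPrepend rewrite that turns
    /test.jsp?my_parameter into /jspfiles/test.jsp?my_parameter, and a
    bounds-checked replacement for the unchecked strcat() into the
    2048-byte computed-URI buffer, which rejects an oversized URI with
    the 414 status the fixed plug-in returns instead of writing past
    the buffer.  The buffer size and the 414 status are the advisory's
    figures; the function names, the constructed "/test.jsp?AAAA..."
    request and the demonstration main() are assumptions made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not BEA's plug-in source.  URI_BUF_SIZE is the 2048-byte
 * computed-URI buffer the advisory describes; the function and variable
 * names below are hypothetical. */
#define URI_BUF_SIZE 2048
#define HTTP_URI_TOO_LONG 414

/* Bounds-checked replacement for the unchecked strcat() the advisory
 * describes: writes "<path_prepend><request_uri>" into out, which must be
 * URI_BUF_SIZE bytes long.  Returns 0 when the URI fits and may be
 * forwarded, or 414 when it would overflow the buffer; in that case out is
 * left as an empty string so nothing partial is forwarded. */
int build_proxied_uri(const char *path_prepend, const char *request_uri,
                      char out[URI_BUF_SIZE])
{
    size_t prepend_len = path_prepend ? strlen(path_prepend) : 0;
    size_t uri_len = strlen(request_uri);

    out[0] = '\0';
    /* Check the total, including the terminating NUL, before writing. */
    if (prepend_len + uri_len + 1 > URI_BUF_SIZE)
        return HTTP_URI_TOO_LONG;

    if (prepend_len)
        memcpy(out, path_prepend, prepend_len);
    memcpy(out + prepend_len, request_uri, uri_len + 1);
    return 0;
}

/* Full URL the plug-in would forward, e.g. the advisory's
 * http://weblogic:7001/jspfiles/test.jsp?my_parameter.  Returns the same
 * status as build_proxied_uri(); url is emptied on rejection. */
int proxy_target_url(const char *host, int port, const char *path_prepend,
                     const char *request_uri, char *url, size_t url_size)
{
    char uri[URI_BUF_SIZE];
    int status = build_proxied_uri(path_prepend, request_uri, uri);

    url[0] = '\0';
    if (status != 0)
        return status;
    /* snprintf truncates rather than overflows if url_size is too small. */
    snprintf(url, url_size, "http://%s:%d%s", host, port, uri);
    return 0;
}

/* Constructed request in the shape of the advisory's proof of concept:
 * "/test.jsp?" followed by query_len 'A' characters.  Returns the status
 * the checked builder assigns it, so the overlong case can be observed
 * offline without any server. */
int overlong_request_status(size_t query_len)
{
    const char *path = "/test.jsp?";
    size_t path_len = strlen(path);
    char *request_uri = malloc(path_len + query_len + 1);
    char out[URI_BUF_SIZE];
    int status;

    if (!request_uri)
        return -1;
    memcpy(request_uri, path, path_len);
    memset(request_uri + path_len, 'A', query_len);
    request_uri[path_len + query_len] = '\0';

    status = build_proxied_uri("/jspfiles", request_uri, out);
    free(request_uri);
    return status;
}

int main(void)
{
    char url[URI_BUF_SIZE + 64];

    proxy_target_url("weblogic", 7001, "/jspfiles", "/test.jsp?my_parameter",
                     url, sizeof url);
    printf("normal request  -> %s\n", url);
    printf("2200-byte query -> status %d\n", overlong_request_status(2200));
    return 0;
}
```

    With PathPrepend=/jspfiles the longest accepted request URI is 2038
    characters (9 for the prefix, 2038 for the URI, 1 for the NUL); the
    2200-byte query from the proof of concept is refused with 414 before
    a single byte is written, which is the check the original strcat()
    call lacked.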