COMMAND
WebLogic
SYSTEMS AFFECTED
BEA Weblogic's Proxy
PROBLEM
Following is based on CORE-081300 Security Advisory. BEA Systems
Weblogic server provides facilities to integrate it to third
party web servers. This is accomplished by a plug-in that allows
the third party web server to proxy requests to the Weblogic
Server. As described in BEA's documentation plugins are supported
for Netscape Enterprise Server, IIS and Apache in the form of
dynamically loadable libraries.
http://www.weblogic.com/docs51/admindocs/lockdown.html
These web servers can be configured to redirect requests for
servlets and JSP files to a Weblogic server running on the same
or on a different host. Several buffer overflows in these
plugins provided by BEA Weblogic server allow a remote attacker to
execute arbitrary code on the system running the proxying web
server. The net result of this is remote execution of arbitrary
code as the user running the proxying server (generally root on
UNIX systems, SYSTEM on MS NT). For those interested a technical
description and proof of concept follow towards the end of this
advisory.
Vulnerable Packages/Systems (in each instance the particular
vulnerable binary information is provided due to the fact that is
differant for each web server/ OS):
Netscape Enterprise Webserver (NES)
===================================
NSAPI Weblogic binaries are:
NES for UNIX - libproxy.so
NES for NT - proxy30.dll, proxy35.dll, proxy36.dll
- Solaris with NES versions 3.0 to 4.1
- AIX with NES 3.6
- HP-UX 10.20 with NES version 3.6
- HP-UX 11.00 with NES version 3.6
- Windows NT with NES versions 3.0 to 4.1
Internet Information Server (IIS)
=================================
ISAPI Weblogic binaries are:
IIS - iisproxy.dll
- NT 4.0 with IIS 4.0
Apache Server
=============
ISAPI Weblogic binaries are:
Apache for UNIX - mod_wl.so, mod_wl_ssl.so, mod_wl_ssl_raven.so
- Solaris with Apache Server 1.3.9, 1.3.12
- Linux with Apache Server 1.3.9, 1.3.12
- HP-UX 11.00 with Apache Server 1.3.9, 1.3.12
- C2Net Stronghold/3.0 and Covalent Raven/1.4.3
- C2Net Stronghold/3.0 and Covalent Raven/1.4.3
- C2Net Stronghold/3.0
- Linux with Apache Server 1.3.9, 1.3.12
- HP-UX 11.00 with Apache Server 1.3.9, 1.3.12
This vulnerability was discovered by Gerardo Richarte and Hernan
Ochoa of CORE SDI S.A., Buenos Aires, Argentina.
Tests were performed using iPlanet Webserver Enterprise 4.1 as the
proxying web server. Following BEA documentation it was
configured to proxy .JSP requests to a Weblogic server on a
different host using the following configuration settings in
servername/config/obj.conf:
obj.conf:
[... text deleted ...]
<Object name=default>
[...]
Service method=(GET|HEAD|POST|PUT) type=text/jsp fn=wl-proxy\
WebLogicHost=weblogic WebLogicPort=7001 PathPrepend=/jspfiles
[....]
</Object>
[....]
The above configuration will direct the iPlanet Webserver to use
the provided library (libproxy.so) to redirect the requests for
files with extension .JSP to the WebLogic server listening on
port 7001/tcp of the host 'weblogic' The '/jspfile' string will
be prepended to the URL sent to the Weblogic host.
For example the request for
http://webserver/test.jsp?my_parameter
will become
http://weblogic:7001/jspfiles/test.jsp?my_parameter
and proxied to the WebLogic server.
Handling of the requests to be proxied is made in the wl_proxy
function of the libproxy.so library.
At wl_proxy+1812 there is a call to strcat() that tries to
concatenate the PathPrepend argument specified in the obj.conf
file with the requested URL, no bound checks are performed on the
destination buffer allocated in the stack. By providing a request
with more than 2100 characters long a buffer overflow condition
can be exploited and arbitrary code run as the user running the
proxying web server.
Explotation of the vulnerability can be difficult due to the fact
that after the overflow certain automatic variables, placed in the
stack and now corrupted by the overflow, are accessed at
wl_proxy+1896, before executing a ret instruction.
Also, the proxying web server performs some length checks of its
own on the received request and its therefore not possible to
send arbitrary long requests. However, this size limit on the
proxying web server is permissive enough to let an attacker
exploit the problem in the library.
The PathPrepend argument does not need to be set in order to
exploit the vulnerability. Unsuccessful explotation of the
problem does not lead to denial of service attacks as the web
server continues normal execution. Sample, proof of concept code:
$ perl -e 'print "GET http://webserver/test.jsp?";print "A"x2200;\
print " HTTP/1.0\n\n"'|nc weblogic 80
SOLUTION
BEA advises the to upgrade the proxy plug-in used for third-party
Web server integration. To do this, download the package at:
ftp://ftpna.bea.com/pub/releases/patches/SecurityBEA00-0500.zip (800kb)
This package includes an updated version of the proxy plug-in for
use with Netscape Enterprise Server (NES), MicrosoftInternet
Information Server (IIS), and Apache Web servers. The maximum
size of the buffer used to hold the computed URI path remains 2048
bytes. If a computed URI path is greater than the size of the
buffer, the proxy plug-in will report the error "414 - Request-URI
Too Long" to the client as suggested by the HTTP 1.1
specification. After downloading this package, open it and follow
the instructions in your version of the product for installation
procedures. BEA strongly suggests that customers apply the
remedies recommended in all their security advisories. In
addition, customers are advised to apply every Service Pack as
they are released. Service Packs include a roll up of all bug
fixes for each version of the product, as well as each of the
previously released Service Packs.