Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=705, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=706, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=707, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=708, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=709, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=710
Vulnerable Systems:
* Sun Microsystems Inc.'s Java System Active Server Pages version 4.0.2
Immune Systems:
* Sun Microsystems Inc.'s Java System Active Server Pages version 4.0.3
Sun Java System Active Server Pages Authorization Bypass Vulnerability
Remote exploitation of a design error in Sun Microsystems' Java System Active Server Pages allows attackers to bypass administration server authentication mechanisms.
The vulnerability exists due to improper design of the ASP application server. The administration application server exists as a stand-alone service that listens on TCP port 5102. By connecting directly to this service and making requests, attackers are able to bypass authentication mechanisms introduced by the administration HTTP server.
Analysis:
Exploitation allows an attacker to bypass authentication restrictions imposed by the HTTP server. No authentication is required to communicate with the affected administration application server. The attacker only needs to be able to establish a session with the administration application server on TCP port 5102.
Workaround:
In order to prevent exploitation of this vulnerability, disable the administration server by executing the following command as the 'root' user.
# /opt/casp/admtool -e
Vendor response:
Sun Microsystems has addressed this vulnerability with the release of version 4.0.3 of Sun Java System Active Server Pages. For more information, refer to Sun Alert 238184 at the following URL.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1
CVE Information:
CVE-2008-2406
Sun Java System Active Server Pages Multiple Command Injection Vulnerabilities
Remote exploitation of multiple command injection vulnerabilities in Sun Microsystems' Java System Active Server Pages allows attackers to execute arbitrary code with root privileges.
These vulnerabilities exist within several ASP applications that execute shell commands. The problem lies in the fact that these applications do not filter or escape the parameters passed to these commands. By inserting shell meta-characters into an HTTP request, an attacker is able to execute arbitrary shell commands.
Analysis:
Exploitation allows an attacker to execute arbitrary shell commands with elevated privileges. Since this server runs with root privileges, an attacker could gain complete control of the affected system.
Note that authentication is required to reach these ASP applications via the administration server on TCP port 5100. However, several methods of bypassing and circumventing authentication have been discovered, rendering that requirement irrelevant.
Workaround:
Removing the affected ASP applications from the system can prevent exploitation of these vulnerabilities.
Additionally, using firewalls to limit access to the administration server (TCP port 5100) and the ASP application server (TCP port 5102) can help mitigate these issues.
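A way to check the exposure that this firewall workaround is meant to close, as an added example that is not part of the iDefense advisory: a shell function that reads `netstat -an` output and reports listeners on TCP ports 5100 and 5102 bound to a non-loopback address. The function name, the sample input (constructed) and the assumed Linux and Solaris column layouts are assumptions of this example.

```shell
#!/bin/sh
# Added example: report listeners on the ports named in this advisory
# (5100 administration server, 5102 ASP application server) that are
# bound to a non-loopback address. Input: `netstat -an` text on stdin.
# Assumed layouts: Linux (lines start with "tcp", local address in
# column 4) and Solaris (local address in column 1, written host.port).

exposed_casp_listeners() {
    awk '
    $NF != "LISTEN" { next }                 # only listening sockets
    {
        addr = ($1 ~ /^tcp/) ? $4 : $1       # pick the local-address column
        pos = match(addr, /[.:][0-9]+$/)     # last separator before the port
        if (pos == 0) next
        port = substr(addr, pos + 1)
        host = substr(addr, 1, pos - 1)
        if (port != "5100" && port != "5102") next
        if (host ~ /^127\./ || host == "::1") next   # loopback: not exposed
        print port, host
    }'
}

# Constructed sample input (not captured from a real host).
SAMPLE='tcp        0      0 0.0.0.0:5100      0.0.0.0:*        LISTEN
tcp        0      0 127.0.0.1:5102    0.0.0.0:*        LISTEN
tcp6       0      0 :::5102           :::*             LISTEN
tcp        0      0 0.0.0.0:22        0.0.0.0:*        LISTEN
tcp        0      0 10.0.0.5:5100     10.0.0.9:40112   ESTABLISHED
      *.5102               *.*                0      0 49152      0 LISTEN'

# Prints one "port bind-address" line per exposed listener.
printf '%s\n' "$SAMPLE" | exposed_casp_listeners
```

On a live host, pipe `netstat -an` into the function. Any line it prints is a listener that only a packet filter, not the bind address, keeps away from remote clients.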
Vendor response:
Sun Microsystems has addressed these vulnerabilities with the release of version 4.0.3 of Sun Java System Active Server Pages. For more information, refer to Sun Alert 238184 at the following URL.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1
CVE Information:
CVE-2008-2405
Sun Java System Active Server Pages Buffer Overflow Vulnerability
Remote exploitation of a buffer overflow vulnerability in Sun Microsystems' Java System Active Server Pages allows attackers to execute arbitrary code in the context of the ASP server.
The vulnerability exists in the request handling code of the ASP server. An attacker-supplied string is copied into a fixed-size stack buffer without first validating that there is sufficient space available. By supplying a specially crafted request, an attacker can cause a stack-based buffer overflow.
Analysis:
Exploitation allows an attacker to execute arbitrary code in the context of the ASP server. This vulnerability can be reached from a normal web server, usually on TCP port 80, configured to pass requests for ASP applications through the ASP server. No authentication is required to exploit this vulnerability. If this service is configured to run with root privileges it is possible to gain complete control over the affected system.
Workaround:
iDefense is currently unaware of any effective workaround for this issue.
However, configuring the ASP server to run with reduced privileges can help prevent a complete compromise. This can be accomplished via the "Inherit user security" setting or setting a user and group to run with when using the "Defined user security" mode.
Vendor response:
Sun Microsystems has addressed this vulnerability with the release of version 4.0.3 of Sun Java System Active Server Pages. For more information, refer to Sun Alert 238184 at the following URL.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1
CVE Information:
CVE-2008-2404
Sun Java System Active Server Pages Multiple Directory Traversal Vulnerabilities
Remote exploitation of multiple directory traversal vulnerabilities in Sun Microsystems' Java System Active Server Pages allows attackers to obtain the contents of, and delete, sensitive files on the system.
Both vulnerabilities exist within ASP applications included with the product. When accessed via the administration server, the ASP engine does not prevent directory traversal using the "../" construct. By supplying a specially crafted HTTP request to one of the affected ASP applications, an attacker is able to read from arbitrary files.
One of the applications will disclose only the first and third lines of the file. Once the application is finished processing the file, it will delete it.
Analysis:
Exploitation allows an attacker to gain sensitive information from the server. No authentication is required to reach the affected ASP applications. The attacker only needs to be able to establish a session with the administration server on TCP port 5100.
Since the server process runs with root privileges, an attacker could obtain the contents of, or delete, any file on the system. It is interesting to note that attempting to exploit these vulnerabilities via the web server results in an error as shown below.
[Fri Feb 23 18:16:49 2007] Server object, 80004005, ASP 0175~Disallowed Path Characters~The '..' characters are not allowed in the Path parameter for the MapPath method.
Workaround:
In order to prevent exploitation of these vulnerabilities, disable the administration server by executing the following command as the 'root' user.
# /opt/casp/admtool -e
Additionally, removing the affected ASP applications will prevent exploitation of these vulnerabilities.
Vendor response:
Sun Microsystems has addressed these vulnerabilities with the release of version 4.0.3 of Sun Java System Active Server Pages. For more information, refer to Sun Alert 238184 at the following URL.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1
CVE Information:
CVE-2008-2403
Sun Java System Active Server Pages Information Disclosure Vulnerability
Remote exploitation of an information disclosure vulnerability in Sun Microsystems' Java System Active Server Pages allows attackers to obtain sensitive information.
This vulnerability exists due to the placement of the password and configuration data within the application server root directory. By making requests for specific, sensitive documents an attacker could obtain the configuration or password hashes of allowed users.
Analysis:
Exploitation allows an attacker to gain sensitive information from the server. No authentication is required to reach the affected ASP applications. The attacker only needs to be able to establish a session with the administration server on TCP port 5100.
Workaround:
In order to prevent exploitation of this vulnerability, disable the administration server by executing the following command as the 'root' user.
# /opt/casp/admtool -e
Vendor response:
Sun Microsystems has addressed this vulnerability with the release of version 4.0.3 of Sun Java System Active Server Pages. For more information, refer to Sun Alert 238184 at the following URL.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1
CVE Information:
CVE-2008-2402
Sun Java System Active Server Pages File Creation Vulnerability
Remote exploitation of a file creation vulnerability in Sun Microsystems' Java System Active Server Pages allows attackers to execute arbitrary code with root privileges.
The vulnerability exists within a file included by several ASP applications. This file provides a function that will write the contents contained within its first parameter to a file specified by its second parameter. Several ASP applications allow an attacker to control both the content and the location of the file written.
Analysis:
Exploitation allows an attacker to create, or append to, arbitrary files on the system with root privileges. No authentication is required to reach the affected ASP applications. The attacker only needs to be able to establish a session with the administration server on TCP port 5100.
Workaround:
In order to prevent exploitation of this vulnerability, disable the administration server by executing the following command as the 'root' user.
# /opt/casp/admtool -e
Additionally, removing the affected ASP applications will prevent exploitation.
Vendor response:
Sun Microsystems has addressed this vulnerability with the release of version 4.0.3 of Sun Java System Active Server Pages. For more information, refer to Sun Alert 238184 at the following URL.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1
CVE Information:
CVE-2008-2401