The BEA Tuxedo Administration Console is a CGI application that allows the remote administration of Tuxedo functions. One of the start-up arguments it accepts is a path to an INI file containing environmental settings. By entering various path values into this argument, it is possible to:
- Confirm the existence of files outside of the web server environment.
- Cause a Denial of Services (DoS) on the web server host.
- Execute a cross-site scripting (XSS) attack through the application.
Vulnerable systems:
* BEA Tuxedo version 8.1 and prior
The BEA Tuxedo Administration Console is a CGI application that allows the remote administration of Tuxedo functions. One of the start-up arguments that this CGI application accepts is a path to an INI file. This file contains environmental variables, such as the default installation path of the Tuxedo application etc.
The INIFILE argument appears not to be checked for any basic formatting issues such as a path outside of the web root, the use of device names, or for the presence of HTML constructs.
By entering various path values into the INIFILE argument it is possible to use the Administration Console to confirm the existence of files outside of the web server environment, including those on different logical file systems and even network drives. Through this approach it is possible to enumerate files, drives and hosts that are contactable by the target web server, so that they might be used with other exploits.
By using standard device names (CON, AUX, COM1, COM2 etc) within the arguments, the server thread will become unresponsive until the service/daemon is restarted.
By using HTML constructs, mobile code such as JAVA can be executed within the user's context. This style of attack can be used to gain access to sensitive information, such as session cookies etc.
Proof of concept:
This proof of concept is known to work with a default BEA Tuxedo installation on a Windows platform. To make it work within different environments, you may need to alter the path used in the URL appropriately.
To replicate the XSS issue, initiate a connection to the server that is hosting the Tuxedo application, and then use the following URL. http://host/udataobj/webgui/cgi-bin/tuxadm.exe?INIFILE=< script>alert('XSS')</script>
This should result in an error, accompanied by a popup script dialog containing the message "XSS".
Recommendations:
The application should be reviewed in line with security best practices, such as those recommended by the OWASP project, with special consideration paid to the validation of input, and output fields.
Access to administrative tools such as this should be restricted to trusted domains only and where possible, should be protected by additional measures, such as strong authentication.
BEA have released an advisory (BEA03-38.00) detailing the availability of a patch to correct the issues. This should be reviewed and if found to be suitable, the patch should be applied.
