Sybase EAServer 6.3.1 Directory Traversal / XXE Injection / Command Execution

2013.07.19
Credit: Gerhard Wagner, Bernhard Mueller
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-22
CWE-78

SEC Consult Vulnerability Lab Security Advisory < 20130719-0 > ======================================================================= title: Multiple vulnerabilities product: Sybase EAServer vulnerable version: <=6.3.1 fixed version: vendor did not supply version information CVE number: - impact: critical homepage: www.sybase.com found: 10/2012 by: Gerhard Wagner, Bernhard Mueller SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ------------------- Sybase EAServer fully supports all the Web services standards and enables enterprises to rapidly expose business functions as Web services. EAServer also provides a graphical interface to automate the publication and management of your companys Web services. Today, EAServer supports EJB and Java/CORBA components, CICS integrator, and database stored procedures. These stored procedures can be from all Sybases databases including ASE, SQL Anywhere, and IQ; in addition, they will support IBM, Oracle, and Microsoft. EAServer can also support iAnywhere messaging services, enabling the developer to expose these components as Web services. Business recommendation: ------------------------ The default applications that are deployed by default during the installation of Sybase EAServer should be removed. Further, it is recommended to test the patches provided by Sybase. Vulnerability overview/description: ----------------------------------- 1) Directory traversal In order to use a common web server such as IIS as a fronted and forward only certain requests to the Sybase EAServer it is a common practice to install and configure the EAServer redirector plug-in. An incoming request will be received by the web server, validated if it matches any context configured within the redirector plug-in and if so forwarded to the appropriate application context. So a request such as the following will be forwarded by the redirector plug-in in case the configuration contains such an application. https://example.com/myapp -> https://myEAServer/myapp If the request contains a path like "/\.." the redirector plug-in is not normalising the path as a part of the "myapp" application. Therefore, the request will be passed on to the Sybase EAServer where backslash as well as forward slash are valid directory separators and therefore using such a method it is possible to access all deployed applications. https://example.com/myapp/%5C../another_application 2) XML entity injection Due to insufficient input validation it is possible to pass external entity definitions to the server-side XML processor for REST requests with an XML media type. By calling the built-in function testDataTypes() an attacker can list directories and display arbitrary files on the affected system, as long as the files don't conflict with the UTF-8 encoding. 3) OS command execution The WSH service allows to run OS commands and it can only be accessed providing administrative credentials. Using the XXE vulnerability mentioned before it is potentially possible to retrieve the credentials from configuration files and run OS commands using the WSH service. Proof of concept: ----------------- 1) Directory traversal The following request allows to access the Sybase EAServer management application: https://example.com/myapp/%5C../console/Login.jsp Also the other applications that come by default with Sybase EAServer can be accessed using their respective context for example: /rest /wsh /wsf ... 2) XML entity injection The following XML message displays the contents of the drive C: on a Windows system: <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///C:\">]> <lol> <dt> <stringValue>&xxe;</stringValue> <booleanValue>0</booleanValue> </dt> </lol> 3) OS command execution Due to the potential impact the proof-of-concept has been removed. Vulnerable / tested versions: ----------------------------- The issues have been tested in Sybase EAServer 6.3.1 on Windows. Vendor contact timeline: ------------------------ 2013-03-11: Contact the vendor and provide vulnerability information 2013-06-11: Vendor fixes the issues 2013-06-28: Agreement on disclosure date 2013-07-19 2013-07-19: Public disclosure Solution: --------- According to the vendor customers can download the latest patches from http://www.sybase.com/downloads. The patches have not been tested by SEC Consult. Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF G. Wagner / 2013

References:

https://www.sec-consult.com


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top