
#MSA260209

New Atlanta Servlet Exec Multiple Security Issues.

Tested Versions:

Servlet Exec 5.0p06 on Microsoft IIS 6.0

Minded Security ReferenceID:

MSA260209

Credits:

Discovered by Stefano Di Paola and Giorgio Fedon of Minded Security.
Stefano Di Paola (stefano.dipaola [_at_] mindedsecurity.com) discovered the first issue (Path Traversal); Giorgio Fedon (giorgio.fedon [_at_] mindedsecurity.com) discovered the second issue (Authentication Bypass).

Severity:

High: Attackers may be able to read application secrets stored in configuration
files or to bypass authentication on the Servlet Exec administrative interface.

Solution:

Update your installation with July 2010 hotfix:
http://www.newatlanta.com/c/products/servletexec/d…

Summary

Minded Security consultants discovered during a penetration testing activity that New Atlanta Servlet Exec may allow an unauthenticated user to read system configuration files or to access system information.

Analysis

First Issue: Path Traversal
Minded Security consultants were able to access arbitrary files on the ServletExec system path by abusing a flaw in the administration help of the ServletExec platform. In fact, by requesting the following URL:

http://<webserver>/servlet/pagecompile._admin._hel…
page=../../WEB-INF/web.xml

it is possible to download the “web.xml” file of an application.

Second issue: Authentication Bypass
Furthermore, we discovered that some functionalities of the Servlet Exec Administrative Interface can be accessed without valid user credentials. By supplying a properly crafted request to the Servlet interface, it is possible to directly access the precompiled JSP pages stored inside the “Servlet Exec Admin” package.
The following request will display the login interface:

http://<webserver>/servlet/pagecompile._admin._log…

It is very important to observe that direct access to “Servlet Exec Administrative” functionalities may lead to a full system compromise if the attacker is able to deploy his own malicious code on the protected environment.
The following request will show the system properties:

http://<webserver>/servlet/pagecompile._admin._vmS…

Other examples include unauthorized access to the “Log Configuration”:

http://<webserver>/servlet/pagecompile._admin._SEL…

Unauthorized access to the Administrative User Management panel:

http://<webserver>/servlet/pagecompile._admin._use…

Access to virtual server management:

http://<webserver>/servlet/pagecompile._admin._vir…

Access to Admin Optional packages configuration section:

http://<webserver>/servlet/pagecompile._admin._opt…

Access to Data Sources configuration section:

http://<webserver>/servlet/pagecompile._admin._dat…

Access to Admin Debug configuration section:

http://<webserver>/servlet/pagecompile._admin._deb…
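Both issues leave a recognisable trace in the web server log: direct requests to precompiled pages under `/servlet/pagecompile._admin.` (second issue) and `..` sequences in the help servlet's `page` parameter (first issue). The following detector over IIS W3C log lines is an added example, not part of the advisory; the log excerpt is constructed, and the servlet names after `pagecompile._admin.` are placeholders because the advisory truncates the real ones.

```python
"""Flag IIS W3C log records matching the MSA260209 request patterns.
Added example, not from the advisory; servlet names after "pagecompile._admin."
are PLACEHOLDERS because the advisory truncates the real ones."""
from urllib.parse import parse_qs, unquote

# Constructed IIS 6.0 W3C extended log excerpt (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2009-02-26 10:00:01 GET /servlet/pagecompile._admin._PLACEHOLDER_help page=intro.html 10.0.0.5 200
2009-02-26 10:00:07 GET /servlet/pagecompile._admin._PLACEHOLDER_help page=../../WEB-INF/web.xml 10.0.0.9 200
2009-02-26 10:00:09 GET /servlet/pagecompile._admin._PLACEHOLDER_help page=%252e%252e%5c%252e%252e/WEB-INF/web.xml 10.0.0.9 200
2009-02-26 10:00:15 GET /servlet/pagecompile._admin._PLACEHOLDER_vmsettings - 10.0.0.9 200
2009-02-26 10:01:00 GET /myapp/index.jsp - 10.0.0.5 200
"""

# Every precompiled admin JSP named in the advisory sits under this prefix.
ADMIN_PREFIX = "/servlet/pagecompile._admin."

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#") and fields:
            yield dict(zip(fields, raw.split()))

def has_traversal(value):
    """True if the value, decoded twice to defeat double encoding, has a '..' segment."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    return ".." in decoded.split("/")

def detect(text):
    """Return (client, kind, detail) tuples for requests that need review."""
    alerts = []
    for rec in parse_w3c(text):
        stem, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-")
        client = rec.get("c-ip", "?")
        # Second issue: direct hits on precompiled admin pages skip the admin UI's login.
        if stem.lower().startswith(ADMIN_PREFIX):
            alerts.append((client, "direct-admin-jsp", stem))
        # First issue: traversal sequences in the help page's "page" parameter.
        for value in parse_qs(query, keep_blank_values=True).get("page", []):
            if has_traversal(value):
                alerts.append((client, "page-traversal", value))
    return alerts
```

Run `detect(SAMPLE_LOG)` on the constructed excerpt: the two `web.xml` requests are reported as `page-traversal` (including the double-encoded, backslash variant), and every hit under the admin prefix is reported for review.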

Disclosure Timeline

26/02/2009 Issue found
29/04/2010 Reported to Vendor

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information.

In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Any use of this information is at the user’s own risk. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of Minded Security Research Lab. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail research_at_mindedsecurity.com for permission.
