CA Oneview Monitor "DoSave.jsp" path manipulation
This advisory is intended for CA Netegrity Siteminder Policy Manager 6.x
with Netegrity Oneview monitor installed.
Minded Security ReferenceID:
Giorgio Fedon of Minded Security
giorgio.fedon [_at_] mindedsecurity.com
High: Attackers may be able to execute arbitrary code on the remote system.
Apply thorough input validation techniques to user input in order to
prevent path manipulation via "../" and control that provided input has
no extension (e.g. ".").
In addition, we also suggest to protect this interface by default using
a password security policy.
Minded Security Consultants discovered during a penetration testing activity that Oneview monitor interface let users to save configuration settings files with arbitrary extensions (e.g. JSP). In addition an attacker could execute arbitrary JSP code since the saved file content can be partially controlled.
Minded Security consultants discovered that "/sitemindermonitor/doSave.jsp" is prone to a path manipulation issue.
Users may be able to save configuration settings in different destination paths with an arbitrary extension. Since the configuration file content can be partially controlled, an attacker could be able to execute arbitrary JSP code.
One View Monitor is shipped with a default installation of CA Siteminder 6.0 Sp5 and is included with CA Siteminder Policy Editor. By default Oneview Monitor configuration files are saved in "/siteminder/monitor/settings". Siteminder Monitor is a single user application, if no password is set, anybody may be able to perform the following attack. First of all an attacker should add a Custom Table (newtable) with the jsp code to be executed, using a HTTP Request like the following one:
UserÂAgent: Mozilla/5.0 (X11; U; Linux x86_64; it; rv:188.8.131.52)
Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
The previous simple code will print on screen "JSP Code Execution":
<%@ page import="java.io.*" %>
<%@ page import="java.util.*" %>
<% out.println("Jsp Code Execution"); %>
The following request will create a new Jsp page that contains our JSP code:
The previous request will create a new file called "attacksample.jsp" in "d:\<programs>\siteminder\monitor\attacksample.jsp"; An attacker can now request the new file through the following http request:
The output will be the following one:
ï¿½[ZWÂ 9 Ì§]Ã¢ï¿½ï¿½xpï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½uqï¿½~ï¿½
ï¿½ï¿½ï¿½tï¿½pAuthorizeCount / sec
JSP Code Execution
An attacker could step on with further attacks, such as executing processes on the remote system or getting direct filesystem access.
10/04/2010 Issue found
29/04/2010 Reported to Vendor
10/06/2010 Vendor Response Not A Bug (Function as Designed: see
23/06/2010 Public Disclosure
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Any use of this information is at the user's own risk. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of Minded Security Research Lab. If you wish to reprint the whole or any part of this Alert in any other medium excluding
electronic medium, please e-mail research_at_mindedsecurity.com for permission.
Copyright (c) 2010 Minded Security, S.r.l..
All rights reserved worldwide.