From matt@westpoint.ltd.uk Fri May 24 02:54:15 2002 From: Matt Moore To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org Date: Wed, 22 May 2002 17:11:57 +0100 Subject: [VulnWatch] Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1 Westpoint Security Advisory Title: Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1 Risk Rating: High Software: ServletExec 4.1 ISAPI / IIS 4 & 5 Platforms: Win2k / WinNT 4 Vendor URL: www.newatlanta.com Author: Matt Moore Date: 22 May 2002 Advisory ID#: wp-02-0006.txt Overview: ========= ServletExec 4.1 ISAPI is a Java Servlet/JSP Engine for Internet Information Server and is implemented as an ISAPI filter. The JSP functionality is provided by a servlet which is enabled by default and contains three security flaws. Details: ======== 1. ServletExec discloses physical path of webroot ================================================= It is possible to invoke the class 'com.newatlanta.servletexec.JSP10Servlet' directly by requesting a url such as: /servlet/com.newatlanta.servletexec.JSP10Servlet/ If no filename is supplied to it, then it returns an error message: Error. The file was not found. (filename = f:\inetpub\wwwroot\servlet\com.newatlanta.servletexec.JSP10Servlet\) disclosing the physical path of the web root. 2. JSP10Servlet allows files to be read from within IIS webroot =============================================================== By invoking the JSP10Servlet (or simply JSPServlet) using the URL described above, it is possible to read files from within the web root. It did not appear to be possible to 'break out' of the web root and read files from other parts of the file system. The path must be URL encoded for this to work. For instance, a request such as /servlet/com.newatlanta.servletexec.JSP10Servlet/..%5c..%5c\global.asa will retrieve the global.asa file, which is normally not served. 3. DoS via overly long request for .JSP file ============================================ By making a request for an overly long named .jsp file, Internet Information Server can be crashed. The denial of service condition can be triggered by either requesting an overly long named .jsp file: i.e. /servlet/AAAAAAAAAAAAAAA....AAAAAAAAAAAAAA.jsp or by invoking the JSPServlet or JSP10Servlet directly: or/servlet/com.newatlanta.servletexec.JSPServlet/AAAAAAAA....AAAA Patch Information: ================== There is a workaround for the physical path disclosure bug, which should be in the FAQ's at http://www.newatlanta.com/products/servletexec/self_help/faq_list.jsp The other issues are fixed in Patch #9 from ftp://ftp.newatlanta.com/public/4_1/patches/ Additional Information ====================== Nessus plugins are available to test for the vulnerabilities identified above, from www.nessus.org: servletExec_DoS.nasl (ID 10958) ServletExec_File_Reading.nasl (ID 10959) ServletExec_path_disclosure.nasl (ID 10960) www.westpoint.ltd.uk/advisories/wp-02-0006.txt