-- Corsaire Security Advisory --

Title: BEA Tuxedo Administration CGI multiple argument issues
Date: 04.07.03
Application: BEA Tuxedo 8.1 and prior
Environment: Various
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c030704-009


-- Scope --

The aim of this document is to clearly define several issues in the 
argument handling functionality of the BEA Tuxedo Administration Console 
application, as supplied by BEA Systems, Inc [1]. 


-- History --

Vendor notified: 04.07.03 
Document released: 31.10.03


-- Overview --

The BEA Tuxedo Administration Console is a CGI application that allows 
the remote administration of Tuxedo functions. One of the start-up 
arguments it accepts is a path to an INI file containing environmental 
settings. By entering various path values into this argument it is 
possible to:

- Confirm the existence of files outside of the web server environment.
- Cause a Denial of Services (DoS) on the web server host.
- Execute a cross-site scripting (XSS) attack through the application.


-- Analysis --

The BEA Tuxedo Administration Console is a CGI application that allows 
the remote administration of Tuxedo functions. One of the start-up 
arguments that this CGI application accepts is a path to an INI file. 
This file contains environmental variables, such as the default 
installation path of the Tuxedo application etc.  

The INIFILE argument appears not to be checked for any basic formatting 
issues such as a path outside of the web root, the use of device names, 
or for the presence of HTML constructs. 

By entering various path values into the INIFILE argument it is possible 
to use the Administration Console to confirm the existence of files 
outside of the web server environment, including those on different 
logical filesystems and even network drives. Through this approach it is 
possible to enumerate files, drives and hosts that are contactable by 
the target web server, so that they might be used with other exploits. 

By using standard device names (CON, AUX, COM1, COM2 etc) within the 
arguments, the server thread will become unresponsive until the 
service/daemon is restarted. 

By using HTML constructs, mobile code such as JAVA can be executed 
within the users context. This style of attack can be used to gain 
access to sensitive information, such as session cookies etc.


-- Proof of concept --

This proof of concept is known to work with a default BEA Tuxedo 
installation on a Windows platform. To make it work within different 
environments, you may need to alter the path used in the URL 
appropriately.

To replicate the XSS issue, initiate a connection to the server that is 
hosting the Tuxedo application, then use the following URL. 

   http://host/udataobj/webgui/cgi-bin/tuxadm.exe?
   INIFILE=<script>alert('XSS')</script>

This should result in an error, accompanied by a popup script dialog 
containing the message "XSS".


-- Recommendations --

The application should be reviewed in line with security best practises, 
such as those recommended by the OWASP project [2], with special 
consideration paid to the validation of input and output fields.

Access to administrative tools such as this should be restricted to 
trusted domains only and where possible, should also be protected by 
additional measures, such as strong authentication. 

BEA have released an advisory (BEA03-38.00) [3] detailing the 
availability of a patch to correct the issues. This should be reviewed 
and if found to be suitable, the patch should be applied. 


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
Multiple numbers to this issue: 

CAN-2003-0621 BEA Tuxedo Administration CGI file disclosure issue
CAN-2003-0622 BEA Tuxedo Administration CGI DoS issue
CAN-2003-0623 BEA Tuxedo Administration CGI XSS issue

These are candidates for inclusion in the CVE list, which standardises 
names for security problems (http://cve.mitre.org). 


-- References --

[1] http://www.bea.com
[2] http://www.owasp.org
[3] http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/
    advisory03_38_00.jsp


-- Revision --

a. Initial release.
b. Revised to include vendors recommendations.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


Copyright 2003 Corsaire Limited. All rights reserved.