tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
Date Wed, 09 Jan 2002 06:41:08 GMT
If FileUtil.safePath works on NT/W2K, then it is easier than that.  The
attached fixes it.  I only have my W98 box here (which as you've pointed out
for once works better :), so I want to test it tomorrow on NT before I
commit.
----- Original Message -----
From: "Larry Isaacs" <Larry.Isaacs@sas.com>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Tuesday, January 08, 2002 6:47 PM
Subject: RE: KPMG-2002003: Bea Weblogic DOS-device Denial of Service


I was too optimistic after testing only with Win98.  I get the same problem
with Win2k.

As you have probably already discovered, FileUtil.safePath() blocks the
attempt to read aux.jsp.  So getting past the version file safely should be
sufficient.  Updating the mangler looks like it would work, though the fix is
only as good as our list of DOS devices.
I'm aware of:

CON
NUL
COM1-COM9
LPT1-LPT9
AUX

Do you know of any others?

Larry

-----Original Message-----
From: Bill Barker [mailto:wbarker@wilshire.com]
Sent: Tue 1/8/2002 7:43 PM
To: Tomcat Developers List
Cc:
Subject: Re: KPMG-2002003: Bea Weblogic DOS-device Denial of Service



1.3.0_01 returns true for isFile on my Win-NT box.

I've attached the program I've been running (so as to avoid having to load
all of Tomcat).
----- Original Message -----
From: "Larry Isaacs" <Larry.Isaacs@sas.com>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Tuesday, January 08, 2002 4:01 PM
Subject: RE: KPMG-2002003: Bea Weblogic DOS-device Denial of Service


I find that isFile() returns false, at least for JDK 1.3.1 and JDK 1.2.2.
I tried JDK 1.1.8, but Tomcat 3.3.x wouldn't come up.  I get:

java.lang.ClassNotFoundException: org.apache.tomcat.startup.EmbededTomcat
        at org.apache.tomcat.util.compat.SimpleClassLoader.loadClass

My preference would be to build a solution on isFile() if it can be worked
out.  I still need to investigate where the test might best be applied.

Larry

-----Original Message-----
From: Bill Barker [mailto:wbarker@wilshire.com]
Sent: Tue 1/8/2002 3:39 PM
To: Tomcat Developers List
Cc:
Subject: Re: KPMG-2002003: Bea Weblogic DOS-device Denial of Service

This may be too kludgy, but my quick test shows that "aux.ver"
returns -11644473600000 for lastModified.

Less kludgy would be to simply add a complete list of DOS devices to the
"keywords" that are mangled.

----- Original Message -----
From: "Larry Isaacs" <Larry.Isaacs@sas.com>
To: "'Tomcat Developers List'" <tomcat-dev@jakarta.apache.org>
Sent: Tuesday, January 08, 2002 12:06 PM
Subject: RE: KPMG-2002003: Bea Weblogic DOS-device Denial of Service

This also causes Tomcat 3.3 to hang a thread when it tries to read aux.ver.
Tomcat 3.2.4 doesn't appear to have a problem and reports a "not found"
error.  A quick test of Tomcat 4.0.1 returned a blank page without hanging.

I'll investigate and prepare, if possible, a quick patch to Tomcat 3.3 and
make a proposal for a Tomcat 3.3.1 beta and release.

Thanks for relaying this.

Cheers,
Larry
> -----Original Message-----
> From: Jon Scott Stevens [mailto:jon@latchkey.com]
> Sent: Tuesday, January 08, 2002 2:36 PM
> To: tomcat-dev
> Subject: FW: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
>
>
> I'm curious how Tomcat deals with this issue.
>
> Oh yea. Yet another reason why JSP sucks. :-)
>
> -jon
>
> ------ Forwarded Message
> From: Peter Gründl <pgrundl@kpmg.dk>
> Date: Tue, 8 Jan 2002 16:33:26 +0100
> To: <bugtraq@securityfocus.com>
> Subject: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
>
> --------------------------------------------------------------------
>
>            -=>Bea Weblogic DOS-device Denial of Service<=-
>                       courtesy of KPMG Denmark
>
> BUG-ID: 2002003          Released: 8th Jan 2002
> --------------------------------------------------------------------
> Problem:
> ========
> A flaw in the way the Bea Weblogic server handles specific requests
> containing DOS-devices can cause a Denial of Service situation,
> where web requests are no longer being serviced.
>
> Vulnerable:
> ===========
> - Bea Weblogic Server 6.1 Service Pack 1 for Windows NT/2000
> - Older releases and other pure java application servers could be
>   vulnerable, but haven't been tested.
>
> Details:
> ========
> When the Weblogic server receives a .jsp request, it invokes an
> external compiler to deal with the .jsp resource requested. The
> server can be fooled into thinking you are requesting a valid .jsp
> resource by simply requesting a DOS-device (such as e.g. aux) and
> appending the .jsp extension to it (aux.jsp). The external compiler
> is then invoked and due to the nature of the DOS-devices, this
> working thread never finishes.
>
> The server can handle about 10-11 working threads, so when this
> number of active threads has been reached, the server will no
> longer service any requests. Since both HTTP and HTTPS are handled
> by the same module, both are crippled if one is attacked.
>
> Vendor URL:
> ===========
> You can visit the vendor's webpage here: http://www.beasys.com
>
> Vendor response:
> ================
> The vendor was contacted on the 6th of November, 2001. On the 15th
> of November the vendor confirms that they have reproduced the issue
> on Windows 2000 and Windows NT. The issue is assigned the bug id:
> CR062542 by the vendor. On the 3rd of January, 2002 the vendor
> confirmed the release of the new service pack and that it included
> the patch for this issue.
>
> Corrective action:
> ==================
> Upgrade to Service Pack 2, which can be downloaded here:
> http://commerce.beasys.com
>
>
>    Author: Peter Gründl (pgrundl@kpmg.dk)
>
> --------------------------------------------------------------------
> KPMG is not responsible for the misuse of the information we provide
> through our security advisories. These advisories are a service to
> the professional security community. In no event shall KPMG be liable
> for any consequences whatsoever arising out of or in connection
> with the use or spread of this information.
> --------------------------------------------------------------------
>
> ------ End of Forwarded Message
>
>
> --
> To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
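The device-name check the thread converges on (block the reserved names before any file lookup or compiler sees them, and mangle them out of generated file names), as an added example that is not Tomcat's or WebLogic's code. It uses Larry's list plus PRN, which Microsoft also documents as reserved; the underscore prefix in mangle_component is this example's own choice, not Tomcat's mangling scheme.

```python
# Added example (not Tomcat or WebLogic code): reject Windows reserved device
# names in request paths before any file or compiler touches them.
# Names are Larry's list plus PRN, which is documented by Microsoft as
# reserved but was not mentioned in the thread.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{n}" for n in range(1, 10)]
    + [f"LPT{n}" for n in range(1, 10)]
)


def device_stem(component: str) -> str:
    """Return the part of a file name Windows compares against device names.

    Windows ignores the extension ('aux.jsp' and 'aux.ver' both name AUX),
    anything after a colon, and trailing spaces and dots ('nul.' is NUL).
    The comparison is case-insensitive, so the stem is upper-cased.
    """
    stem = component.rstrip(" .")
    for sep in (".", ":"):
        stem = stem.split(sep, 1)[0]
    return stem.rstrip(" ").upper()


def is_reserved_device(component: str) -> bool:
    """True if opening this single path component would hit a DOS device."""
    return device_stem(component) in RESERVED_DEVICE_NAMES


def is_safe_request_path(path: str) -> bool:
    """Check every component of a request path (either slash style).

    A reserved name anywhere in the path is rejected, not only in the last
    component; this is deliberately conservative.
    """
    components = path.replace("\\", "/").split("/")
    return not any(is_reserved_device(c) for c in components if c)


def mangle_component(component: str) -> str:
    """Prefix a reserved stem so a generated file (.class, .ver) is never a device.

    Mirrors the 'add the DOS devices to the mangled keywords' idea from the
    thread; the underscore prefix is this example's choice, not Tomcat's.
    """
    if not is_reserved_device(component):
        return component
    return "_" + component
```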
