IRM 005: JWalk Application Server Version 3.2c9 Directory Traversal Vulnerability

[IRM Advisories <advisories () irmplc com>]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
IRM Security Advisory No. 005

JWALK application server version 3.2C9 Directory Traversal Vulnerability

Vulnerablity Type / Importance: Information Leakage / High

Problem discovered: November 28th 2002
Vendor contacted: November 28th 2002
Advisory published: March 20th 2003
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Abstract:
~~~~~~~~~

"JWalk is a complete development and deployment solution that includes point-and-click developer’s tools, specialized 
server software and self-updating thin client viewer software." - quote from Seagull software product documentation.

The Java-based product is supplied with a proprietary web server, and by using a browser it is possible to alter the 
URL to permit the contents of any file on the system to be viewed even those situated outside the web root. Using this 
method it is possible to view important configuration files including the "sam._" file which contains the Windows 
password database.


Description:
~~~~~~~~~~~~

Recently during a penetration test IRM identified a serious security vulnerability with the Jwalk application web 
server version 3.2C9. It appears that by issuing a URL containing unicode characters representing "../" directory 
traversal is possible. 

IRM used the following URL to obtain the Windows password file on the machine in question:

HTTP://<IP_address>/.%252e/.%252e/.%252e/winnt/repair/sam._ 

The server process appears to be running with sufficient privileges to read any file on the server (assuming the name 
and location of this file is known).


Tested Versions:
~~~~~~ ~~~~~~~~~
JWALK application server version 3.2C9 


Tested Operating Systems:
~~~~~~ ~~~~~~~~~ ~~~~~~~~
Microsoft Windows NT 4.0


Vendor & Patch Information:
~~~~~~ ~ ~~~~~ ~~~~~~~~~~~~
The vendor of this product, Seagull software, was contacted via email using the address "info-uk () seagull nl" on 28th 
November 2002. When no reply was received to this email, another email was sent on 7th January 2003 to the same 
address, and copied 
to "customercare () seagull nl" and "maintenance () seagull nl". The vendor telephoned IRM to confirm that it was 
indeed a security vulnerability and started work on a patch to resolve the issue. Subsequently, the vender explained 
that the fix would be available in the next service release of JWalk, 3.3c4, scheduled for delivery on Feb 10, 2003.


Workarounds:
~~~~~~~~~~~~
A workaround involves using different vendor's web server to serve the Jwalk application


Credits:
~~~~~~~~
Research & Advisory: Andy Davis 


Disclaimer:
~~~~~~~~~~~
All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.

A copy of this advisory may be found at
http://www.irmplc.com/advisories

The PGP key used to sign IRM advisories can be obtained from the above
URL, or from keyserver.net and its mirrors.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Information Risk Management Plc. 
http://www.irmplc.com, info () irmplc com
22 Buckingham Gate 
London 
SW1E 6LB
+44 (0)207 808 6420

Attachment: signature.asc
Description: This is a digitally signed message part