ACROS Security: Session Fixation Vulnerability in WebLogic Administration Console (#2008-03-11-2)
=====[BEGIN-ACROS-REPORT]=====
PUBLIC
=========================================================================
ACROS Security Problem Report #2008-03-11-2
-------------------------------------------------------------------------
ASPR #2008-03-11-2: Session Fixation Vulnerability in WebLogic
Administration Console
=========================================================================
Document ID: ASPR #2008-03-11-2-PUB
Vendor: BEA Systems (http://www.bea.com)
Target: BEA WebLogic Server 10.0
Impact: There is a session fixation vulnerability [1] in Bea
WebLogic 10.0 Administration Console that allows the
attacker to assume administrator's identity and thus
gain administrative access to console.
Severity: High
Status: Official patch available, workarounds available
Discovered by: Mitja Kolsek of ACROS Security
Current version
http://www.acrossecurity.com/aspr/ASPR-2008-03-11-2-PUB.txt
Summary
=======
There is a session fixation vulnerability [1] in Bea WebLogic 10.0
Administration Console that allows the attacker to assume administrator's
identity and thus gain administrative access to console. The session
management used for setting up and maintaining administrative sessions
allows the attacker to fix the administrative session cookie(s) in
administrator's web browser and use this cookie to access the
administration console after the administrator has logged into it. The
vulnerability is exploitable even if the Administration Console is only
accessed/accessible via HTTPS and even if Administrative Port is enabled.
Product Coverage
================
- WebLogic Server 10.0
Notes: Our tests were only performed on the above product version. Other
versions may or may not be affected.
Analysis
========
During a recent security analysis of a WebLogic-based application for our
customer we took a quick look at the WebLogic Administration Console, and
found it to be vulnerable to a session fixation attack that also works
through the Administrative Port. This attack, however, is dependent on two
conditions:
1) The attacker must be (or obtain the identity of) a non-administrative
WebLogic user; and
2) The WebLogic administrator must login to the Administration Console
directly through the URL path /console/login/LoginForm.jsp (and not
through /console or /console/, which are much more likely).
If the attacker fixes authentication cookies on the administrator's
browser (see [1] for various ways to do that), she effectively "hands
over" her identity to the administrator. The administrator, having such
cookies fixed, logs in to the Administration Console and doesn't get any
new cookies from the Console. This means that his successful
authentication results in overwriting the state of the session identified
by the cookies such that this session becomes associated with the
administrator (and no longer with the attacker's non-administrative user).
The final result is that the administrator who has just logged in to the
Administration Console is using the exact same cookies as the attacker,
therefore the attacker automatically gains access to the administrator's
session - and obtains administrator's identity.
Solution
========
BEA Systems has issued a security bulletin [2] and published a patch which
fixes this issue.
Workaround
==========
WebLogic administrators can manually delete all cookies in their browsers
before logging in to the Administration Console.
References
==========
[1] ACROS Security, "Session Fixation Vulnerability in Web-based
Applications"
http://www.acrossecurity.com/papers/session_fixation.pdf
[2] BEA Systems Security Advisory BEA08-196.00
http://dev2dev.bea.com/pub/advisory/270
Acknowledgments
===============
We would like to acknowledge Gordon Engel and Neil Smithline of BEA
Systems for professional handling of the identified vulnerability.
Contact
=======
ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor
e-mail: security@xxxxxxxxxxxxxxxxx
web: http://www.acrossecurity.com
phone: +386 2 3000 280
fax: +386 2 3000 282
ACROS Security PGP Key
http://www.acrossecurity.com/pgpkey.asc
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]
ACROS Security Advisories
http://www.acrossecurity.com/advisories.htm
ACROS Security Papers
http://www.acrossecurity.com/papers.htm
ASPR Notification and Publishing Policy
http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm
Disclaimer
==========
The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.
Revision History
================
March 11, 2008: Initial release
Copyright
=========
(c) 2008 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.
=====[END-ACROS-REPORT]=====