Vulnerabilities 2007 Banner
Tuesday 6 January 2009

PR08-09: Unauthenticated File Retrieval on Sun Java System Identity Manager "ext" parameter

Date Found: 25th April 2008

Vendor Contacted: 28th April 2008

Date Public: 10th November 2008

Severity: High

Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com).

ProCheckUp thanks Sun for working with us.

Description:

Sun Java System Identity Manager is vulnerable to unauthenticated file retrieval a.k.a. directory traversal within the "ext" parameter processed by the "/idm/includes/helpServer.jsp" server-side script.

Consequences:

Any files can be retrieved from the target server provided that the attacker knows its location on the filesystem. No authentication is required to exploit this vulnerability.

Proof of concept (PoC):

Due to the severity of this issue, ProCheckUp will keep the PoC private until all Sun Identity Manager customers are given enough time to update.

Successfully tested on:

Server environment:

Sun Java System Identity Manager 6.0 (20061212 SP 2)
Apache-Coyote/1.1
Apache Tomcat/5.0.28

Client environment:

Microsoft Internet Explorer 7.0.5730.11

Note: the version of Sun Java SIM can be obtained from the HTML source code of the user login page: "/idm/user/login.jsp". i.e.:

[snip]

<a onmouseover="return overlib('Open <b>Help</b><br>Version &nbsp;
Sun Java System Identity Manager 6.0 (20061212 SP 2)',
	FGCOLOR, '#F5F5DC',
	BGCOLOR, '#000000',
	DELAY, '750')" 
[snip]

Sun has confirmed the following products to be affected by this issue:

Sun Java System Identity Manager 6.0, Sun Java System Identity Manager 7.0, Sun Java System Identity Manager 7.1

References:

http://www.procheckup.com/Vulnerabilities
http://www.sun.com/software/products/identity_mgr/index.xml

Fix:

Apply the patches released by Sun. This vulnerability has been filed as Sun Bugzilla bug 18653.

http://sunsolve.sun.com/search/document.do?assetkey=1-26-243386-1

Legal:

Copyright 2008 ProCheckUp Ltd.

All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if the Bulletin is not changed or edited in any way, is attributed to ProCheckUp indicating this web page URL, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited.

ProCheckUp is not liable for any misuse of this information by any third party. ProCheckUp is not responsible for the content of external Internet sites.
Case Study SC Magazine
Sample Report
Press Releases
 
  Site Map
Privacy Policy
Terms and Conditions
© ProCheckUp Ltd 2008