Sybase EAServer 6.3.1 - Multiple Vulnerabilities

SEC Consult Vulnerability Lab Security Advisory < 20130719-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: Sybase EAServer
 vulnerable version: <=6.3.1
      fixed version: vendor did not supply version information
         CVE number: -
             impact: critical
           homepage: www.sybase.com
              found: 10/2012
                 by: Gerhard Wagner, Bernhard Mueller
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
Sybase EAServer fully supports all the Web services standards and enables
enterprises to rapidly expose business functions as Web services. EAServer also
provides a graphical interface to automate the publication and management of
your company’s Web services. Today, EAServer supports EJB and Java/CORBA
components, CICS integrator, and database stored procedures. These stored
procedures can be from all Sybase’s databases including ASE, SQL Anywhere,
and IQ; in addition, they will support IBM, Oracle, and Microsoft. EAServer can
also support iAnywhere messaging services, enabling the developer to expose
these components as Web services.


Business recommendation:
------------------------
The default applications that are deployed by default during the installation
of Sybase EAServer should be removed. Further, it is recommended to test the
patches provided by Sybase.


Vulnerability overview/description:
-----------------------------------
1) Directory traversal
In order to use a common web server such as IIS as a fronted and forward only
certain requests to the Sybase EAServer it is a common practice to install and
configure the EAServer redirector plug-in. An incoming request will be received
by the web server, validated if it matches any context configured within the
redirector plug-in and if so forwarded to the appropriate application context.
So a request such as the following will be forwarded by the redirector plug-in
in case the configuration contains such an application.

https://example.com/myapp -> https://myEAServer/myapp

If the request contains a path like "/\.." the redirector plug-in is not
normalising the path as a part of the "myapp" application. Therefore, the
request will be passed on to the Sybase EAServer where backslash as well as
forward slash are valid directory separators and therefore using such a method
it is possible to access all deployed applications.

https://example.com/myapp/%5C../another_application


2) XML entity injection
Due to insufficient input validation it is possible to pass external entity
definitions to the server-side XML processor for REST requests with an XML
media type. By calling the built-in function testDataTypes() an attacker can
list directories and display arbitrary files on the affected system, as long as
the files don't conflict with the UTF-8 encoding.


3) OS command execution
The WSH service allows to run OS commands and it can only be accessed providing
administrative credentials. Using the XXE vulnerability mentioned before it is
potentially possible to retrieve the credentials from configuration files and
run OS commands using the WSH service.



Proof of concept:
-----------------
1) Directory traversal
The following request allows to access the Sybase EAServer management
application:

https://example.com/myapp/%5C../console/Login.jsp

Also the other applications that come by default with Sybase EAServer can be
accessed using their respective context for example:

/rest
/wsh
/wsf
...



2) XML entity injection
The following XML message displays the contents of the drive C: on a Windows
system:

<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///C:\">]>

<lol>
<dt>
<stringValue>&xxe;</stringValue>
<booleanValue>0</booleanValue>
</dt>
</lol>



3) OS command execution
Due to the potential impact the proof-of-concept has been removed.


Vulnerable / tested versions:
-----------------------------
The issues have been tested in Sybase EAServer 6.3.1 on Windows.


Vendor contact timeline:
------------------------
2013-03-11: Contact the vendor and provide vulnerability information
2013-06-11: Vendor fixes the issues
2013-06-28: Agreement on disclosure date 2013-07-19
2013-07-19: Public disclosure


Solution:
---------
According to the vendor customers can download the latest patches from
http://www.sybase.com/downloads. The patches have not been tested by
SEC Consult.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF G. Wagner / @2013