Sybase EAServer 6.3.1 Directory Traversal / XXE Injection / Command Execution

`SEC Consult Vulnerability Lab Security Advisory < 20130719-0 >  
=======================================================================  
title: Multiple vulnerabilities  
product: Sybase EAServer  
vulnerable version: <=6.3.1  
fixed version: vendor did not supply version information  
CVE number: -  
impact: critical  
homepage: www.sybase.com  
found: 10/2012  
by: Gerhard Wagner, Bernhard Mueller  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor description:  
-------------------  
Sybase EAServer fully supports all the Web services standards and enables  
enterprises to rapidly expose business functions as Web services. EAServer also  
provides a graphical interface to automate the publication and management of  
your company’s Web services. Today, EAServer supports EJB and Java/CORBA  
components, CICS integrator, and database stored procedures. These stored  
procedures can be from all Sybase’s databases including ASE, SQL Anywhere,  
and IQ; in addition, they will support IBM, Oracle, and Microsoft. EAServer can  
also support iAnywhere messaging services, enabling the developer to expose  
these components as Web services.  
  
  
Business recommendation:  
------------------------  
The default applications that are deployed by default during the installation  
of Sybase EAServer should be removed. Further, it is recommended to test the  
patches provided by Sybase.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Directory traversal  
In order to use a common web server such as IIS as a fronted and forward only  
certain requests to the Sybase EAServer it is a common practice to install and  
configure the EAServer redirector plug-in. An incoming request will be received  
by the web server, validated if it matches any context configured within the  
redirector plug-in and if so forwarded to the appropriate application context.  
So a request such as the following will be forwarded by the redirector plug-in  
in case the configuration contains such an application.  
  
https://example.com/myapp -> https://myEAServer/myapp  
  
If the request contains a path like "/\.." the redirector plug-in is not  
normalising the path as a part of the "myapp" application. Therefore, the  
request will be passed on to the Sybase EAServer where backslash as well as  
forward slash are valid directory separators and therefore using such a method  
it is possible to access all deployed applications.  
  
https://example.com/myapp/%5C../another_application  
  
  
2) XML entity injection  
Due to insufficient input validation it is possible to pass external entity  
definitions to the server-side XML processor for REST requests with an XML  
media type. By calling the built-in function testDataTypes() an attacker can  
list directories and display arbitrary files on the affected system, as long as  
the files don't conflict with the UTF-8 encoding.  
  
  
3) OS command execution  
The WSH service allows to run OS commands and it can only be accessed providing  
administrative credentials. Using the XXE vulnerability mentioned before it is  
potentially possible to retrieve the credentials from configuration files and  
run OS commands using the WSH service.  
  
  
  
Proof of concept:  
-----------------  
1) Directory traversal  
The following request allows to access the Sybase EAServer management  
application:  
  
https://example.com/myapp/%5C../console/Login.jsp  
  
Also the other applications that come by default with Sybase EAServer can be  
accessed using their respective context for example:  
  
/rest  
/wsh  
/wsf  
...  
  
  
  
2) XML entity injection  
The following XML message displays the contents of the drive C: on a Windows  
system:  
  
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [  
<!ELEMENT foo ANY >  
<!ENTITY xxe SYSTEM "file:///C:\">]>  
  
<lol>  
<dt>  
<stringValue>&xxe;</stringValue>  
<booleanValue>0</booleanValue>  
</dt>  
</lol>  
  
  
  
3) OS command execution  
Due to the potential impact the proof-of-concept has been removed.  
  
  
Vulnerable / tested versions:  
-----------------------------  
The issues have been tested in Sybase EAServer 6.3.1 on Windows.  
  
  
Vendor contact timeline:  
------------------------  
2013-03-11: Contact the vendor and provide vulnerability information  
2013-06-11: Vendor fixes the issues  
2013-06-28: Agreement on disclosure date 2013-07-19  
2013-07-19: Public disclosure  
  
  
Solution:  
---------  
According to the vendor customers can download the latest patches from  
http://www.sybase.com/downloads. The patches have not been tested by  
SEC Consult.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius  
  
Headquarter:  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF G. Wagner / @2013  
  
  
`