@stake Advisory: SiteMinder Access Control Bypass (A091100-1)

2000-09-12T00:00:00
ID SECURITYVULNS:DOC:673
Type securityvulns
Reporter Securityvulns
Modified 2000-09-12T00:00:00

Description


                           @stake Inc.
                        www.atstake.com

                       Security Advisory

Advisory Name: SiteMinder Access Control Bypass (A091100-1)
Release Date: 09/11/2000
Application: Netegrity SiteMinder 3.6, 4.0
Platform: Solaris 2.x, Windows NT
Severity: Access control mechanism can be bypassed
Authors: David Litchfield (dlitchfield@atstake.com)
         Mark Litchfield (mlitchfield@atstake.com)
Contributors: Frank Swiderski (fes@atstake.com)
Vendor Status: Vendor has released a patch
Web: www.atstake.com/research/advisories/2000/a091100-1.txt

Overview:

Netegrity's SiteMinder (http://www.netegrity.com/products/siteminder.html) is a web access control product for Solaris and Windows NT that implements various authentication mechanisms to protect content on websites. It features native integration with industry-standard LDAP, NDS, and NT directory services as well as SQL databases.

SiteMinder supports more fine-grained access control than is normally provided by web servers. For example, user access can be restricted to the level of buttons or form fields whereas web servers generally restrict access at the page level.

Due to an error in SiteMinder's URL parsing, it is possible for an attacker to bypass the authentication phase and view protected web pages directly.

Detailed Description:

SiteMinder's authentication mechanism can be bypassed by using a properly crafted URL. For example, assume the following web page is protected:

http://www.mysite.com/cgi-bin/secrets.html

Normally, if someone were to try accessing this page, SiteMinder would intercept the request and prompt for a username and password before allowing the user to execute the script and view the results. However, the user can make a small modification to the URL to avoid the authentication phase:

http://www.mysite.com/cgi-bin/secrets.html/$/foo.ccc

When using a URL crafted in this manner, SiteMinder appears to ignore its access control policy and simply allows the requested page to be served to the attacker with no further prompting.

This vulnerability can be used not only to view static web pages, but also to execute CGI applications and to view server-side source code. Again, all of these actions can be performed without ever being prompted for authorization. Example URLs are as follows:

To execute a CGI application:

http://www.mysite.com/cgi-bin/restricted.cgi$/foo.ccc?subject=blah

To view the source code for that CGI application:

http://www.mysite.com/cgi-bin/restricted.cgi/$/foo.ccc

To execute a servlet:

http://www.mysite.com/applets/restricted/$/foo.ccc?query=blah

In the example URLs, the non-existent file "foo.ccc" is used after the "$/" delimiter; however, any filename can be used here provided it has an extension of .ccc, .class, or .jpg (and possibly others that have not yet been discovered).
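Requests carrying the "$/" delimiter described above are easy to spot in web-server access logs. The following detection routine is an added example, not part of the original advisory or of Netegrity's product; it parses Common Log Format lines (the sample lines are constructed) and reports each request that matches the advisory's pattern, together with the resource that was actually targeted and whether the server answered 200.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access log in Common Log Format (not from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Sep/2000:10:01:22 -0400] "GET /cgi-bin/secrets.html HTTP/1.0" 401 0
10.0.0.5 - - [11/Sep/2000:10:01:30 -0400] "GET /cgi-bin/secrets.html/$/foo.ccc HTTP/1.0" 200 1342
10.0.0.7 - - [11/Sep/2000:10:02:01 -0400] "GET /cgi-bin/restricted.cgi$/foo.ccc?subject=blah HTTP/1.0" 200 512
10.0.0.7 - - [11/Sep/2000:10:02:15 -0400] "GET /applets/restricted/$/x.class?query=blah HTTP/1.0" 200 88
10.0.0.9 - - [11/Sep/2000:10:03:00 -0400] "GET /images/logo.jpg HTTP/1.0" 200 4100
"""

# Minimal Common Log Format parser: client, timestamp, method, request target, status.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The advisory's delimiter: "$/" followed by a filename whose extension is one of
# those the advisory lists as bypassing the policy (.ccc, .class, .jpg).
BYPASS_RE = re.compile(r'\$/(?P<fname>[^/]+\.(?P<ext>ccc|class|jpg))$', re.IGNORECASE)


def find_bypass_attempts(log_text):
    """Return one record per request whose path matches the "$/<file>.<ext>" pattern."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        # Work on the decoded path only; the query string is irrelevant to the match.
        path = unquote(urlsplit(m.group('target')).path)
        b = BYPASS_RE.search(path)
        if not b:
            continue
        # Everything before "$/" is the protected resource the request really targets.
        resource = path[:b.start()].rstrip('/') or '/'
        hits.append({
            'client': m.group('ip'),
            'time': m.group('ts'),
            'resource': resource,
            'ext': b.group('ext').lower(),
            'served': m.group('status') == '200',  # 200 on an unpatched server = bypass
        })
    return hits


if __name__ == '__main__':
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(hit)
```

A hit with `served` set to True on a SiteMinder version before the vendor patch indicates protected content was returned without authentication and should be treated as an incident, not just a probe.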

Vendor Response (received via email from Netegrity):

Netegrity identified and fixed this issue earlier this year. The issue does not exist in the currently shipping SiteMinder 4.11 product, which has already been distributed to all customers on maintenance. Customers using previous versions of SiteMinder have been notified of the issue and alerted that they can download the patch from the customer support section of the Netegrity web site. Customers can also call customer service at 800-325-9870 with any questions or concerns.

Recommendations:

First install the vendor patch. The patch does not fix the protection of URLs that do not have a file extension, which is commonly the case for CGI programs and servlets. An example is the following:

http://www.mysite.com/applets/restricted

In this case, add a file extension so that the patch will protect the URL:

http://www.mysite.com/applets/restricted.applet

For more advisories: http://www.atstake.com/research/index.html
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.
