Thanks for the list. I had forgotten PRN and would have never thought of CLOCK$. I think using "FileInputStream.available() > 0" has a good chance of handling the user defined devices. I don't see doing any more for that unlikely case. Thanks for being thorough though.

Larry

-----Original Message-----
From: Jim Seach [mailto:[EMAIL PROTECTED]]
Sent: Tue 1/8/2002 11:24 PM
To: Tomcat Developers List
Cc:
Subject: RE: KPMG-2002003: Bea Weblogic DOS-device Denial of Service

I found this at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/fsys_7qwj.asp

The following reserved words cannot be used as the name of a file: CON, PRN, AUX, CLOCK$, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9. Also, reserved words followed by an extension—for example, NUL.tx7—are invalid file names.

And unfortunately, I also found this:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/filesio_697p.asp

Platform SDK: File Storage
DefineDosDevice

The DefineDosDevice function defines, redefines, or deletes MS-DOS device names.

BOOL DefineDosDevice(
  DWORD dwFlags,          // options
  LPCTSTR lpDeviceName,   // device name
  LPCTSTR lpTargetPath    // path string
);

It looks like you can create your own device names, so just keeping a list of the standard ones won't work in all cases.

Hope this helps,

Jim Seach

--- Larry Isaacs <[EMAIL PROTECTED]> wrote:
> I was too optimistic after testing only with Win98. I get the same
> problem with Win2k.
>
> As you have probably already discovered, FileUtil.savePath() blocks
> the attempt to read aux.jsp. So getting past the version file safely
> should be sufficient. Updating the mangler looks like it would work,
> though the fix is only as good as our list of DOS devices.
> I'm aware of:
>
> CON
> NUL
> COM1-COM9
> LPT1-LPT9
> AUX
>
> Do you know of any others?
>
> Larry
>
> -----Original Message-----
> From: Bill Barker [mailto:[EMAIL PROTECTED]]
> Sent: Tue 1/8/2002 7:43 PM
> To: Tomcat Developers List
> Cc:
> Subject: Re: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
>
> 1.3.0_01 returns true for isFile on my Win-NT box.
>
> I've attached the program I've been running (so as to avoid having to
> load all of Tomcat).
>
> ----- Original Message -----
> From: "Larry Isaacs" <[EMAIL PROTECTED]>
> To: "Tomcat Developers List" <[EMAIL PROTECTED]>
> Sent: Tuesday, January 08, 2002 4:01 PM
> Subject: RE: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
>
> > I find that isFile() returns false, at least for JDK 1.3.1 and
> > JDK1.2.2. I tried JDK1.1.8, but Tomcat 3.3.x wouldn't come up. I get:
> >
> > java.lang.ClassNotFoundException:
> > org.apache.tomcat.startup.EmbededTomcat
> >         at org.apache.tomcat.util.compat.SimpleClassLoader.loadClass
> >
> > My preference would be to build a solution on isFile() if it can be
> > worked out. I still need to investigate where the test might best be
> > applied.
> >
> > Larry
> >
> > -----Original Message-----
> > From: Bill Barker [mailto:[EMAIL PROTECTED]]
> > Sent: Tue 1/8/2002 3:39 PM
> > To: Tomcat Developers List
> > Cc:
> > Subject: Re: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
> >
> > This may be too kludgy, but my quick test shows that "aux.ver"
> > returns -11644473600000 for lastModified.
> >
> > Less kludgy would be to simply add a complete list of DOS devices to
> > the "keywords" that are mangled.
> >
> > ----- Original Message -----
> > From: "Larry Isaacs" <[EMAIL PROTECTED]>
> > To: "'Tomcat Developers List'" <[EMAIL PROTECTED]>
> > Sent: Tuesday, January 08, 2002 12:06 PM
> > Subject: RE: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
> >
> > > This also causes Tomcat 3.3 to hang a thread when it
> > > tries to read aux.ver. Tomcat 3.2.4 doesn't appear
> > > to have a problem and reports a "not found" error.
> > > A quick test of Tomcat 4.0.1 returned a blank page
> > > without hanging.
> > > I'll investigate and prepare, if possible, a quick
> > > patch to Tomcat 3.3 and make a proposal for a
> > > Tomcat 3.3.1 beta and release.
> > > Thanks for relaying this.
> > > Cheers,
> > > Larry
> > >
> > > -----Original Message-----
> > > From: Jon Scott Stevens [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, January 08, 2002 2:36 PM
> > > To: tomcat-dev
> > > Subject: FW: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
> > >
> > > I'm curious how Tomcat deals with this issue.
> > >
> > > Oh yea. Yet another reason why JSP sucks. :-)
> > >
> > > -jon
> > >
> > > ------ Forwarded Message
> > > From: Peter Gründl <[EMAIL PROTECTED]>
> > > Date: Tue, 8 Jan 2002 16:33:26 +0100
> > > To: <[EMAIL PROTECTED]>
> > > Subject: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
> > >
> > > --------------------------------------------------------------------
> > >
> > > -=>Bea Weblogic DOS-device Denial of Service<=-
> > > courtesy of KPMG Denmark
> > >
> > > BUG-ID: 2002003 Released: 8th Jan 2002
> > > --------------------------------------------------------------------
> > > Problem:
> > > ========
> > > A flaw in the way the Bea Weblogic server handles specific requests
> > > containing DOS-devices can cause a Denial of Service situation,
> > > where web requests are no longer being serviced.
> > >
> > > Vulnerable:
> > > ===========
> > > - Bea Weblogic Server 6.1 Service Pack 1 for Windows NT/2000
> > > - Older releases and other pure java application servers could be
> > >   vulnerable, but haven't been tested.
> > >
> > > Details:
> > > ========
> > > When the Weblogic server receives a .jsp request, it invokes an
> > > external compiler to deal with the .jsp resource requested. The
> > > server can be fooled into thinking you are requesting a valid .jsp
> > > resource by simply requesting a DOS-device (such as eg. aux) and
> > > appending the .jsp extension to it (aux.jsp). The external compiler
> > > is then invoked and due to the nature of the DOS-devices, this
> > > working thread never finishes.
> > >
> > > The server can handle about 10-11 working threads, so when this
> > > number of active threads has been reached, the server will no
> > > longer service any requests. Since both HTTP and HTTPS are handled
> > > by the same module, both are crippled if one is attacked.
> > >
> > > Vendor URL:
> > > ===========
> > > You can visit the vendor's webpage here: http://www.beasys.com
> > >
> > > Vendor response:
> > > ================
> > > The vendor was contacted on the 6th of November, 2001. On the 15th
> > > of November the vendor confirms that they have reproduced the issue
> > > on Windows 2000 and Windows NT. The issue is assigned the bug id:
> > > CR062542 by the vendor. On the 3rd of January, 2002 the vendor
> > > confirmed the release of the new service pack and that it included
> > > the patch for this issue.
> > >
> > > Corrective action:
> > > ==================
> > > Upgrade to Service Pack 2, which can be downloaded here:
> > > http://commerce.beasys.com
> > >
> > > Author: Peter Gründl ([EMAIL PROTECTED])
> > >
> > > --------------------------------------------------------------------
> > > KPMG is not responsible for the misuse of the information we provide
> > > through our security advisories. These advisories are a service to
> > > the professional security community. In no event shall KPMG be liable
> > > for any consequences whatsoever arising out of or in connection
> > > with the use or spread of this information.
> > > --------------------------------------------------------------------
> > >
> > > ------ End of Forwarded Message
-- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
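The filename check the thread converges on (Jim Seach's MSDN reserved-word list, applied to the final path component with any extension stripped, so "aux.jsp" and "aux.ver" are caught), written out as an added example; it is not code from the thread or from Tomcat, and the class and method names are assumptions. As the thread notes, a fixed list cannot cover names created with DefineDosDevice.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Rejects request paths whose final component names a reserved MS-DOS
 * device, so the container never tries to open it as a file.
 * Added example: DosDeviceGuard and isReservedDosDevice are assumed names.
 */
public final class DosDeviceGuard {

    // Reserved names from the MSDN page quoted in the thread.
    private static final Set<String> RESERVED = new HashSet<>(Arrays.asList(
        "CON", "PRN", "AUX", "CLOCK$", "NUL",
        "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
        "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9"));

    /**
     * True if the last path component is a reserved device name, with or
     * without an extension (AUX, aux.jsp and NUL.tx7 all match). Device
     * names defined with DefineDosDevice are not in the list and pass.
     */
    public static boolean isReservedDosDevice(String path) {
        if (path == null || path.isEmpty()) {
            return false;
        }
        // Take the final component of a URL-style or Windows path.
        int slash = Math.max(path.lastIndexOf('/'), path.lastIndexOf('\\'));
        String name = path.substring(slash + 1);
        // Everything before the first dot is what Windows treats as the name.
        int dot = name.indexOf('.');
        if (dot >= 0) {
            name = name.substring(0, dot);
        }
        // Device names are case-insensitive.
        return RESERVED.contains(name.trim().toUpperCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample paths; "aux.ver" is the version file named in the thread.
        String[] samples = { "/examples/aux.jsp", "aux.ver", "NUL.tx7",
                             "com1", "/index.jsp", "auxiliary.jsp" };
        for (String s : samples) {
            System.out.println(s + " -> " + (isReservedDosDevice(s) ? "reject" : "ok"));
        }
    }
}
```

The last two samples show the check does not trip on ordinary names such as "index.jsp" or names that merely start with a device word.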