AOH :: HP Unsorted B :: BX2111.HTM

BEA WebLogic Server infinite invalid authentication attempts possible



S21SEC-040-en: Infinite invalid authentication attempts possible in BEA WebLogic Server
S21SEC-040-en: Infinite invalid authentication attempts possible in BEA WebLogic Server



##############################################################

                    - S21Sec Advisory -

##############################################################

   Title:   Infinite invalid authentication attempts possible in BEA
WebLogic Server
      ID:   S21SEC-040-en
Severity:   Medium
   Scope:   BEA Weblogic
Platforms:   All
Author: rpinuaga@s21sec.com 
URL: http://www.s21sec.com/avisos/s21sec-040-en.txt 
 Release:   Public



[ SUMMARY ]

It's possible to launch a credentials brute force attack against known
users through an internal servlet that permits the bypass of the user
locking mechanism.


[ AFFECTED VERSIONS ]

The vulnerability was confirmed on:
7.0sp6
8.1sp4
9.0sp2

Versions 6 and previous are not vulnerable.


[ DESCRIPTION ]

BEA WebLogic Server is the world leading application server software.

To avoid credential brute force attacks, Weblogic server have a locking
mechanism that lock the corresponding account after some invalid login
attempts.

The default lock shots if 5 invalid login attempts were made. The lock
remains 30 minutes.

S21SEC has found that exists an internal servlet that allow the guess of
valid credentials even if the attacked account is locked.

This allows infinite invalid authentication attempts against an account.
When the correct credentials are guessed, it's only needed to wait for the
account to unlock and then logon into the server.

The affected servlet is:

/wl_management_internal1/LogfileSearch (Version 7 & 8)
/bea_wls_diagnostics/accessor (Version 9)


[ WORKAROUND ]

BEA has released an advisory about this vulnerability. Updates and more
information are available at Bea website:

http://dev2dev.bea.com/pub/advisory/271 

[ ACKNOWLEDGMENTS ]

This vulnerability has been found and researched by:

Ramon Pinuaga Cascales 


[ REFERENCES ]

http://dev2dev.bea.com/pub/advisory/271 


The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.