WebLogic Client Certificate Buffer Overflow (May 7, 2009)

Oracle WebLogic Server is a multi-tier Java Application Server platform. In a two- and three-tier application architecture, a web server receives forms or HTTP requests and passes them to application servers, which perform the actual processing. The connector software is the component the web server uses to communicate with the application server. Oracle WebLogic Server ships with a connector, named mod_wl, for the Apache HTTP server.

The Apache web server can receive HTTP requests over SSL. During the establishment of an SSL connection the server always sends its certificate to the client, while the client may optionally send its own certificate as a method of authentication. Once the certificates are verified, the connection proceeds and an encrypted channel is created.

A stack-based overflow vulnerability exists in WebLogic Server's connector software for the Apache HTTP server. Specifically, the vulnerability is due to improper validation of client certificates. When a client certificate is received, it is exported to the plug-in as a PEM-encoded certificate. The WebLogic connector software then copies the contents of the PEM-encoded certificate, stripping all CR/LF characters, into a fixed-size stack-based buffer. It has been observed that the vulnerable code does not verify the length of the certificate before copying it into the buffer.
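The copy pattern described above, with the missing length check added, as an illustrative example written for this page (it is not the mod_wl source, and the buffer size, function names and sample PEM body are assumptions). The copy routine drops CR/LF bytes as it goes and fails closed when the stripped certificate would not fit in the destination buffer, which is exactly the check the advisory says the vulnerable code lacked:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative fixed-size stack buffer, mirroring the pattern the advisory
 * describes. The real plug-in's buffer size is not given on the page; 4096
 * is an assumed value for this example. */
#define CERT_BUF_SIZE 4096

/* Copy a PEM-encoded certificate into `dst`, dropping CR and LF characters.
 * Returns the number of bytes written, or -1 if the stripped certificate
 * would not fit together with its terminating NUL. The bounds check is the
 * step the advisory says the vulnerable code omitted. */
int copy_pem_strip_crlf(const char *pem, size_t pem_len,
                        char *dst, size_t dst_size)
{
    size_t out = 0;
    if (pem == NULL || dst == NULL || dst_size == 0)
        return -1;
    for (size_t i = 0; i < pem_len; i++) {
        char c = pem[i];
        if (c == '\r' || c == '\n')
            continue;              /* stripped; consumes no output space */
        if (out + 1 >= dst_size)   /* keep room for the NUL terminator */
            return -1;             /* fail closed instead of overflowing */
        dst[out++] = c;
    }
    dst[out] = '\0';
    return (int)out;
}

/* Simulates the plug-in staging an exported client certificate in a stack
 * buffer. Returns 1 if the certificate was accepted, 0 if it was rejected
 * because it exceeds the buffer. */
int stage_client_cert(const char *pem, size_t pem_len)
{
    char buf[CERT_BUF_SIZE];
    int n = copy_pem_strip_crlf(pem, pem_len, buf, sizeof buf);
    if (n < 0)
        return 0;
    /* ... the stripped certificate would be forwarded to WebLogic here ... */
    return 1;
}

/* Constructed sample PEM body (not a real certificate), wrapped at 64
 * columns with CRLF line endings as an exported certificate might be. */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIBsampleSAMPLEsampleSAMPLEsampleSAMPLEsampleSAMPLEsampleSAMPLE\r\n"
    "sampleSAMPLEsampleSAMPLE==\r\n"
    "-----END CERTIFICATE-----\r\n";

int main(void)
{
    char out[CERT_BUF_SIZE];
    int n = copy_pem_strip_crlf(SAMPLE_PEM, strlen(SAMPLE_PEM), out, sizeof out);
    printf("stripped length: %d, accepted: %d\n", n,
           stage_client_cert(SAMPLE_PEM, strlen(SAMPLE_PEM)));

    /* An input larger than the staging buffer is rejected rather than
     * overwriting the stack. */
    char big[CERT_BUF_SIZE * 2];
    memset(big, 'A', sizeof big);
    printf("oversized accepted: %d\n", stage_client_cert(big, sizeof big));
    return 0;
}
```

The important design point is that the length check runs against the destination size on every byte written, not against the raw input length: because CR/LF bytes are discarded, the stripped output is shorter than the input, so a check on `pem_len` alone would reject valid certificates while a missing check allows the overflow the advisory describes.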

A remote unauthenticated attacker could exploit this vulnerability by supplying a specially crafted certificate to trigger a stack-based buffer overflow. Successful exploitation would result in code injection and execution with the privileges of the affected service. Code injection that does not result in execution will terminate the affected process due to memory corruption.

SonicWALL has released an IPS signature that detects and prevents attacks targeting this vulnerability. The signature addressing this vulnerability is:

  • 1442 WEB-ATTACKS SSL/TLS Overly Long Client Certificate Attempt