Vulnerabilities > CVE-2010-0386 - Configuration vulnerability in SUN Java System Application Server 7.0

CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE

Summary

The default configuration of Sun Java System Application Server 7 and 7 2004Q2 enables the HTTP TRACE method, which makes it easier for remote attackers to steal cookies and authentication credentials via a cross-site tracing (XST) attack; this is a related issue to CVE-2004-2763 and CVE-2005-3398.

Per http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1 (Contributing Factors), this issue can occur in the following releases:
* Sun Java System Application Server Standard Edition 7 and later updates
* Sun Java System Application Server Standard Edition 7 2004Q2 and later updates
* Sun Java System Application Server Platform Edition 7 and later updates

Vulnerable Configurations

Part Description Count
Application
Sun
3

Common Weakness Enumeration (CWE)

Nessus

NASL family: Web Servers
NASL id: XST_HTTP_TRACE.NASL
description: The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
last seen: 2020-04-30
modified: 2003-01-23
plugin id: 11213
published: 2003-01-23
reporter: This script is Copyright (C) 2003-2020 E-Soft Inc.
source: https://www.tenable.com/plugins/nessus/11213
title: HTTP TRACE / TRACK Methods Allowed
code
#
# This script was written by Thomas Reinke <[email protected]>
# Improvements re TRACK and RFP reference courtesy of <[email protected]>
# Improvements by rd - http_get() to get full HTTP/1.1 support,
# security_warning() instead of security_hole(), slight re-phrasing
# of the description
#
# See the Nessus Scripts License for details
#

# Changes by Tenable:
#   - added solution in the plugin output for JSAS9 (3/29/13)
#   - added CVE xref.
#   - title update (9/18/09)
#   - updated CVSS score (12/14/2015)
#   - Added note when TRACE/TRACK is enabled but reply is empty, added CVSSv3 score. (26/11/2018)

include("compat.inc");

if (description)
{
 # Plugin registration block: identifiers, cross-references, CVSS scoring
 # and the text attributes shown in the scanner UI. Nothing in here touches
 # a target; the detection logic runs further down.
 script_id(11213);
 script_version("1.73");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

 # Cross-references: the three CVEs this single check maps to
 # (CVE-2010-0386 being the Sun JSAS 7 default-configuration issue),
 # plus BugTraq ids and CERT vulnerability notes.
 script_cve_id("CVE-2003-1567", "CVE-2004-2320", "CVE-2010-0386");
 script_bugtraq_id(9506, 9561, 11604, 33374, 37995);
 script_xref(name:"CERT", value:"288308");
 script_xref(name:"CERT", value:"867593");

 script_name(english:"HTTP TRACE / TRACK Methods Allowed");
 script_summary(english:"Test for TRACE / TRACK Methods.");

 # Text attributes. The generic solution below points the reader at the
 # plugin output, where the detection code appends server-specific
 # remediation text chosen from the sol[] table.
 script_set_attribute(attribute:"synopsis", value:
"Debugging functions are enabled on the remote web server.");
 script_set_attribute(attribute:"description", value:
"The remote web server supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods that are used to debug web server
connections.");
 script_set_attribute(attribute:"see_also", value:"https://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf");
 script_set_attribute(attribute:"see_also", value:"http://www.apacheweek.com/issues/03-01-24");
 script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1000718.1.html");
 script_set_attribute(attribute:"solution", value:
"Disable these HTTP methods. Refer to the plugin output for more information.");
 # CVSSv2 and CVSSv3 vectors both score Confidentiality impact only
 # (C:P / C:L, I:N, A:N). The score source is CVE-2004-2320 and the
 # rationale attribute records why Integrity is not counted.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
 script_set_attribute(attribute:"cvss_score_source", value:"CVE-2004-2320");
 script_set_attribute(attribute:"cvss_score_rationale", value:"Tenable believes the XST vulnerability only affects Confidentiality, not Integrity (reflected in NVD's score for CVE-2010-0386)");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");
 # CWE-16 (Configuration) and CWE-200 (information exposure).
 script_cwe_id(16, 200);

 script_set_attribute(attribute:"vuln_publication_date", value:"2003/01/20");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/01/23");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2003-2020 E-Soft Inc.");
 script_family(english:"Web Servers");

 # Ordering: http_version.nasl must have run first, and a web port must be
 # known (KB key Services/www, defaulting to 80) for this plugin to launch.
 script_dependencies("http_version.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

# Remediation text table, keyed by web-server family. The detection code
# below selects one entry by matching the Server: banner and appends it to
# the report passed to security_warning(), so every string here is emitted
# verbatim to the user. Servers whose banner matches no key get only the
# generic solution attribute from the description block.

# Apache: mod_rewrite rule that rejects TRACE/TRACK per virtual host; newer
# releases expose the 'TraceEnable' directive instead.
sol["apache"] = "
To disable these methods, add the following lines for each virtual
host in your configuration file :

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.
";

# Microsoft IIS: method filtering via URLScan.
sol["iis"] = "
Use the URLScan tool to deny HTTP TRACE requests or to permit only the
methods needed to meet site requirements and policy.
";

# Sun ONE Web Server: obj.conf <Client> block that answers TRACE with 501;
# older releases (6.0 SP2 and below) need the NSAPI plugin from the alert.
sol["SunONE"] = '
To disable this method, add the following to the default object
section in obj.conf :

    <Client method="TRACE">
     AuthTrans fn="set-variable"
     remove-headers="transfer-encoding"
     set-headers="content-length: -1"
     error="501"
    </Client>

If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile
the NSAPI plugin located at :

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
';

# Sun Java System Application Server 7 (the CVE-2010-0386 case): same
# <Client> approach as Sun ONE, in the per-instance obj.conf.
sol["Sun_JSAS7"] = '
To disable this method, add the following to the top of the default
object in <server-instance>-obj.conf :

  <Client method="TRACE">
  AuthTrans fn="set-variable" remove-headers="transfer-encoding"
  set-headers="content-length: -1" error="501"
           </Client>

and restart the Application server.
';

# Sun Java System Application Server 9: 'traceEnabled' property in domain.xml.
# this fix also works for JSAS 8 (tested against 8.2) even though it's undocumented for that version.
# unfortunately version 8 doesn't explicitly report its version in the server header
sol["Sun_JSAS9"] = '
To disable this method, edit domain.xml, adding the "traceEnabled"
property (set to "false") to the end of the http-service element :

        <property name="traceEnabled" value="false"/>
      </http-service>

and restart the application server.  Refer to the JSAS 9 Administrator
Reference for more information :

http://docs.oracle.com/cd/E19501-01/819-3661/auto126/index.html
';

#
# The script code starts here
#

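include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

# Detection: send a TRACE and a TRACK request for a path that does not
# exist and look for the request line (and our own User-Agent header)
# echoed back in a 200 response. A server that reflects request headers
# this way is what makes cross-site tracing (XST) possible.

# Explanatory text appended to the final "not affected" message when a
# method is enabled but the server echoes nothing back.
note = "";
# Server-specific remediation text (from sol[]) plus the request/response
# excerpt. Initialised explicitly, like 'note', so the later '+=' never
# operates on an unset variable when no banner pattern matched.
report = "";

port = get_http_port(default:80, embedded:TRUE);
if (! get_port_state(port)) exit(0, 'Port ' + port + ' is not open.');

banner = get_http_banner(port:port);
if ( ! banner ) exit(1, 'Unable to get the web server banner on port ' + port + '.');

# Choose the remediation text from the advertised server family. Banners
# matching none of these keep the generic solution from the description
# block only.
if ( egrep(pattern:"^Server:.*IIS", string:banner) ) report = sol["iis"];
else if ( egrep(pattern:"^Server:.*Apache", string:banner) ) report = sol["apache"];
else if ( egrep(pattern:"^Server.*SunONE", string:banner) ) report = sol["SunONE"];
else if ( egrep(pattern:"^Server.*Sun-Java-System-Application-Server/7", string:banner) ) report = sol["Sun_JSAS7"];
else if ( egrep(pattern:"^Server.*Sun Java System Application Server (Platform Edition )?9", string:banner) ) report = sol["Sun_JSAS9"];

# A random, non-existent path: a 200 for it can only come from the
# method echoing the request, not from a real resource being served.
file = "/Nessus" + rand() + ".html";

# Build a well-formed HTTP/1.1 GET via http_get() and rewrite only the
# method token, so headers such as Host and User-Agent stay intact.
cmd1 = http_get(item:file, port:port);
cmd2 = cmd1;
cmd1 = ereg_replace(pattern:"GET /", string:cmd1, replace:"TRACE /");
cmd2 = ereg_replace(pattern:"GET /", string:cmd2, replace:"TRACK /");

# Our own User-Agent line; a genuine echo must reflect it, which is the
# header-reflection behaviour XST relies on.
ua = egrep(pattern:"^User-Agent", string:cmd1, icase:TRUE);

# --- TRACE ---------------------------------------------------------------
reply = http_keepalive_send_recv(port:port, data:cmd1, bodyonly:FALSE);
if ( reply == NULL ) exit(0, 'The host is not affected on port ' + port + '.');
if ( ereg(pattern:"^HTTP/.* 200 ", string:reply) )
{
  # Keep the full response for the report, then isolate the body, where
  # an echoed request line should appear first.
  r = strstr(reply, '\r\n\r\n');
  if (! r ) r = strstr(reply, '\n\n');
  full_reply = reply;
  reply = r;
  if (egrep(pattern:"^TRACE "+file+" HTTP/1\.", string:reply))
  {
    # The request line alone is not enough: without our User-Agent in the
    # body the server is not reflecting headers, so treat as not affected.
    if ( ua && tolower(ua) >!< tolower(reply) ) exit(0, 'The host is not affected on port ' + port + '.');
    report += string(
      '\n',
      "Nessus sent the following TRACE request : \n",
      "\n",
      crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n",
      str_replace(find:'\r\n', replace:'\n', string:cmd1),
      crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n",
      "\n",
      "and received the following response from the remote server :\n",
      "\n",
      crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n",
      str_replace(find:'\r\n', replace:'\n', string:full_reply),
      crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n"
    );
    security_warning(port:port, extra:report);
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    # TRACE alone is enough to report; TRACK is not probed in this case.
    exit(0);
  }
  else
  {
    note += '\n\nAlthough TRACE is enabled on the remote web server, the server\n' +
            'replies with an empty response, which prevents XST (cross-site\n' +
            'tracing).';
  }
}

# --- TRACK ---------------------------------------------------------------
reply = http_keepalive_send_recv(port:port, data:cmd2, bodyonly:FALSE);
# Guard the NULL case explicitly, as done for TRACE above, instead of
# relying on ereg() tolerating an unset string; 'note' is still reported.
if ( reply != NULL && ereg(pattern:"^HTTP/.* 200 ", string:reply) )
{
  r = strstr(reply, '\r\n\r\n');
  if (! r ) r = strstr(reply, '\n\n');
  full_reply = reply;
  reply = r;
  if (egrep(pattern:"^TRACK "+file+" HTTP/1\.", string:reply))
  {
    if ( ua && tolower(ua) >!< tolower(reply) ) exit(0, 'The host is not affected on port ' + port + '.');

    report += string(
      '\n',
      "Nessus sent the following TRACK request : \n",
      "\n",
      crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n",
      str_replace(find:'\r\n', replace:'\n', string:cmd2),
      crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n",
      "\n",
      "and received the following response from the remote server :\n",
      "\n",
      crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n",
      str_replace(find:'\r\n', replace:'\n', string:full_reply),
      crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n"
    );
    security_warning(port:port, extra:report);
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
  }
  else
  {
    note += '\n\nAlthough TRACK is enabled on the remote web server, the server\n' +
            'replies with an empty response, which prevents XST (cross-site\n' +
            'tracing).';
  }
}
exit(0, 'The host is not affected on port ' + port + '.' + note);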