Company

Technical Security Consulting

Managing Risk

Research & Development

Forensics

Security Management

Media Centre

PCI DSS

• Home
• Overview
• R&D Services
• Technology Focus
• Messaging Systems Security
• Embedded Systems Security
• Collaborative Research Projects
• Technical Whitepapers
• Research Briefings
• Publicly Released Tools
• Vendor Alerts - 0days
• Security Advisories
• Advisories
• Advisory 028
• Advisory 027
• Advisory 026
• Advisory 025
• Advisory 024
• Advisory 023
• Advisory 022
• Advisory 021
• Advisory 020
• Advisory 019
• Advisory 018
• Advisory 017
• Advisory 016
• Advisory 015
• Advisory 014
• Advisory 013
• Advisory 012
• Advisory 011
• Advisory 010
• Advisory 009
• Advisory 008
• Advisory 007
• Advisory 006
• Advisory 005
• Advisory 004
• Advisory 003
• Advisory 002
• Advisory 001

Advisory 005

JWALK application server version 3.2C9 Directory Traversal Vulnerability
Vulnerablity Type / Importance: Information Leakage / High

Problem discovered: November 28th 2002
Vendor contacted: November 28th 2002
Advisory published: March 20th 2003

Abstract:
"JWalk is a complete development and deployment solution that includes point-and-click developer's tools, specialized server software and self-updating thin client viewer software." - quote from Seagull software product documentation.

The Java-based product is supplied with a proprietary web server, and by using a browser it is possible to alter the URL to permit the contents of any file on the system to be viewed even those situated outside the web root. Using this method it is possible to view important configuration files including the "sam._" file which contains the Windows password database.

Description:
Recently during a penetration test IRM identified a serious security vulnerability with the Jwalk application web server version 3.2C9. It appears that by issuing a URL containing unicode characters representing "../" directory traversal is possible. 

IRM used the following URL to obtain the Windows password file on the machine in question:

HTTP://<IP_address>/.%252e/.%252e/.%252e/winnt/repair/sam._

The server process appears to be running with sufficient privileges to read any file on the server (assuming the name and location of this file is known).

Tested Versions:
JWALK application server version 3.2C9 

Tested Operating Systems:
Microsoft Windows NT 4.0

Vendor & Patch Information:
The vendor of this product, Seagull software, was contacted via email using the address "info-uk@seagull.nl" on 28th November 2002. When no reply was received to this email, another email was sent on 7th January 2003 to the same address, and copied 
to "customercare@seagull.nl" and "maintenance@seagull.nl". The vendor telephoned IRM to confirm that it was indeed a security vulnerability and started work on a patch to resolve the issue. Subsequently, the vender explained that the fix would be available in the next service release of JWalk, 3.3c4, scheduled for delivery on Feb 10, 2003.

Workarounds:
A workaround involves using different vendor's web server to serve the Jwalk application

Credits:
Research & Advisory: A Davis

Disclaimer:
All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.