PR08-09: Unauthenticated File Retrieval on Sun Java System Identity
Manager "ext" parameter

Date Found: 25th April 2008

Vendor Contacted: 28th April 2008

Date Public: 10th November 2008

Severity: High

Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com).

ProCheckUp thanks Sun for working with us.

Description:

Sun Java System Identity Manager is vulnerable to *unauthenticated* file
retrieval a.k.a. directory traversal within the "ext" parameter
processed by the "/idm/includes/helpServer.jsp" server-side script.


Consequences:

Any files can be retrieved from the target server provided that the
attacker knows its location on the filesystem. No authentication is
required to exploit this vulnerability.


Proof of concept (PoC):

_Due to the severity of this issue, ProCheckUp will keep the PoC private
until all Sun Identity Manager customers are given enough time to update._

Successfully tested on:

Server environment:

Windows Server 2003, Standard
Apache Tomcat/5.0.28
Sun Java System Identity Manager 6.0 (20061212 SP 2)

Note: the version of Sun Java SIM can be obtained from the HTML source
code of the user login page: "/idm/user/login.jsp"

i.e.:

[snip]

<a onmouseover="return overlib('Open <b>Help</b><br>Version &nbsp;Sun
Java System Identity Manager 6.0 (20061212 SP 2)',
	FGCOLOR, '#F5F5DC',
	BGCOLOR, '#000000',
	DELAY, '750')"
[snip]


References:

http://www.sun.com/software/products/identity_mgr/index.xml
http://www.procheckup.com/Vulnerabilities


Fix:

Apply the patches released by Sun. This vulnerability has been filed as
Sun Bugzilla bug 18653.

For more information please see
http://sunsolve.sun.com/search/document.do?assetkey=1-26-243386-1

Legal:

Copyright 2008 ProCheckUp Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if the Bulletin is not changed or edited in any way, is attributed
to ProCheckUp indicating this web page URL, and provided such
reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. ProCheckUp is not
liable for any misuse of this information by any third party. ProCheckUp
is not responsible for the content of external Internet sites.