WebLogic Client Certificate Buffer Overflow

May 7, 2009

Oracle WebLogic Server is a multi-tier Java application server platform. In two- and three-tier application architectures, a web server receives HTML forms and other HTTP requests and passes them on to application servers, which perform the actual processing. The connector is the component the web server uses to communicate with the application server. Oracle WebLogic Server ships with a connector for the Apache HTTP Server, the mod_wl plug-in.

The Apache web server can accept HTTP requests over SSL. During the SSL handshake the server always sends its certificate to the client, while the client may optionally send its own certificate as a means of authentication. Once the certificates have been verified, the handshake completes and an encrypted channel is established.

A stack-based buffer overflow vulnerability exists in the WebLogic Server connector for the Apache HTTP Server. The vulnerability is due to improper validation of client certificates. When a client certificate is received, Apache exports it to the plug-in as a PEM-encoded certificate. The connector then copies the contents of the PEM-encoded certificate into a fixed-size stack buffer, stripping all CR/LF characters as it goes. The vulnerable code does not check the length of the certificate before copying it, so a certificate whose stripped contents exceed the buffer size overruns the buffer.
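The copy-and-strip pattern described above, reduced to its essentials, is shown below beside a bounded version that fails closed when the stripped certificate would not fit. This is an added illustration written for this page, not code from the WebLogic connector or from Oracle's fix; the buffer size `CERT_BUF_SIZE`, the function names and the PEM input are assumptions and constructed test data, and the fake certificate bodies are runs of `A` characters rather than real base64.

```c
/* Added example: unbounded PEM copy-and-strip versus a bounded one.
 * Nothing here is taken from the WebLogic connector; sizes and names
 * are assumptions chosen for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CERT_BUF_SIZE 4096   /* assumed fixed-size stack buffer for the stripped PEM */

/* Vulnerable pattern: copy the PEM into `out`, dropping CR/LF, with no
 * check against the destination size. A certificate whose stripped length
 * exceeds the buffer writes past its end (stack-based buffer overflow).
 * Only ever call this on input known to fit. */
static size_t strip_crlf_unbounded(const char *pem, char *out)
{
    size_t n = 0;
    for (const char *p = pem; *p; p++) {
        if (*p == '\r' || *p == '\n')
            continue;
        out[n++] = *p;              /* no bound on n */
    }
    out[n] = '\0';
    return n;
}

/* Hardened pattern: same copy, but refuse the certificate (clear the buffer,
 * return false) as soon as it would not fit together with the terminating NUL.
 * Rejecting rather than truncating avoids handing a silently mangled
 * certificate to later code. */
static bool strip_crlf_bounded(const char *pem, char *out, size_t out_size, size_t *out_len)
{
    size_t n = 0;
    if (out_size == 0)
        return false;
    for (const char *p = pem; *p; p++) {
        if (*p == '\r' || *p == '\n')
            continue;
        if (n + 1 >= out_size) {    /* keep one byte for the NUL */
            out[0] = '\0';
            if (out_len) *out_len = 0;
            return false;
        }
        out[n++] = *p;
    }
    out[n] = '\0';
    if (out_len) *out_len = n;
    return true;
}

/* Constructed test input: a PEM-shaped blob with `body_lines` lines of 64 'A's,
 * each terminated by CRLF. Returns the raw length, or 0 if `buf` is too small. */
static size_t make_fake_pem(char *buf, size_t buf_size, int body_lines)
{
    const char *hdr = "-----BEGIN CERTIFICATE-----\r\n";
    const char *ftr = "-----END CERTIFICATE-----\r\n";
    size_t need = strlen(hdr) + (size_t)body_lines * 66 + strlen(ftr) + 1;
    size_t n = 0;
    if (need > buf_size)
        return 0;
    memcpy(buf + n, hdr, strlen(hdr)); n += strlen(hdr);
    for (int i = 0; i < body_lines; i++) {
        memset(buf + n, 'A', 64); n += 64;
        buf[n++] = '\r'; buf[n++] = '\n';
    }
    memcpy(buf + n, ftr, strlen(ftr)); n += strlen(ftr);
    buf[n] = '\0';
    return n;
}

/* Bytes the unbounded copy would write for a fake PEM of `body_lines` lines:
 * this is the number to compare against CERT_BUF_SIZE. */
static size_t stripped_length_for(int body_lines)
{
    static char pem[8192];
    size_t n = 0;
    if (make_fake_pem(pem, sizeof pem, body_lines) == 0)
        return 0;
    for (const char *p = pem; *p; p++)
        if (*p != '\r' && *p != '\n') n++;
    return n;
}

/* 1 if the hardened copy accepts a fake PEM of `body_lines` lines, 0 if it rejects. */
static int hardened_accepts(int body_lines)
{
    static char pem[8192];
    char cert[CERT_BUF_SIZE];
    size_t len;
    if (make_fake_pem(pem, sizeof pem, body_lines) == 0)
        return 0;
    return strip_crlf_bounded(pem, cert, sizeof cert, &len) ? 1 : 0;
}

/* Helper for checking the stripping itself on a small literal. */
static bool stripped_equals(const char *pem, const char *expected)
{
    char cert[CERT_BUF_SIZE];
    size_t len;
    return strip_crlf_bounded(pem, cert, sizeof cert, &len) && strcmp(cert, expected) == 0;
}

int main(void)
{
    char small[CERT_BUF_SIZE];
    const char *ok = "-----BEGIN CERTIFICATE-----\r\nAAAA\r\n-----END CERTIFICATE-----\r\n";
    strip_crlf_unbounded(ok, small);   /* fits, so the unbounded copy is safe here */
    printf("small cert stripped: %s\n", small);
    printf("16-line cert: %zu bytes stripped, hardened accepts=%d\n",
           stripped_length_for(16), hardened_accepts(16));
    printf("100-line cert: %zu bytes stripped (> %d), hardened accepts=%d\n",
           stripped_length_for(100), CERT_BUF_SIZE, hardened_accepts(100));
    return 0;
}
```

The 16-line certificate strips to 1076 bytes and fits; the 100-line one strips to 6452 bytes, which the unbounded copy would write straight through a 4096-byte stack buffer, while the bounded copy rejects it. A real fix must bound the copy against the destination size, not against the PEM length before stripping, since CR/LF removal changes the length.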

A remote, unauthenticated attacker could exploit this vulnerability by presenting a specially crafted, overly long client certificate during the SSL handshake, triggering the stack-based buffer overflow. Successful exploitation would result in arbitrary code execution with the privileges of the affected service. An attempt that corrupts memory without achieving code execution will terminate the affected process, resulting in a denial of service.

SonicWALL has released an IPS signature that detects and blocks attacks targeting this vulnerability. The signature addressing this vulnerability is:

  • 1442 WEB-ATTACKS SSL/TLS Overly Long Client Certificate Attempt