Sun Java System Identity Manager users enumeration
Thursday, April 2, 2009
Security Advisory
Last Alert Update: 2 Apr 2009
Description: Proof of concept publishing
System tested: Sun Java System Identity Manager 7.1
Systems vulnerable:
Sun Java System Identity Manager 7.0
Sun Java System Identity Manager 7.1
Sun Java System Identity Manager 7.1.1
Sun Java System Identity Manager 8.0
Vendor informed: 1 Jul 2008
Vendor solution: 23 Mar 2009
Description/impact
Information disclosure.
An unprivileged (local or remote) user may be able to determine whether a given UserId exists
by examining the error messages returned by Sun Java System Identity Manager.
Supplying a non-existent user, the error message from IdM is:
"Invalid Account ID"

Supplying an existing user with a wrong password, the error message from IdM is:
"Invalid Password"

The recovery facilities can be used the same way to determine whether a user exists: for a non-existent user, the following error message is returned:
"The specified user was not found"
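As an added illustration, not part of this advisory or of Sun's code, the following Python contrasts a login handler that leaks which check failed, as the messages above do, with one that returns a single message and does the same amount of work whether or not the account exists; the account names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # kept low so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store (sample data): account id -> (salt, password hash).
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash("correct horse", _ALICE_SALT))}

# Dummy credential used for unknown accounts so that a lookup miss still
# costs one hash computation and the response time does not reveal it.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash(os.urandom(16).hex(), _DUMMY_SALT))


def login_vulnerable(user_id: str, password: str) -> str:
    """Mirrors the behaviour described in the advisory: the message says which check failed."""
    rec = USERS.get(user_id)
    if rec is None:
        return "Invalid Account ID"          # reveals that the account does not exist
    salt, digest = rec
    if not hmac.compare_digest(_hash(password, salt), digest):
        return "Invalid Password"            # reveals that the account does exist
    return "OK"


def login_hardened(user_id: str, password: str) -> str:
    """Same message for unknown account and wrong password; always performs one hash."""
    salt, digest = USERS.get(user_id, _DUMMY)
    matched = hmac.compare_digest(_hash(password, salt), digest)
    if matched and user_id in USERS:         # the dummy record can never log in
        return "OK"
    return "Invalid credentials"


def recovery_hardened(user_id: str) -> str:
    """Password recovery: identical response whether or not the account exists.

    Whether a reset mail is actually sent is decided out of band; the HTTP
    response never says which case occurred.
    """
    return "If the account exists, recovery instructions have been sent"
```

The assertions a defender would keep in a regression suite are that the hardened handlers return byte-identical responses for the existing and the non-existent account.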

Exploit
A proof of concept for enumerating users of Sun Java System Access Manager and Identity Manager was developed for the OWASP Testing Guide v3.
PoC download here
Impact
A security vulnerability in Sun Java System Identity Manager allows an unprivileged user to determine whether a given UserID exists.
Vendor Solution
23 Mar 2009
The vendor has issued a patch.
SUNSolve Alert: http://sunsolve.sun.com/search/document.do?assetkey=1-66-253267-1
Legal Notice:
This Advisory is Copyright (c) 2008-2009 Marco Mella.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts of it without the author's written permission.
You may not distribute it without a reference to this site and the author / contact name.
Contact marco.mella _at_ aboutsecurity _dot_ net