[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-security] [PEN-TEST] Cobalt Raq II - Unprotected Admin Pages (fwd)

Was anybody else aware of this?


---------- Forwarded message ----------
Date: Sun, 25 Mar 2001 17:16:01 -0600
From: H D Moore <hdm@xxxxxxxxxxxxxxxx>
Reply-To: Penetration Testers <PEN-TEST@xxxxxxxxxxxxxxxxx>
To: PEN-TEST@xxxxxxxxxxxxxxxxx
Subject: [PEN-TEST] Cobalt Raq II - Unprotected Admin Pages

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On the topic of RAQ's, I thought I would throw this one out.

On older RAQ installs (maybe new ones too, havent checked), you can access a
couple items in the administration interface without logging in:

Current system load: /cgi-bin/.cobalt/cpuUsage/loadavg.cgi
Legato Backup Server: /cgi-bin/.cobalt/networker/networker.cgi
Telnet Usage: /cgi-bin/.cobalt/telnetUsage/telnetUsage.cgi


The fun one here is the Legato Backup Server, you can go download the
evaluation version of Legato for Linux, change the server to your IP address,
and have the system backup its data to your machine ;)

- -HD

http://www.diigtaloffense.net/

On Sunday 25 March 2001 04:46 pm, Gossi The Dog wrote:
> >
> > If not, perhaps folks could post any that they have come across to this
> > list so a collection can be compiled.
>
> Well, a nice one to look out for on Cobalt RaQ's (which run a modified
> version of Redhat 6) is port 81 - the web administrator port, which runs
> Apache.  Oh, and apache is running as root so the CGI scripts run
> properly.  This is, of course, extremely dumb, and has been covered
> indepth on bugtraq.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBOr58MjwRvqMPEDLhEQJjLgCeK6zCZck52SJyYUAZJTsvirUvkIIAnRjz
6T2wg4ddAHvlaMh36vG9lmbi
=NCiM
-----END PGP SIGNATURE-----