Re: [cobalt-security] Bug-Travel
- Subject: Re: [cobalt-security] Bug-Travel
- From: Bruce Timberlake <bruce@xxxxxxxxxx>
- Date: Mon, 20 Jan 2003 23:38:41 -0800
- Organization: BRTNet.org
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> 2. It appears to use components of the "RaQFuCk.sh" script by core
> http://www.securiteam.com/exploits/5MP0R0A80K.html, which attempts
> a symlink attack using cron through the exploitation of an suid
> /usr/lib/authenticate on the Cobalt Raq.
According to the docs in that script, a quick fix is to chmod
755 /usr/lib/authenticate. When I checked my up-to-date RaQ 4, it
shows that permission level is already set.
Also, it seems to state that it only works on Apache 1.3.20C3 and
before. The newest Apache is 1.3.20C4stackguard.
> Near as I can tell, they were able to remotely exploit OpenSSL
> and establish a remote shell, at which point RaQFuCk.sh was
> executed, providing full open access to the system. I haven't been
> able to gain access through any exploit code that I can find. The
> attack could have come either through Apache or OpenSSH, but I have
> no direct proof, so this is all conjecture.
I dug up the openssl-scanner and openssl-too-open code
(http://www.netalarms.com/special/archive-03) and compiled them.
> I have put RPMS for OpenSSL 0.9.7 on our FTP server at:
> ftp://ftp.nacs.net/pub/software/cobalt_raq4
> openssl-0.9.7-1.i386.rpm
> openssl-0.9.7-1.src.rpm
> openssl-devel-0.9.7-1.i386.rpm
> openssl-doc-0.9.7-1.i386.rpm
I installed these. I then had to make a new symlink for
libcrypto.so.2 to the new 0.9.7 version for the openssl-scanner to
work:
cd /usr/lib
ln -s libcrypto.so.0.9.7 libcrypto.so.2
Also, when I restart Apache after installing the OpenSSL RPMS, it
still shows "...OpenSSL/0.9.6b..." in the signature string. I don't
know if this is dynamic or compiled in someplace...
Anyway, when I ran both scanners, it said that the server didn't
appear to be vulnerable. Unfortunately, I didn't find the scanners
until after putting in OpenSSL 0.9.7, so I don't know if servers
without that are susceptible or not... :(
--
Bruce Timberlake
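The two checks the post works through, scripted as an added example that is not part of the original thread: whether /usr/lib/authenticate still carries the setuid bit the RaQFuCk.sh docs warn about, and whether an Apache signature string still advertises an OpenSSL older than the 0.9.7 RPMs that were installed. The path is the one named in the post; the signature strings are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers for the two checks the
# post describes. Assumes POSIX sh with find(1), sed(1) and awk(1); the
# default path is the one named in the thread, the signature is constructed.

# is_setuid FILE -> exit 0 if FILE carries the setuid bit (e.g. mode 4755).
# The thread's quick fix, chmod 755 /usr/lib/authenticate, clears that bit.
is_setuid() {
    [ -e "$1" ] || return 1
    # -prune stops find descending; -perm -4000 matches only setuid files.
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# openssl_version_from_signature SIGNATURE -> prints the OpenSSL/x.y.z
# version from an Apache Server signature, or nothing if it is absent.
openssl_version_from_signature() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL\/\([0-9][0-9a-z.]*\).*/\1/p'
}

# version_lt A B -> exit 0 if OpenSSL-style version A sorts before B.
# Numeric components first, then the letter suffix of the third one,
# so 0.9.6 < 0.9.6b < 0.9.7.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            na = x[i] + 0; nb = y[i] + 0      # "6b" + 0 == 6 in awk
            if (na != nb) exit (na < nb ? 0 : 1)
        }
        sa = x[3]; sub(/^[0-9]*/, "", sa)
        sb = y[3]; sub(/^[0-9]*/, "", sb)
        exit (sa < sb ? 0 : 1)
    }'
}

# audit_raq SIGNATURE [AUTH_PATH] -> one FIX line per finding; exit 1 if any.
audit_raq() {
    sig="$1"; auth="${2:-/usr/lib/authenticate}"; rc=0
    if is_setuid "$auth"; then
        echo "FIX: $auth is setuid; chmod 755 it as the thread suggests"; rc=1
    fi
    v=$(openssl_version_from_signature "$sig")
    if [ -n "$v" ] && version_lt "$v" 0.9.7; then
        echo "FIX: server still advertises OpenSSL/$v, older than the 0.9.7 installed"; rc=1
    fi
    return $rc
}

audit_raq 'Apache/1.3.20 (Unix) OpenSSL/0.9.6b' || echo "(findings above need action)"
```

The signature check only reads what Apache advertises; as the post notes, that string may be compiled in, so pair it with the scanner result rather than trusting it alone.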