Re: [cobalt-security] Raq 550 Remote Exploits?
- Subject: Re: [cobalt-security] Raq 550 Remote Exploits?
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Tue, 27 Jan 2004 00:54:51 +0100
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Skeeve,

> Anyone know of any SSH or remote exploit holes for the Raq550 and how I
> can go about protecting myself?

By now I've seen a couple of fully patched RaQ550s which got rooted due to a
combination of two unrelated security issues. None had to do with SSH,
though.

One problem is a (common) misconfiguration which can - in combination with
sloppy PHP programming in virtual sites - often be exploited to get local
(unprivileged) access with the rights of the webserver.

PHP's safe_mode is "Off" by default on the RaQ550. That can - and should - be
changed in php.ini if you're security minded. This problem has been known for
a long time and is usually a bit underrated.

The other one is a local exploit against the C10 Kernel which grants a local
user root access. That's serious.

Those two separate and built-in vulnerabilities can be exploited to gain root
access - provided the attacker finds a PHP script on the box which he can
trick into aiding him in his cause.

Sun was notified about these issues and provided with sample code for the
Kernel exploit. So expect a new RaQ550 kernel soon.
--
With best regards,
Michael Stauber
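
Added example, not part of the original message and not Cobalt or Sun code: a small audit of the php.ini setting the message recommends changing, which resolves the effective `safe_mode` value instead of matching the string, since `safe_mode_gid`, `safe_mode_include_dir` and `sql.safe_mode` are different directives. The function names and the sample php.ini text are constructed for illustration; `safe_mode` exists only in PHP releases before 5.4.

```python
import re

# Values PHP's ini parser reads as boolean true (case-insensitive); the rest are false.
_TRUE = {"1", "on", "true", "yes"}

# Match only the safe_mode directive itself, not safe_mode_gid or sql.safe_mode.
_ASSIGN = re.compile(r"^\s*safe_mode\s*=\s*(.*)$", re.IGNORECASE)


def effective_safe_mode(ini_text):
    """Return (enabled, line_no) for safe_mode in php.ini text.

    line_no is None when the directive is absent, in which case PHP's
    built-in default (Off) applies.
    """
    enabled, line_no = False, None
    for n, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.split(";", 1)[0]          # drop ';' comments
        m = _ASSIGN.match(line)
        if not m:
            continue
        value = m.group(1).strip().strip("\"'").lower()
        enabled, line_no = value in _TRUE, n  # a later assignment replaces an earlier one
    return enabled, line_no


def audit(ini_text):
    """Turn the parsed setting into a one-line finding for a report."""
    enabled, line_no = effective_safe_mode(ini_text)
    if enabled:
        return "OK: safe_mode is On (line %d)" % line_no
    where = "line %d" % line_no if line_no else "not set, PHP default"
    return "FINDING: safe_mode is Off (%s)" % where


# Constructed sample resembling a default php.ini fragment (not taken from a RaQ550).
SAMPLE_DEFAULT = """\
[PHP]
; Safe Mode
safe_mode = Off
safe_mode_gid = On
sql.safe_mode = On
"""
# The same file after the change the message recommends.
SAMPLE_HARDENED = SAMPLE_DEFAULT.replace("safe_mode = Off", "safe_mode = On")

if __name__ == "__main__":
    print(audit(SAMPLE_DEFAULT))
    print(audit(SAMPLE_HARDENED))
```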