[UNIX] Xitami Admin Password Vulnerability
From: support@securiteam.com
Date: 11/29/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Xitami Admin Password Vulnerability
Message-Id: <20011129060258.C5079138BF@mail.der-keiler.de>
Date: Thu, 29 Nov 2001 07:02:58 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Xitami Admin Password Vulnerability
------------------------------------------------------------------------
SUMMARY
Xitami keeps the webserver administrator password in clear-text within a
world-readable file. Any local user can read the webserver admin password
and use it to take control of the root-owned Xitami process.
The server can then be reconfigured (locally, or remotely if remote
administration was enabled) to read sensitive system files and execute
commands as root.
DETAILS
Vulnerable systems:
Xitami Webserver 2.4d9
Xitami Webserver 2.5b5 beta
Solution:
It seems the vendor has been aware of this problem for a while - the time
stamp on my source file was June 2001.
http://www.imatix.com/html/xitami/index13.htm#m_7
Technical description:
During installation, the administrator is asked to enter a username and
password used to access the web administration function. By default,
administration of the webserver is only allowed from localhost.
This information is stored in a file called defaults.aut, which is created
world-readable:
[lwcash@mathom xitami]$ ls -l defaults.aut
-rw-r--r-- 1 root root 107 Nov 23 10:56 defaults.aut
If the server is configured with the defaults (just hitting enter when asked
whether to enable remote web administration), then any local user can read
the admin password from the above file, log in to the administration
interface on localhost and reconfigure the webserver, among other things
changing the cgi-bin directory to /tmp/cgi-bin. By default, the server runs
as root and does not drop privileges, so CGI programs it executes also run
as root.
So, after pointing the cgi-bin directory at /tmp/cgi-bin, doing the following
(the directory must exist and be readable by the server):
[lwcash@mathom ~]$ mkdir -p /tmp/cgi-bin
[lwcash@mathom ~]$ echo "#!/bin/sh" > /tmp/cgi-bin/test.cgi
[lwcash@mathom ~]$ echo "chmod 666 /etc/passwd" >> /tmp/cgi-bin/test.cgi
[lwcash@mathom ~]$ chmod 555 /tmp/cgi-bin/test.cgi
The following URL will execute our cgi as root:
http://localhost/tmp/cgi-bin/test.cgi
If the server has been configured to allow remote administration, then the
above URL can be accessed remotely.
Recommendations:
Configuration files that store sensitive information should have restrictive
file permissions (readable by their owner only, e.g. mode 0600). Passwords
should never be stored in clear-text; at a minimum they should be stored as
a one-way hash. Since the default installation runs the server as root
without dropping privileges, a compromised admin password becomes a root
compromise; running the server as an unprivileged user, or disabling web
administration entirely, limits the damage.
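The following script is an added example (not part of the advisory and not
iMatix's code) that checks an installed defaults.aut for the two conditions
described above, a world-readable file that holds clear-text credentials,
and then applies the permission fix from the recommendations. It assumes the
file is INI-style with one "user=password" line per credential under a
section header; the real Xitami format may differ, and the sample file it
creates is constructed for the demonstration, as is the credential in it.

```shell
#!/bin/sh
# Added example, not from the advisory or from iMatix. Audits a Xitami
# defaults.aut for the exposure described above and applies the permission fix.
# Assumption: INI-style file, one "user=password" per line (format not verified).

# Constructed sample so the script runs offline; the credential is made up.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
AUT="$WORK/defaults.aut"
printf '[Admin]\n    admin=s3cret\n' > "$AUT"
chmod 644 "$AUT"          # the mode the advisory reports: -rw-r--r--

# world_readable FILE -> exit 0 when "other" has read permission on FILE.
# Uses the symbolic mode string from ls, which is portable across sh flavours.
world_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# stored_credentials FILE -> print each user=password line with indentation
# stripped; section headers ([...]) and comments (#, ;) are skipped.
stored_credentials() {
    sed -n 's/^[[:space:]]*\([^#;[][^=]*=.*\)$/\1/p' "$1"
}

# audit FILE -> print "EXPOSED" when any local user can read a clear-text
# credential from FILE, otherwise "OK". Findings go to stderr.
audit() {
    creds=$(stored_credentials "$1")
    if [ -n "$creds" ] && world_readable "$1"; then
        echo "$1 is world-readable and holds clear-text credentials:" >&2
        echo "$creds" >&2
        echo EXPOSED
    else
        echo OK
    fi
}

# harden FILE -> restrict FILE to its owner. This stops the local read the
# advisory abuses; replacing the password with a hash needs vendor support.
harden() {
    chmod 600 "$1"
}

audit "$AUT"      # EXPOSED: readable by everyone, password in the clear
harden "$AUT"
audit "$AUT"      # OK: the password is still in the clear, but only root reads it
```

Note that harden() only removes the local-read path; the password remains in
clear-text on disk, and whether the server still runs as root (the part that
turns this into a root compromise) is a separate check against the process
owner.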
ADDITIONAL INFORMATION
The information has been provided by <mailto:lwc@vapid.dhs.org> Larry W.
Cashdollar.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.