[UNIX] Cherokee Webserver Directory Traversal and Elevated Privileges Vulnerabilities
From: support@securiteam.com Date: 01/01/02
From: support@securiteam.com To: list@securiteam.com Date: Tue, 1 Jan 2002 13:44:23 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cherokee Webserver Directory Traversal and Elevated Privileges
Vulnerabilities
------------------------------------------------------------------------
SUMMARY
Cherokee <http://aurora.esi.uem.es/~alo/?action=cherokee> is an
extra-light web server. Two security vulnerabilities have been found in the
product: a directory traversal bug and a security problem where the
product does not correctly drop its elevated privileges.
DETAILS
The first problem is a simple directory traversal bug. No exploit code is
needed to demonstrate this; netcat and Internet Explorer seem to be
sufficient. By adding several instances of /../ to the end of a request,
one is able to traverse the entire filesystem.
Note that this server brags about running in a "chroot" environment, but
this test shows that something is definitely wrong.
The second problem is that it does not drop privileges. The product needs
to start as root (in order to bind to TCP port 80) but "forgets" to drop
privileges. Without even doing a source code audit, Gobbles immediately
realized the potential for an instantaneous remote root compromise here when
this is combined with the first problem described above. An attacker who is familiar
with various password storage mechanisms on UNIX-based platforms will know
enough to go after files like /etc/passwd|shadow|master.passwd, and then
from there it is just a matter of using John the Ripper to become root.
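The two fixes these problems call for, as an added example that is not Cherokee's code and not part of the original bulletin: reject request paths that climb above the document root, and give up root once port 80 is bound. The function names, and the assumption that the path has already been percent-decoded, are illustrative.

```c
/* Added example: hypothetical helpers, not taken from the Cherokee source. */
#define _DEFAULT_SOURCE          /* glibc: expose chroot() and setgroups() */
#include <grp.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if the (already percent-decoded) request path stays at or below
 * the document root, 0 if any prefix of it climbs above it via "..". */
int path_stays_in_root(const char *path)
{
    int depth = 0;
    const char *p = path;

    while (*p) {
        while (*p == '/') p++;               /* skip separators */
        size_t len = strcspn(p, "/");        /* length of this segment */
        if (len == 0) break;                 /* trailing slash or end */
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0) return 0;       /* climbed above the root */
        } else if (!(len == 1 && p[0] == '.')) {
            depth++;                         /* ordinary segment descends */
        }
        p += len;
    }
    return 1;
}

/* Call once, after bind() on port 80 and before serving any request.
 * Returns 0 on success, -1 if any step fails (the caller must then exit). */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;  /* clear supplementary groups */
    if (setgid(gid) != 0) return -1;         /* group first, while still root */
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;           /* root must not be regainable */
    return 0;
}
```

Either check alone is incomplete: the path check limits what a request can name, and the privilege drop limits what the process can read if the path check is ever bypassed.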
ADDITIONAL INFORMATION
The information has been provided by GOBBLES Security
<mailto:GOBBLES@hushmail.com>.