Directory Traversal in Sun iPlanet Administration Server 5.1

From: Brewis, Mark (mark.brewis_at_eds.com)
Date: 08/08/03

    To: bugtraq@securityfocus.com
    Date: Fri, 8 Aug 2003 13:33:24 +0100

    Text of original posting to Sun:

    >>Originator: EDS Information Assurance Group - Jim Hardisty, Mark Brewis

    >>Date of Contact: 22nd April 2003

    >>Issue: During a recent Penetration Test, a member of the team, Jim
    >>Hardisty, identified an issue with an installation of iPlanet
    >>Administration Express. It is possible to escape the log viewer under
    >>iPlanet Administration Express, and since the application runs with
    >>root privilege, it is possible to access any file on the host server,
    >>including security critical files.

    >>Version: iPlanet Administration Server 5.1

    >>The following URL will return the last 5000 accesses to passwd:

    >>http://192.168.192.168:5000/admin-serv/tasks/configuration/ViewLog?file=passwd&num=5000&str=&directories=admin-serv%2Flogs%2f..%2f..%2f..%2f..%2f..%2f..%2fetc&id=admin-serv

    >>Once an escape has been made, the drop-down menu details all files under
    >>the called directory, e.g., /etc will list shadow, hosts, hosts.allow,
    >>hosts.deny etc.

    >>We have identified users:

    >> 1) Failing to recognise the nature of the application, seeing it
    >>    only as a web configuration app, and not appreciating that it runs
    >>    setuid 0. As a result, they have been cavalier with password
    >>    security, applying poor password controls, and have not applied
    >>    ACLs to prevent unlimited internal access to the application.

    >> 2) Failing to apply a password to the application. During
    >>    install, there must be a forced set password, and the end-user
    >>    must understand that this is a root level password they are
    >>    setting.

    >> 3) Exposing the application to the Internet.

    >>Whether there are other escape sequences that will work is unknown.

    >>__________________

    >>We will abide by the RFP Disclosure Guidelines v2.0 -
    www.wiretrip.net/rfp/policy.html.

    >>Should credit be forthcoming, please acknowledge Jim Hardisty as
    >>the discoverer, me as second string.

    >>Mark Brewis
    >>Security Consultant
    >>Information Assurance Group
    >>EDS

    SOLUTION
    =========

    Sun have now informed me that the issue was addressed in:

    SunOne DS5.2 and in iDS5.1 SP2 Hotfix2

    Sun(tm) ONE Directory Server 5.2 Release Notes
    Version 5.2
    http://docs.sun.com/source/816-6703-10/index.html

    iPlanet Directory Server 5.1 Service Pack 2
    Release Notes
    Updated June 11, 2003
    http://docs.sun.com/db/doc/816-6403-10

    I am unable to find a reference for Hotfix 2, so if anyone can supply one
    I'd be grateful, or if anyone can find a reference to this issue in either
    of the above, I'd be even more grateful!

    Mark

    Mark Brewis

    Security Consultant
    EDS
    Information Assurance Group
    Wavendon Tower
    Milton Keynes
    Buckinghamshire
    MK17 8LX.

    Tel: +44 (0)1908 28 4234/4013
    Fax: +44 (0)1908 28 4393
    E@: mark.brewis@eds.com

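    As an added example (not code from the advisory, from EDS, or from Sun's product), the containment check that the ViewLog handler evidently lacked, beside a detection pass over constructed access-log lines shaped like the URL in the report. The install root, the LOG_DIR name and the log lines are assumptions.

```python
import os
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical install root; the report's 'directories' value is relative to it.
SERVER_ROOT = "/opt/iplanet/servers"
LOG_DIR = "admin-serv/logs"          # the only directory ViewLog should ever read

def resolve_log_path(server_root, directories, filename):
    """Return the canonical path of the requested file, or None if it does not
    stay inside server_root/LOG_DIR once '..' segments are resolved.
    Both parameters are percent-decoded again so a double-encoded
    '%252e%252e' cannot survive as a literal filename."""
    root = os.path.realpath(os.path.join(server_root, LOG_DIR))
    target = os.path.realpath(
        os.path.join(server_root, unquote(directories), unquote(filename)))
    # commonpath compares whole segments; a plain startswith() would also
    # accept a sibling such as .../admin-serv/logs2.
    if os.path.commonpath([root, target]) != root or target == root:
        return None
    return target

def traversal_in_request(target):
    """True if a ViewLog request target carries a '..' segment in its
    'directories' or 'file' parameter after percent-decoding."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for key in ("directories", "file"):
        for value in qs.get(key, []):
            if ".." in unquote(value).replace("\\", "/").split("/"):
                return True
    return False

def flag_traversal_lines(access_log):
    """Return the 1-based numbers of access-log lines whose request trips the check."""
    hits = []
    for n, line in enumerate(access_log.splitlines(), 1):
        parts = line.split('"')            # common log format: request sits in quotes
        if len(parts) < 2:
            continue
        req = parts[1].split()             # e.g. ['GET', '/...?...', 'HTTP/1.0']
        if len(req) >= 2 and "ViewLog" in req[1] and traversal_in_request(req[1]):
            hits.append(n)
    return hits

# Constructed log lines: one legitimate log view, one traversal attempt shaped
# like the report's URL (client addresses are from the documentation range).
SAMPLE_LOG = """\
192.0.2.10 - - [08/Aug/2003:13:33:24 +0100] "GET /admin-serv/tasks/configuration/ViewLog?file=access&num=50&str=&directories=admin-serv%2Flogs&id=admin-serv HTTP/1.0" 200 4120
192.0.2.77 - - [08/Aug/2003:13:35:02 +0100] "GET /admin-serv/tasks/configuration/ViewLog?file=passwd&num=5000&str=&directories=admin-serv%2Flogs%2f..%2f..%2f..%2f..%2f..%2f..%2fetc&id=admin-serv HTTP/1.0" 200 2311
"""
```

    `flag_traversal_lines(SAMPLE_LOG)` returns `[2]`, and `resolve_log_path` returns `None` for the report's `directories` value while accepting `admin-serv/logs` itself.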

