SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!

SecurityTracker
Archives


Category:  Application (Generic)  >  RNN Guestbook
Vendors:  Reed, Mike
RNN Guestbook Authentication Flaw in 'gbadmin.cgi' Yields Administrative Access to Remote Users
SecurityTracker Alert ID:  1008322
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Nov 27 2003
Impact:  Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.2
Description:  Several vulnerabilities were reported in RNN Guestbook. A remote user can gain administrative access on the application and execute arbitrary commands on the target system.

BrainRawt reported that a remote user can bypass authentication requirements and directly access administrative functions via the 'gbadmin.cgi' script. Some demonstration exploit URLs are provided:

gbadmin.cgi?action=change_adminpass (to change the administrative password)

gbadmin.cgi?action=delete_guests (to delete all guestbook posts)

gbadmin.cgi?action=setup (to modify guestbook setup information)

gbadmin.cgi?action=colors (to change the guestbook colors)

gbadmin.cgi?action=change_automail (to change emailing information)

It is also reported that a remote authenticated user (or a user that has exploited the administrative access authentication flaw) can invoke the 'gbadmin.cgi' script to read arbitrary files with the privileges of the web server process. This can be done by using the 'gbadmin.cgi?action=setup' URL and changing the 'guestbook entry file' to a file path. Then, the remote user can use 'guestbook.cgi' to view the contents of the specified file.

It is also reported that a remote authenticated user (or a user that has exploited the administrative access authentication flaw) can change the guestbook entry file path to insert commands to be executed by the guestbook application (e.g., "/path/file;<cmd> <args>|"). A demonstration exploit example is provided:

/etc/passwd;touch /tmp/hacked|
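The file-read and command-execution issues above both come from letting a submitted path reach Perl's open() unchecked. The following is an added example, not RNN Guestbook code, showing how guestbook.cgi could validate the "guestbook entry file" value and open it safely; the data directory, the entry file name and the sample content are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not RNN Guestbook code: validate the entry-file name from the
# "setup" form before guestbook.cgi opens it.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical data directory the guestbook is allowed to read from.
my $data_dir = tempdir(CLEANUP => 1);

# Accept only a plain file name (no slashes, no shell metacharacters), so
# values such as "/etc/passwd" or "/etc/passwd;touch /tmp/hacked|" are
# rejected before they ever reach open().
sub is_safe_entry_name {
    my ($name) = @_;
    return 0 unless defined $name;
    return 0 unless $name =~ /\A[A-Za-z0-9_.-]{1,64}\z/;
    return 0 if $name eq '.' || $name eq '..';
    return 1;
}

sub read_entries {
    my ($name) = @_;
    die "refusing unsafe entry file name\n" unless is_safe_entry_name($name);
    my $path = File::Spec->catfile($data_dir, $name);
    # Three-argument open with an explicit '<' mode: the name is never parsed
    # for a trailing '|' the way two-argument open(FH, $path) parses it, which
    # is what turns "/etc/passwd;touch /tmp/hacked|" into a shell command.
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

# Constructed sample entry file.
open(my $out, '>', File::Spec->catfile($data_dir, 'guests.txt')) or die $!;
print $out "alice|hello\n";
close $out;

for my $candidate ('guests.txt', '/etc/passwd',
                   '/etc/passwd;touch /tmp/hacked|', '../gbpass.pl') {
    printf "%-36s %s\n", $candidate,
        is_safe_entry_name($candidate) ? 'accepted' : 'rejected';
}
print read_entries('guests.txt');
```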

It is also reported that various fields are not properly filtered by guestbook.cgi to remove HTML code. A remote user can conduct cross-site scripting attacks.
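The fields guestbook.cgi copies from the submission are stored and echoed without escaping. As an added example that is not part of the original guestbook, this escapes every posted field unconditionally rather than relying on the optional "no HTML" setting; the field names are the ones the advisory's process_input shows, and the sample submission is constructed.

```perl
#!/usr/bin/perl
# Added example, not RNN Guestbook code: escape every posted field before it
# is stored or echoed, instead of relying on the optional "no HTML" setting.
use strict;
use warnings;

# Escape the five characters that let text break out of an HTML context.
sub escape_html {
    my ($text) = @_;
    return '' unless defined $text;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# The fields process_input copies from %in in the advisory; all of them end
# up in the rendered page, so all of them are escaped.
my @fields = qw(name email refer msn aol guest_site comment ip);

sub process_input {
    my ($in) = @_;
    my %clean;
    $clean{$_} = escape_html($in->{$_}) for @fields;
    return \%clean;
}

# Constructed sample submission with a script tag in the comment field.
my $in = {
    name    => 'visitor',
    comment => '<script>alert(1)</script> "quoted" & more',
};
my $clean = process_input($in);
print "$_: $clean->{$_}\n" for qw(name comment);
# comment becomes: &lt;script&gt;alert(1)&lt;/script&gt; &quot;quoted&quot; &amp; more
```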

It is also reported that the software stores the administrative password in plain text in the 'gbpass.pl' file. A local user can view the password.
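The authentication bypass exists because gbadmin.cgi dispatches on 'action' without first checking the password, and the plain-text gbpass.pl means the stored credential is readable by local users. As an added example, not the guestbook's own code, this checks a salted hash of the password before the action is even looked at; the stored salt, the password and the request parameters are constructed, and the action handlers are stand-ins.

```perl
#!/usr/bin/perl
# Added example, not RNN Guestbook code: check the credential before looking
# at "action", and store a salted hash instead of the plain text gbpass.pl value.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Stored record (constructed): salt and hash, never the password itself.
# A slow password hash (bcrypt, scrypt) is preferable where available.
my %stored = (
    salt => 'c0nstructed_s4lt',
    hash => sha256_hex('c0nstructed_s4lt' . 'correct horse'),
);

sub password_ok {
    my ($supplied) = @_;
    return 0 unless defined $supplied;
    my $candidate = sha256_hex($stored{salt} . $supplied);
    # Compare every byte so timing does not reveal where the strings differ.
    return 0 unless length $candidate == length $stored{hash};
    my $diff = 0;
    $diff |= ord(substr($candidate, $_, 1)) ^ ord(substr($stored{hash}, $_, 1))
        for 0 .. length($candidate) - 1;
    return $diff == 0;
}

# Allowed actions as a table: an unknown action is an error, not a fall-through.
my %actions = (
    change_adminpass => sub { 'would change the admin password' },
    delete_guests    => sub { 'would delete all guestbook posts' },
    setup            => sub { 'would show the setup form' },
);

sub handle_admin_request {
    my ($params) = @_;
    # Authentication comes first, before "action" is read.
    return 'denied: password required' unless password_ok($params->{password});
    my $handler = $actions{ $params->{action} // '' };
    return 'error: unknown action' unless $handler;
    return $handler->();
}

# Constructed requests: the bare action URL from the advisory, a wrong
# password, and a correctly authenticated request.
print handle_admin_request({ action => 'change_adminpass' }), "\n";
print handle_admin_request({ action => 'delete_guests', password => 'wrong' }), "\n";
print handle_admin_request({ action => 'setup', password => 'correct horse' }), "\n";
```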

The vendor was reportedly notified on October 11, 2003.

Impact:  A remote user can gain administrative access on the application. With administrative access, the remote user can execute arbitrary operating system commands or view files with the privileges of the web server daemon.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.cbvfd.com/rnn/scripts/guestbook.htm
Cause:  Access control error, Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "BrainRawt" <brainrawt@haxworx.com>
Message History:   None.


 Source Message Contents

Date:  Wed, 26 Nov 2003 20:08:26 -0500
From:  "BrainRawt" <brainrawt@haxworx.com>
Subject:  RNN's Guestbook 1.2 Multiple Vulnerabilities

 

 RNN's Guestbook 1.2 Multiple Vulnerabilities Discovered by
 Chris Rahm (aka: BrainRawt) (brainrawt at haxworx.com)
       

 Vulnerabilities: Remote Command Execution
                  Administrative Access
                  Information Disclosure (Reading of Files)
                  Arbitrary HTML Insertion/Script Injection
                  Plain Text Administrative Password

          Remote: Yes
           Local: Yes
            Risk: High

      Vulnerable: Guestbook 1.2


 About Guestbook
 ---------------
 Guestbook is an easily customizable CGI script that allows
 visitors to post messages for others to read.

 Guestbook 1.2 can be downloaded at the following address.
 
 http://www.cbvfd.com/rnn/scripts/guestbook.htm

 
 Vendor Contact
 --------------
 10-11-03 - Sent an email to webmaster at cbvfd.com 
            "ATT: Mike Reed (author)"
            (No Reply)

 10-12-03 - Sent an email to Mike Reed at mike at cbvfd.com
            (No Reply)
            
 10-16-03 - Sent another email to mike at cbvfd.com
            (No Reply)

 10-19-03 - Sent email to (Mike's other email) 
            zmlr15 at imail.etsu.edu.
            (Failed Recipient)

 10-20-03 - Posted a msg on the cbvfd.com msgboard.
            (No Response Yet)

 10-20-03 - Called Mike via phone. 
            (No Answer)

 10-25-03 - Sent an email to another one of Mike's addresses.
            reed2323 at cbvfd.com

 10-26-03 - Received an email from Mike and replied with a
            copy of this advisory.

 11-26-03 - No word from author since he had received a copy 
            of this advisory.  Releasing information to bugtraq.

 Administrative Access Vulnerabilities
 -------------------------------------
 If an attacker was to visit ~/gbadmin.cgi, he/she would be 
 prompted for a password.  But if that same attacker was to 
 go directly to the QUERY_STRING and fill in the values for 
 "action", he/she could have total control over the guestbook 
 without the need of any authentication.

 EXAMPLES:

 1. ~/gbadmin.cgi?action=change_adminpass - Change password 

 2. ~/gbadmin.cgi?action=delete_guests - Delete ALL posts on the guestbook.

 3. ~/gbadmin.cgi?action=setup - Change setup information for guestbook.

 4. ~/gbadmin.cgi?action=colors - Modify the look and feel of the guestbook

 5. ~/gbadmin.cgi?action=change_automail - Change emailing information


 Information Disclosure Vulnerability (Reading of Files)
 -------------------------------------------------------
 By taking advantage of the Administrative Access Vulnerabilities, an
 attacker could visit ~/gbadmin.cgi?action=setup and change the
 "guestbook entry file" path to point towards any file (EX: /etc/passwd)
 on the system readable by the account in which the httpd is running. 
 After making this change, the attacker would view guestbook.cgi not 
 to read POSTs, but to read the contents of the file above.


 Remote Command Execution
 ------------------------
 Also by taking advantage of the Administrative Access Vulnerability,
 instead of an attacker changing the guestbook entry file path to 
 something such as /etc/password to read that file's contents, an
 attacker can insert /path/file;<cmd> <args>| resulting in the
 execution of the cmd at the end of /path/file.

 EXAMPLE: /etc/passwd;touch /tmp/hacked|


 Arbitrary HTML Insertion / Script Injection Vulnerabilities
 -----------------------------------------------------------
 Due to improper filtering, all the scalars below allow the insertion 
 of HTML tags, making guestbook.cgi vulnerable to script injection.

 Even though the gbadmin.cgi offers the option to not allow HTML tags 
 in the $comment field, HTML tags are still accepted.

 sub process_input {
 # process variables: each field is copied from %in exactly as submitted
 $name = "$in{'name'}";
 $email = "$in{'email'}";
 $refer = "$in{'refer'}";
 $msn = "$in{'msn'}";
 $aol = "$in{'aol'}";
 $guest_site = "$in{'guest_site'}";
 $comment = "$in{'comment'}";
 $ip = "$in{'ip'}";
 # validate_input does not strip HTML tags from any of the fields above
 &validate_input;
 }


 Plain Text Administrative Password
 ----------------------------------
 The administrative password can be found in the gbpass.pl file
 also found in the same directory as the rest of the guestbook.
 Combine the permissions recommended by the author in "readme.txt"
 and the plain text password, any "local" users can view the plain
 text password found in gbpass.pl.

 
 ------------------------------------------------------


 


Copyright 2003, SecurityGlobal.net LLC