SecurityTracker.com

SecurityTracker
Archives


 
Category:   Application (Web Server/CGI)  >   Xitami Web Server
Vendors:   iMatix
Xitami Web Server Discloses Web Server Administrator Password to Local Users, Which Could Lead to Root Compromise
SecurityTracker Alert ID:  1002827
SecurityTracker URL:  http://securitytracker.com/id/1002827
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 27 2001
Impact:   Disclosure of authentication information, Execution of arbitrary code via local system, Root access via local system
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.4d9, 2.5b5 beta; and possibly earlier versions
Description:   Vapid Labs has reported a password disclosure vulnerability in the Xitami web server. A local user can obtain the web server administrator password.

It is reported that the web server administrator password is stored in clear text in a world-readable file (defaults.aut) on the system. A local user can read the password and, with administrative access to the server, reconfigure it to view files and execute commands with the privileges of the web server process, which by default runs as root and does not drop privileges.

The vendor has reportedly been notified, as indicated in the following message from the vendor's web site:

http://www.imatix.com/html/xitami/index13.htm#m_7

A demonstration exploit transcript is provided in the Source Message.

Impact:   A local user can obtain the web server administrator password. With administrative access to the web server, the local user can reconfigure it (for example, by pointing the CGI directory at a user-writable location) to view files and execute commands with the privileges of the web server process, which runs as root by default. This can give the local user root-level access to the operating system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.xitami.com/
Cause:   Access control error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Me), Windows (NT), Windows (95), Windows (98)

Message History:   None.
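The two conditions described above, a world-readable credential file and a server process that keeps root, can be checked and the first one corrected programmatically. The following is an added example written for this page; it is not Xitami code and is not part of the advisory. The file layout (admin_user=/admin_password= lines) and the crypt-style "$" prefix used to tell a hashed value from a clear-text one are assumptions for illustration, since the page does not show the real defaults.aut format.

```python
"""Audit a credential file for the conditions in the Xitami advisory:
world-readable permissions, a clear-text password, and a server running
as uid 0.  Added example; not Xitami code.  The admin_password= layout
and the "$" hashed-value convention are assumptions for illustration."""
import os
import stat
import tempfile


def audit_credential_file(path, server_uid):
    """Return a list of findings for PATH; an empty list means no issue found.
    SERVER_UID is the uid the web server process runs as."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable (mode %04o)" % mode)
    elif mode & stat.S_IRGRP:
        findings.append("group-readable (mode %04o)" % mode)
    with open(path) as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            # Assumed convention: hashed values start with "$" (crypt(3) style),
            # anything else under a password key is treated as clear text.
            if sep and "password" in key.lower() and value and not value.startswith("$"):
                findings.append("clear-text password in key %r" % key)
    if server_uid == 0:
        findings.append("server runs as uid 0; a stolen admin password becomes root")
    return findings


def harden_credential_file(path):
    """Strip group/other access so only the owner can read or write (0600).
    Returns the resulting permission bits."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed sample: a defaults.aut with the -rw-r--r-- mode from the
    advisory's listing, audited before and after hardening."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "defaults.aut")
    with open(path, "w") as fh:
        fh.write("admin_user=admin\nadmin_password=s3cret\n")  # constructed content
    os.chmod(path, 0o644)
    before = audit_credential_file(path, server_uid=0)
    new_mode = harden_credential_file(path)
    # After hardening, assume the server was also switched to an unprivileged uid.
    after = audit_credential_file(path, server_uid=65534)
    return before, new_mode, after


if __name__ == "__main__":
    before, new_mode, after = demo()
    print("before:", before)
    print("mode after hardening: %04o" % new_mode)
    print("after:", after)
```

Note that chmod alone only closes the local-read path; the password is still stored in clear text, which is why the audit keeps reporting it until the value is replaced by a one-way hash.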


 Source Message Contents

Date:  Mon, 26 Nov 2001 15:06:46 -0500 (EST)
Subject:  [VulnWatch] Xitami Webserver stores admin password in clear text.


I am releasing this a bit early as the vendor has been aware of this issue
for a while now.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vapid Labs
Larry W. Cashdollar
Xitami Webserver clear text password storage vulnerability.


Date Published: 11/23/2001

Advisory ID: 11232001-02

Title: Xitami Admin Password vulnerability from imatix.com.

Class: Design error

Remotely Exploitable: no

Locally Exploitable: yes

Vulnerability Description:

The webserver administrator password is stored clear-text in a world
readable file.  A local user can use the webserver admin password to gain
control of the (by default) root-owned xitami process.  The server can then be
reconfigured by the malicious user (locally unless configured to allow
remote administration) to read sensitive system files and execute commands
as root.

Vulnerable Packages/Systems: Xitami Webserver 2.4d9, 2.5b5 beta

I tested using the source packages suni24d9.tgz, suni25b5.tgz obtained
from xitami.com on a RedHat 6.2 i386 system.

Solution/Vendor Information/Workaround:

The vendor has been aware of this problem for a while, the time stamp
on my source file was June 2001.

http://www.imatix.com/html/xitami/index13.htm#m_7

Previous vulnerabilities:

http://www.securityfocus.com/bid/3511
http://www.securityfocus.com/bid/2622

Vendor notified on: 11/23/2001

Credits: Larry W. Cashdollar  Vapid Labs.
         http://vapid.dhs.org

Technical Description - Exploit/Concept Code:


During installation the administrator is asked to enter an account
username and password used to access the web administrator function.  By
default administration of the webserver is only allowed from localhost.
This information is stored in a file called defaults.aut.

[lwcash@mathom xitami]$ ls -l defaults.aut
-rw-r--r--    1 root     root          107 Nov 23 10:56 defaults.aut


If the server is configured by default (just hitting enter when asked to
enable remote web administration) then a local user can use the admin
password stored in the above file to reconfigure the webserver and among
other things change the cgi-bin directory to /tmp/cgi-bin.  By default the
server runs as root and does not drop privileges.

I did the following:

[lwcash@mathom ~ $] echo "#!/bin/sh" > /tmp/cgi-bin/test.cgi
[lwcash@mathom ~ $] echo "chmod 666 /etc/passwd" >> /tmp/cgi-bin/test.cgi
[lwcash@mathom ~ $] chmod 555 /tmp/cgi-bin/test.cgi

The following URL will execute our cgi as root:
http://localhost/tmp/cgi-bin/test.cgi

If the server has been configured to allow remote administration, then the
above url can be accessed remotely.

Recommendations:

Configuration files that store sensitive information should have very
restrictive file permissions.  Passwords should never be stored in
clear-text, they should be stored at least as a one way hash.

I suspect by the wording used during installation, that many
administrators might enable remote web administration since it seems to
be almost suggested by the installation script.  You might want to change
the wording around to discourage it.

I suspect changing the permissions of defaults.aut to read only for root
would help a little, but did not test it.

Configure xitami to run as nobody.

DISCLAIMER:

The contents of this advisory are copyright (c) 2001 Larry W. Cashdollar
and may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.





-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8Ap7IOHpgAgvDwBURAiEEAKC9nx/90/SYRagxRmEOzX++21OS7gCglMIv
E32weSt0xkmFQcLbtF4Sqh0=
=mNbv
-----END PGP SIGNATURE-----
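As a worked version of the advisory's recommendations (restrictive file permissions, and a salted one-way hash instead of a clear-text password), here is an added example in Python. It is not Xitami's code and not part of the advisory; the record format "$pbkdf2-sha256$<iterations>$<salt-hex>$<hash-hex>" and the admin_user=/admin_password= file layout are assumptions for illustration.

```python
"""Store the admin password as a salted PBKDF2-SHA256 hash in a file created
with mode 0600, and verify a login against it.  Added example; not Xitami
code.  The "$pbkdf2-sha256$iters$salt$hash" record format and the
admin_password= file layout are assumptions for illustration."""
import hashlib
import hmac
import os
import stat
import tempfile

ITERATIONS = 200_000  # work factor; raise as hardware allows


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: scheme, iterations, salt and digest.
    A fresh random salt is drawn unless one is supplied (tests only)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the digest with the record's own salt and iteration count and
    compare in constant time.  Malformed records verify as False."""
    try:
        _, scheme, iters, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def write_credential_file(path, username, record):
    """Create the file owner-read/write only from the start, so there is no
    window in which a world-readable file exists before a later chmod."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("admin_user=%s\nadmin_password=%s\n" % (username, record))


def read_record(path):
    """Return the stored admin_password value, or None if absent."""
    with open(path) as fh:
        for line in fh:
            key, _, value = line.strip().partition("=")
            if key == "admin_password":
                return value
    return None


def demo():
    """Constructed round trip: write a hashed record, check the resulting
    permission bits, then verify a correct and an incorrect password."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "defaults.aut")
    write_credential_file(path, "admin", hash_password("s3cret"))  # constructed password
    mode = stat.S_IMODE(os.stat(path).st_mode)
    stored = read_record(path)
    return mode, verify_password("s3cret", stored), verify_password("guess", stored)


if __name__ == "__main__":
    mode, good, bad = demo()
    print("file mode %04o, correct password -> %s, wrong password -> %s" % (mode, good, bad))
```

Even with the file readable only by root, the hash is what a local user would have to crack rather than a password they can reuse immediately; dropping the server to an unprivileged account (the advisory's last recommendation) is still needed so that an administrative login cannot be turned into root.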



 
 



Copyright 2014, SecurityGlobal.net LLC