SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Game)  >   NetUP UTM Vendors:   NetUP Systems
NetUP UTM Input Validation Flaws Permit Remote Session Hijacking and Subsequent Command Execution
SecurityTracker Alert ID:  1007786
SecurityTracker URL:  http://securitytracker.com/id/1007786
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 23 2003
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Exploit Included:  Yes  
Version(s): 3.0, 4.0
Description:   Several security vulnerabilities were reported in the NetUP UTM ISP billing system. A remote user can inject SQL commands to hijack administrator sessions and then execute arbitrary shell commands. A local user with certain privileges can obtain root privileges.

It is reported that a remote user can submit a specially crafted HTTP GET request to inject SQL commands to be executed by the underlying database. The report indicates that the 'admin' and 'utm_stat' scripts do not properly validate the user-supplied 'sid' parameter. A remote user can take actions on the system without supplying valid authentication credentials and can hijack existing sessions (including administrator sessions). Some demonstration exploit URLs are provided:

https://somehost/cgi-bin/utm/admin?cmd=full_view&sid=q%22%20OR%201=1%20OR%20%22q%22=%22q
https://somehost/cgi-bin/utm/utm_stat?cmd=user_report&sid=q%22%20OR%201=1%20OR%20%22q%22=%22q

It is also reported that the '/cgi-bin/utm/user_stat' script does not escape user-supplied query parameters. A remtoe authenticated user can inject SQL commands to modify their account details, including billing data.

Other SQL injection flaws reportedly reside in the software.

It is also reported that a remote authenticated administrator (or a remote user that has hijacked an administrator session) can execute arbitrary shell commands on the target system.

If firewall rule setup is enabled (it is not, by default), an administrator can append a semicolon and arbitrary shell commands to a firewall rule, causing the shell commands to be executed with the privileges of the web server process. If firewall rule setup is not enabled (the default configuration), the administrator can still execute shell commands using a more complicated exploit method. The administrator can inject SQL commands via the '/cgi-bin/utm/admin' script to modify the 'dict' table, which can then override the 'netup/utm/utm.cfg' configuration file's sudo_path value. When sudo is next executed, the overwritten sudo_path will be invoked and the administrator's arbitrary shell commands will be executed with the privileges of the web server process.

It is also reported that a local user with web server privileges (e.g., 'nobody') can obtain root privileges. The system reportedly includes a sudo entry that permits the user to move files with root privileges:

nobody ALL= NOPASSWD: /bin/mv

Impact:   A remote user can hijack an administrator's session. With administrator access, the remote user can execute arbitrary shell commands on the target system with the privileges of the web server process. With web server uid shell access on the target system, the remote user can then gain root privileges on the system.
Solution:   No solution was available at the time of this entry.

The author of the report has provided several workarounds, described in the Source Message.

Vendor URL:  www.netup.biz/ (Links to External Site)
Cause:   Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (FreeBSD), Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  Multiple Security Issues in Netup UTM


Name               : Multiple Security Issues in Netup UTM
Software Package   : Netup UserTraffManager
Vendor Homepage    : http://www.netup.biz, http://www.netup.ru
Vulnerable Versions: 3.0, 4.0
Platforms          : Linux, FreeBSD
Vulnerability Type : SQL injections, remote shell command execution

Introduction
-------
  As it is postulated on vendor's website www.netup.biz: "NetUP UserTraffManager
  is a universal ISP billing system for Internet Service Providers of any size,
  from small offices to global companies".

  Actually, UTM is a traffic accounting suite, which consist of 
  1) scripts for collecting traffic statistics from different devices, and
     storing them in MySQL database.
  2) web interface for administrators and end-users.

-------
Issue 1: Session hijacking using SQL injection

  Web interface of UTM consist of 3 executables: aaa, admin and utm_stat. aaa
handles authentication of user or administrator, and generates unique session
id. After that admin or utm_stat identifies user by session id, which is
passed as a parameter sid in HTTP GET string.
  It appears that session data is stored in MySQL, and sid parameter is checked
with simple SELECT, and special characters in parameter sid are not escaped,
so sessions can be easily hijacked with queries altering where-clause,
for example sid='q" OR 1=1 OR "q"="q'. This will give an access to first
currently open session. The resulting query will be:

https://somehost/cgi-bin/utm/admin?cmd=full_view&sid=q%22%20OR%201=1%20OR%20%22q%22=%22q
https://somehost/cgi-bin/utm/utm_stat?cmd=user_report&sid=q%22%20OR%201=1%20OR%20%22q%22=%22q

The attacker can switch between sessions altering the SQL query, for example:
sid=q" OR 1=1 AND uid!=10 OR "q"="q
Once the attacker has found needed session he can stick to it, adding uid=X 
(where X is users ID) to the query.

If no sessions are currently active a message "Access denied" is displayed,
however nothing is written to UTM_logs table.

Once the administrator's session is hijacked, attacker can do anything that
this administrator can: alter users' settings, add users, erase logs, steal
UTM registration key and else...

-------
Issue 2: Altering user's parameters using SQL injection

  All user's information is stored in a single SQL row. Users can change their
password and language via web interface given by /cgi-bin/utm/user_stat.
Data from HTTP query passes to SQL UPDATE query not escaped. So, using SQL
injection user can alter all his parameters, and amount of money on his
account as well.
  Logged in user can alter his information, and in case of session hi-jacking,
attacker can alter session owner's info.
  For example, setting lang to 'ru", bill=10000, lang="ru', will put 10000
rubles on user's money bill. And the example query will be:

https://somehost/cgi-bin/utm/utm_stat?cmd=change_lang&lang=ru%22,%20bill=10000,%20lang=%22ru&sid=XXXXX

(where XXXXX is valid sid, or an SQL injection described in issue 1).

-------

  Really all UTM's code suffers from SQL injections. Two most bad where already
described above. So I will skip others, and will go on describing worse bugs.

-------
Issue 3: Executing shell commands

  UTM allows its administrators to setup firewall rules. Administrator enters
the parameters for ipchains (in case if Linux) or ipfw (FreeBSD) into
webform, and they are stored in MySQL, and executed with help of sudo. A
malicious administrator can add semicolon and any shell commands to the
firewall rule, and this commands will be executed with uid of httpd process
owner.
  However, altering firewall rules is disabled in UTM by default. In this case
an attacker can use more complicated way to execute commands:
  The problem is that UTM configuration options from /netup/utm/utm.cfg are
exported to global variables after parsing. This happens on each startup of
aaa, admin or utm_stat. After this, dictionary data for corresponding language
is selected from table dict. This data is also exported to global variables.
Column "variable" becomes variable name, and column "value" its value. So, if
one has access to table dict, he can override configuration options from
/netup/utm/utm.cfg. Overriding option sudo_path allows an attacker to
execute shell commands on server running UTM.
  Web interface /cgi-bin/utm/admin allows only to change column value of table
dict. But, further examination shows that admin?cmd=dict_change, is subject
to SQL injection similar to utm_stat?cmd=change_lang, described above.
Passing parameter like

value506='touch /tmp/hacked; /usr/local/bin/sudo", variable="sudo_path'

to admin?cmd=dict_change will rewrite global variable sudo_path, and
'touch /tmp/hacked' will be executed with next call to sudo. The HTTP query
itself is very big, because all rows in table dict are changed with one
query (stupid!), so the query won't be shown here.

-------
Issue 4: Gaining root access

  Once an attacker can execute shell commands with uid of httpd process
owner (usually nobody), in most cases he can gain a root shell. The problem
is that in all boxes running UTM sudoers file contains a line:

nobody  ALL= NOPASSWD: /bin/mv

So moving from httpd uid to uid 0 is quite easy.

(I don't really know reason for this, but it is even suggested to do it
on vendor's website http://www.netup.ru/?fid=31)

-------
Known workarounds:

1. Change database_login in utm.cfg to non-root value (default root).
2. Remove "nobody  ALL= NOPASSWD: /bin/mv" from sudoers.
3. Disallow changing dictionary and adding firewall rules for all
   administrators. Set tables actions and dict read-only for
   UTM mysql account.
4. Deny access to /cgi-bin/utm from outer networks via .htaccess.
5. Deny access to /cgi-bin/utm/admin.pl from any hosts except of
   administrators' ones via .htaccess.
6. Deny POST method in .htaccess. Track access_log for SQL injections.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC