OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: ppp-design (securityppp-design.de)
Date: Sun Apr 28 2002 - 06:29:59 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ppp-design found the following authentication bypass vulnerability in
    dnstools:

    Details
    - -------
    Product: dnstools
    Affected Version: 2.0 beta 4 and maybe all versions before
    Immune Version: 2.0 beta 5
    OS affected: Linux only
    Vendor-URL: http://www.dnstools.com
    Vendor-Status: informed, new version avaiable
    Security-Risk: very high
    Remote-Exploit: Yes

    Introduction
    - ------------
    DNSTools is a comercial solution for dns configuration ($0 for
    personal use up to $800 for ISPs). This is what the vendor tells about
    dnstools: "DNSTools is a DNS configuration and DNS administration
    utility that eases the burden of network and system administrators by
    presenting all of their DNS data in an easy-to-use web interface and
    allowing them to modify that data quickly and easily. With a few
    simple clicks, you can modify a host name, add a new mail record, add
    a new DNS name server, delete an entire domain or add an alias or
    second IP address to an existing host. These are just a few examples
    of what DNSTools provides." Unfortunately the security concept is
    broken by design and can be easily bypassed.

    More details
    - ------------
    The software uses two variables to save the users authentication
    status (normal user / administration). Unfortunately these variables
    are not initialized, so you can easily spoof your status.

    Proof-of-concept
    - ----------------
    Just add "user_logged_in=true" and if you want to have administration
    privileges "user_dnstools_administrator=YES" to any url (just be sure
     you are not logged in, otherwise your submitted variable will be
    overwritten with the real value).

    Examples:
    http://www.example.com/dnstools.php?section=hosts&user_logged_in=true
    http://www.example.com/dnstools.php?section=security&user_logged_in=true
    &user_dnstools_administrator=YES

    Temporary-Fix
    - -------------
    Initialize both variables with false at the beginning of dnstools.php

    Fix
    - ---
    Use at least version 2.0 beta 5.

    Security-Risk
    - -------------
    A blackhat can easily manipulate DNS entries remotly without being
    authorized in any way. This often is the first step of a hacking
    scenario. Therefore we are rating the security risk to very high.

    Vendor status
    - -------------
    The author reacted very fast and recommendable to our note. He needed
    about 48 hours for a new version which fixes the vulnerability.

    Disclaimer
    - ----------
    All information that can be found in this advisory is believed to be
    true, but maybe it is not. ppp-design can not be held responsible for
    the use or missuse of this information. Redistribution of this text is
    only permitted if the text has not been altered and the original
    author ppp-design (http://www.ppp-design.de) is mentioned.

    This advisory can be found online:
    http://www.ppp-design.de/advisories.php

    - --
    ppp-design
    http://www.ppp-design.de
    Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
    Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: Weitere Infos: siehe http://www.gnupg.org

    iD8DBQE8y903DXh7YLO1RRoRAs4VAJ9HNyVi3Fz7U1eU9tk2efcrlZfcnACdEWCx
    rnGV/vCQNPwo1fRFsynOy1w=
    =ZPXl
    -----END PGP SIGNATURE-----