OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Larry W. Cashdollar (lwcvapid.dhs.org)
Date: Mon Nov 26 2001 - 14:06:46 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    I am releasing this a bit early as the vendor has been aware of this issue
    for a while now.

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                                    Vapid Labs
                                 Larry W. Cashdollar
              Xitami Webserver clear text password storage vulnerability.

    Date Published: 11/23/2001

    Advisory ID: 11232001-02

    Title: Xitami Admin Password vulnerability from imatrix.com.

    Class: Design error

    Remotely Exploitable: no

    Locally Exploitable: yes

    Vulnerability Description:

    The webserver administrator password is stored clear-text in a world
    readable file. A local user can use the webserver admin password to gain
    control of (by default) root owned xitami process. The server can then be
    reconfigured by the malicious user (locally unless configured to allow
    remote administration) to read sensitive system files and execute commands
    as root.

    Vulnerable Packages/Systems: Xitami Webserver 2.4d9, 2.5b5 beta

    I tested using the source packages suni24d9.tgz, suni25b5.tgz obtained
    from xitami.com on a RedHat 6.2 i386 system.

    Solution/Vendor Information/Workaround:

    The vendor has been aware of this problem for a while, the time stamp
    on my source file was June 2001.

    http://www.imatix.com/html/xitami/index13.htm#m_7

    Previous vulnerabilities:

    http://www.securityfocus.com/bid/3511
    http://www.securityfocus.com/bid/2622

    Vendor notified on: 11/23/2001

    Credits: Larry W. Cashdollar Vapid Labs.
             http://vapid.dhs.org

    Technical Description - Exploit/Concept Code:

    During installation the administrator is asked to enter an account and
    username password used to access the web administrator function. By
    default administration of the webserver is only allowed from localhost.
    This information is stored in a file called default.aut

    [lwcashmathom xitami]$ ls -l defaults.aut
    -rw-r--r-- 1 root root 107 Nov 23 10:56 defaults.aut

    If the server is configured by default (just hitting enter when asked to
    enable remote web administration) then a local user can use the admin
    password stored in the above file to reconfigure the webserver and among
    other things change the cgi-bin directory to /tmp/cgi-bin. By default the
    server runs as root and does not drop privledges.

    I did the following:

    [lwcashmathom ~ $] echo "#!/bin/sh" > /tmp/cgi-bin/test.cgi
    [lwcashmathom ~ $] echo "chmod 666 /etc/passwd" >> /tmp/cgi-bin/test.cgi
    [lwcashmathom ~ $] chmod 555 /tmp/cgi-bin/test.cgi

    The following URL will execute our cgi as root:
    http://localhost/tmp/cgi-bin/test.cgi

    If the server has been configured to allow remote administration, then the
    above url can be accessed remotely.

    Recommendations:

    Configuration files that store sensitive information should have very
    restrictive file permissions. Passwords should never be stored in
    clear-text, they should be stored at least as a one way hash.

    I suspect by the wording used during installation, that many
    administrators might enable remote web administration since it seems to
    be almost suggested by the installation script. You might want to change
    the wording around to discourage it.

    I suspect changing the permissions of default.aut to read only for root
    would help a little, but did not test it.

    Configure xitami to run as nobody.

    DISCLAIMER:

    The contents of this advisory are copyright (c) 2001 Larry W. Cashdollar
    and may be distributed freely provided that no fee is charged for this
    distribution and proper credit is given.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (FreeBSD)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8Ap7IOHpgAgvDwBURAiEEAKC9nx/90/SYRagxRmEOzX++21OS7gCglMIv
    E32weSt0xkmFQcLbtF4Sqh0=
    =mNbv
    -----END PGP SIGNATURE-----