Bugtraq mailing list archives

Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server


From: Lluis Mora <llmora () S21SEC COM>
Date: Mon, 7 Aug 2000 20:01:11 +0200

################################################################
ID: S21SEC-004-en
Title: Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server
Date: 07/08/2000
Status: Vendor contacted, Solved
Scope: Remote command execution
Platforms: Solaris 2.6, Solaris 8
Author: llmora
Location: http://www.s21sec.com/en/avisos/s21sec-004-en.txt
Release: Public
################################################################


                                S 2 1 S E C

                         http://www.s21sec.com

        Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server


There are two security bugs in the Sun Solaris AnswerBook2 package that allow
a malicious user to access the AB2 administration interface, as well as to
run arbitrary commands on the remote host as the user the server runs as.

About AnswerBook2
-----------------

Sun Solaris AnswerBook2 ships with an HTTP server (dwhttpd, DynaWeb's httpd)
that allows users to access Solaris documentation using a web browser.

By default the server listens on port 8888.

Vulnerability description
-------------------------

1. Accessing the administration interface

The server provides an administration interface that allows the
administrator to manage document collections, view log files, etc.

The administrative interface is not available until you manually add an
administrator to the AnswerBook2 configuration. In order to use the
functions of the administration interface
(http://www.example.com:8888/ab2/@Ab2Admin?)
you need to authenticate yourself against the web server.

AB2 comes with a handful of cgi scripts, one of which provides a secondary
way of getting to the administration interface
(http://www.example.com:8888/cgi-bin/admin/admin).

The CGI accepts some requests without requiring authentication; one of them
allows the administrator to add a new user. It is therefore possible for an
unauthenticated user to create a new user by passing values to the CGI:

http://www.example.com:8888/cgi-bin/admin/admin?command=add_user&uid=percebe&password=percebe&re_password=percebe

Sending a request to this URL will automagically add a new user to the
administration interface, allowing access to it with the percebe/percebe
authentication pair, where the attacker is able to read log files and manage
the server's contents.

2. Remote execution of arbitrary commands

There is a second bug in the dwhttpd server that allows an attacker to
run arbitrary commands on the host where the AnswerBook server is running.

One of the options available while administering AB2 is to rotate the
access and error logs. The server lets you specify the target file
that the logs will be rotated to. A target such as ../../../../../this/file
can be used to create and overwrite files outside the web server document
root directory. Further investigation showed that the server runs the
following command to rotate the server logs:

  sh -c "cp /var/log/ab2/logs/original_log /var/log/ab2/logs/USER_PROVIDED_TARGET"

So an attacker could specify a destination log like "x ; uname -a", which
translates to:

  sh -c "cp /var/log/ab2/logs/original_log /var/log/ab2/logs/x ; uname -a"

thus effectively running an arbitrary command on the remote server.

Under Solaris (at least 2.6 and 8) the web server runs as user daemon
(uid=1).
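The root cause is that a user-supplied file name is pasted into a string handed to sh -c. As an added illustration (not code from dwhttpd or from this advisory), the routine below shows how a log-rotation handler can avoid both the traversal and the command injection: it confines the target to a plain file name inside the log directory (assumed here to be /var/log/ab2/logs, as named above) and runs cp by argument vector so no shell ever parses the name. Function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define LOG_DIR "/var/log/ab2/logs"   /* log directory named in the advisory */

/* Accept only a plain file name built from [A-Za-z0-9._-] that is not "." or
 * "..": no '/' means no ../ traversal out of LOG_DIR, and no shell
 * metacharacters means the name stays inert.  Returns 1 if OK, 0 otherwise. */
int valid_log_target(const char *name)
{
    size_t i, n = strlen(name);
    if (n == 0 || n > 64) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Build "LOG_DIR/<name>" into dst.  Returns 0 on success, -1 if the name is
 * rejected or the result would not fit in dst. */
int build_log_path(const char *name, char *dst, size_t dstlen)
{
    if (!valid_log_target(name)) return -1;
    if (snprintf(dst, dstlen, "%s/%s", LOG_DIR, name) >= (int)dstlen) return -1;
    return 0;
}

/* Rotate by exec'ing cp with an argument vector instead of sh -c: no shell
 * parses the destination, so ';' in the name can never start a second
 * command.  Returns cp's exit status, or -1 on rejection or fork failure. */
int rotate_log(const char *orig, const char *target_name)
{
    char dst[256]; int status;
    pid_t pid;
    if (build_log_path(target_name, dst, sizeof dst) != 0) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/cp", "cp", orig, dst, (char *)NULL);
        _exit(127);                 /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```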

Affected versions and platforms
-------------------------------

These bugs have been verified to be present on the AnswerBook dwhttpd
servers shipped with Solaris 2.6 x86 (dwhttpd v4.0) and Solaris 8 SPARC
(dwhttpd v4.1), as well as the latest release, v4.1.2, available from the
vendor website. We strongly believe the bug is platform independent and can
probably be found in previous releases.

Fix information
---------------

Sun has released the following patches, which solve both vulnerabilities,
as discussed in Sun's Security Bulletin #00196:

        110011-02 (sparc)
        110012-02 (x86)

Users will still need to upgrade to AnswerBook2 v1.4.2.

Upgrades are available from the vendor website at http://www.sun.com.


Additional information
----------------------

This vulnerability was found and researched by:

 Lluis Mora             llmora () s21sec com

You can find the latest version of this advisory at:

        http://www.s21sec.com/en/avisos/s21sec-004-en.txt

And other S21SEC advisories at http://www.s21sec.com/en/avisos/
