Bugtraq mailing list archives
Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server
From: Lluis Mora <llmora () S21SEC COM>
Date: Mon, 7 Aug 2000 20:01:11 +0200
################################################################
ID:        S21SEC-004-en
Title:     Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server
Date:      07/08/2000
Status:    Vendor contacted, Solved
Scope:     Remote command execution
Platforms: Solaris 2.6, Solaris 8
Author:    llmora
Location:  http://www.s21sec.com/en/avisos/s21sec-004-en.txt
Release:   Public
################################################################

                          S 2 1 S E C
                     http://www.s21sec.com

Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server

There are two security bugs in the Sun Solaris AnswerBook2 package that allow a malicious user to access the administration interface of AB2, as well as to run arbitrary commands on the remote host as the user the server runs as.

About AnswerBook2
-----------------
Sun Solaris AnswerBook2 ships with an HTTP server (dwhttpd, DynaWeb's httpd) that allows users to access Solaris documentation using a web browser. By default the server listens on port 8888.

Vulnerability description
-------------------------
1. Accessing the administration interface

The server provides an administration interface that allows the administrator to manage document collections, view log files, etc. The administrative interface is not available until you manually add an administrator to the AnswerBook2 configuration. In order to use the functions of the administration interface (http://www.example.com:8888/ab2/@Ab2Admin?) you need to authenticate to the web server.

AB2 comes with a handful of CGI scripts, one of which provides a secondary way of getting to the administration interface (http://www.example.com:8888/cgi-bin/admin/admin). The CGI accepts some requests without requiring authentication; one of them allows the administrator to add a new user.
It is possible for an unauthenticated user to create a new administration user by passing values to the CGI:

  http://www.example.com:8888/cgi-bin/admin/admin?command=add_user&uid=percebe&password=percebe&re_password=percebe

Sending a request to this URL automagically adds a new user to the administration interface, which can then be accessed with the percebe/percebe authentication pair. From there the attacker is able to read the log files and manage the server's contents (document collections, log files, etc.). Note that, being a GET request, the new account's password travels in the query string and is therefore written to the server's own access log.

2. Remote execution of arbitrary commands

There is a second bug in the dwhttpd server that allows an attacker to run arbitrary commands on the host where the AnswerBook server is running. It requires access to the administration interface, which the first bug provides without any prior credentials.

One of the options available while administering AB2 is to rotate the access and error logs. The server lets you specify the target file that the logs will be rotated to. A target such as ../../../../../this/file creates or overwrites files outside the web server document root directory.

Further investigation showed that the server performs the following command to rotate the server logs:

  sh -c "cp /var/log/ab2/logs/original_log /var/log/ab2/logs/USER_PROVIDED_TARGET"

So an attacker can specify a destination log such as "x ; uname -a", which translates to:

  sh -c "cp /var/log/ab2/logs/original_log /var/log/ab2/logs/x ; uname -a"

thus effectively running an arbitrary command on the remote server. Under Solaris (at least 2.6 and 8) the web server runs as user daemon (uid=1).

Affected versions and platforms
-------------------------------
These bugs have been verified to be present on the AnswerBook dwhttpd servers shipped with Solaris 2.6 x86 (dwhttpd v4.0) and Solaris 8 SPARC (dwhttpd v4.1), as well as on the latest release v4.1.2 available from the vendor website. We strongly believe the bug is platform independent and can probably be found in previous releases.
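The following Python is an added example, not code from the advisory and not dwhttpd's own code (which is not on the page). It models the log-rotation bug described above: vulnerable_rotate_command() builds the single command string the advisory says the server hands to sh -c, so "x ; uname -a" becomes a second command; safe_rotate_argv() is a hardened replacement that allow-lists the file name, confirms the resolved destination is a direct child of the log directory, and returns an argv list to execute without any shell. The log directory path is the one quoted in the advisory; the function names, the allow-list pattern and the scratch-directory demo are this example's own assumptions.

```python
import os
import re
import subprocess
import tempfile

# Log directory quoted in the advisory; everything else here is assumed.
LOG_DIR = "/var/log/ab2/logs"
SOURCE_LOG = "original_log"


def vulnerable_rotate_command(target: str, log_dir: str = LOG_DIR) -> str:
    """Model of the flawed behaviour described in the advisory: the
    user-supplied rotate target is pasted into one command string that the
    server then passes to sh -c. The shell, not cp, interprets ';', '|',
    '`', '$(...)' and '../', so the target controls what gets executed."""
    return f"cp {log_dir}/{SOURCE_LOG} {log_dir}/{target}"


# Allow-list for a rotated log file name: a plain name with no path
# separators, no leading dot, no whitespace and no shell metacharacters.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def safe_rotate_argv(target: str, log_dir: str = LOG_DIR) -> list:
    """Hardened replacement. Validates the name against the allow-list,
    checks that the resolved destination is a direct child of log_dir
    (which also refuses an existing symlink pointing elsewhere), and
    returns an argv list meant to be run WITHOUT a shell."""
    if not _SAFE_NAME.match(target):
        raise ValueError(f"rejected rotate target: {target!r}")
    base = os.path.realpath(log_dir)
    dest = os.path.realpath(os.path.join(base, target))
    if os.path.dirname(dest) != base:
        raise ValueError(f"rotate target escapes {log_dir}: {target!r}")
    return ["cp", os.path.join(base, SOURCE_LOG), dest]


def rejected(target: str, log_dir: str = LOG_DIR) -> bool:
    """True if the hardened validator refuses this target."""
    try:
        safe_rotate_argv(target, log_dir)
    except ValueError:
        return True
    return False


def rotate_demo() -> str:
    """Run the hardened rotation on a constructed log in a scratch
    directory (not a real AnswerBook installation) and return the
    content of the rotated copy."""
    with tempfile.TemporaryDirectory() as scratch:
        with open(os.path.join(scratch, SOURCE_LOG), "w") as f:
            f.write("GET /ab2/ HTTP/1.0 200\n")  # constructed log line
        argv = safe_rotate_argv("access.1", scratch)
        subprocess.run(argv, check=True)  # argv list: no shell is involved
        with open(os.path.join(scratch, "access.1")) as f:
            return f.read()


if __name__ == "__main__":
    print(vulnerable_rotate_command("x ; uname -a"))
    for t in ("x ; uname -a", "../../../../../this/file", "access.1"):
        print(f"{t!r}: {'rejected' if rejected(t) else 'accepted'}")
    print(rotate_demo(), end="")
```

Quoting the target (shlex.quote) before pasting it into the sh -c string would stop the ";" trick but not the "../" one; the allow-list plus the realpath containment check closes both, and passing an argv list means there is no shell left to confuse.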
Fix information
---------------
Sun has released the following patches, which solve both vulnerabilities and are discussed in Sun's Security Bulletin #00196:

  110011-02 (sparc)
  110012-02 (x86)

Users will still need to upgrade to AnswerBook2 v1.4.2. Upgrades are available from the vendor website at http://www.sun.com.

Additional information
----------------------
This vulnerability was found and researched by:

  Lluis Mora
  llmora () s21sec com

You can find the latest version of this advisory at:
  http://www.s21sec.com/en/avisos/s21sec-004-en.txt

And other S21SEC advisories at:
  http://www.s21sec.com/en/avisos/
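Both attacks leave a trace in the web server's access log: the add_user request to /cgi-bin/admin/admin carries the new account's credentials in the query string, and a malicious rotate target shows up as a traversal sequence or shell metacharacters in a request to one of the administrative entry points. The following detector is an added example, not part of the advisory; it assumes Common Log Format lines (dwhttpd's real log format is not given on the page), and the sample lines, the parameter name "log" for the rotate target and the "list_users" command are constructed for illustration only.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Common Log Format. dwhttpd's real log
# format is not given in the advisory, so CLF is an assumption; the
# parameter name "log" for the rotate target and the "list_users"
# command are likewise made up for this sample.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Aug/2000:20:01:11 +0200] "GET /ab2/ HTTP/1.0" 200 1432
10.0.0.9 - - [07/Aug/2000:20:02:03 +0200] "GET /cgi-bin/admin/admin?command=add_user&uid=percebe&password=percebe&re_password=percebe HTTP/1.0" 200 512
10.0.0.9 - - [07/Aug/2000:20:03:40 +0200] "GET /ab2/@Ab2Admin?log=x+%3B+uname+-a HTTP/1.0" 200 300
10.0.0.9 - - [07/Aug/2000:20:04:12 +0200] "GET /ab2/@Ab2Admin?log=../../../../../this/file HTTP/1.0" 200 300
10.0.0.7 - - [07/Aug/2000:20:05:00 +0200] "GET /cgi-bin/admin/admin?command=list_users HTTP/1.0" 200 900
"""

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# The two administrative entry points named in the advisory.
ADMIN_PATHS = {"/cgi-bin/admin/admin", "/ab2/@Ab2Admin"}
# Characters a Bourne shell interprets inside sh -c "...".
SHELL_META = re.compile(r"[;|&`$()<>\n]")


def classify(line: str):
    """Return a finding dict for one log line, or None if the line is
    benign or not a request to an administrative entry point."""
    m = CLF.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path not in ADMIN_PATHS:
        return None
    # parse_qs also decodes %xx escapes and '+', so "x+%3B+uname+-a"
    # is inspected as the string the server would actually see.
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    if url.path == "/cgi-bin/admin/admin" and "add_user" in params.get("command", []):
        findings.append("admin account added via unauthenticated CGI")
    for key, values in params.items():
        for value in values:
            if "../" in value or "..\\" in value:
                findings.append(f"path traversal in parameter {key}")
            if SHELL_META.search(value):
                findings.append(f"shell metacharacter in parameter {key}")
    if not findings:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "path": url.path, "findings": findings}


def scan(log_text: str) -> list:
    """Run classify() over every line and collect the hits in order."""
    return [hit for hit in (classify(line) for line in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["path"], "; ".join(hit["findings"]))
```

The add_user rule is specific to this advisory; the traversal and metacharacter rules are generic and will also catch probing of the rotate function under whatever parameter name the real interface uses. Because the log rotation itself is the attacker's tool, do not rely on a log file that an attacker could already have rotated away: forward the access log off the host.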