lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 3 Apr 2009 00:44:36 +1100
From: Patrick Webster <patrick@...hack.com>
To: bugtraq@...urityfocus.com
Subject: ContentKeeper - Remote command execution and privilege escalation

aushack.com - Vulnerability Advisory
-----------------------------------------------
Release Date:
 03-Apr-2009

Software:
 ContentKeeper Technologies - ContentKeeper Web
 http://www.contentkeeper.com/

 "ContentKeeper is an industry leading Internet content filter that allows
 organisations to monitor, manage, control & secure staff access to
 Internet resources."

Versions affected:
 ContentKeeper 125.09 and below.

Vulnerability discovered:

 Remote command execution and privilege escalation vulnerabilities.

Vulnerability impact:

 High - Unauthenticated users with access to the management IP address
 	of the device may execute commands remotely as the apache user.
	Furthermore, a privilege escalation vulnerability is present allowing
	for unauthenticated remote root compromise.

Vulnerability information

 The appliance is administered by use of a web browser HTML based front
 end. The .htaccess file prohibits unauthenticated access to known
HTML management
 pages, however other binaries, such as mimencode, are exposed.

 By sending a HTTP POST request, it is possible to write arbitrary data
 to a default file which has world read-write-execute permissions.

 It is then possible to send a HTTP GET request to the written file, to execute
 arbitrary commands remotely. It is also possible to use mimencode to conduct
 directory traversal style attacks, e.g. obtaining a mime encoded copy of
 '/etc/passwd'.

 In addition, the setuid root benetool available to the apache user contains an
 unsafe call to 'ps' and others, allowing for PATH manipulation for
root escalation

 A Metasploit Framework Module is available in the trunk.

Solution:
 Upgrade to 125.10 or above.

References:
 aushack.com advisory
 http://www.aushack.com/200904-contentkeeper.txt

Credit:
 Patrick Webster (patrick@...hack.com)

Disclosure timeline:
 10-Apr-2008 - Discovered during audit.
 18-Jul-2008 - Vendor notified.
 18-Jul-2008 - Vendor response.
 25-Feb-2009 - Vendor confirmed patched version.
 03-Apr-2009 - Public disclosure.

EOF

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ