Message-ID: <006501c389bf$e89df250$050010ac@rootserver>
Date: Fri, 3 Oct 2003 17:06:11 +0200
From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh@...g-security.com>
To: "Bugtraq" <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>,
   <security-alert@....com>
Cc: "SecurityTracker" <bugs@...uritytracker.com>
Subject: Sun Cobalt RaQ Control Panel Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sun Cobalt RaQ Control Panel Multiple Vulnerabilities
- ------
PRODUCT: Cobalt RaQ Web Control Panel
VENDOR: Sun - Cobalt Networks
VULNERABLE VERSIONS:
       
       - Sun Cobalt RaQ Servers Web Control Panel (T.I.N.P)
       - Tested in a default configured Sun Cobalt RaQ server
         control panel
       - Sun Cobalt servers using the web based control panel
         (T.I.N.P)
       - Sun Cobalt RaQ 550 Server Appliance

- ---------------------
N.TED = Not Tested in a Real Site / Production Site
T.I.N.P = Tested in Non Production Environment
____________
Description:

Sun Cobalt RaQ 550 server appliance integrates the hardware,
software, database and development tools needed to deploy
applications extremely quickly without any prior server experience.

- ---------------------------------------------
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
- ---------------------------------------------

I found XSS vulnerabilities in the web based Control Panel of
Cobalt RaQ Servers. With this hole you can try to get the target
user's information through the CGI script called message.cgi by
including script code in the info= variable value.
The script is used for the output of system and control messages like
help messages ("hints" of rollovers to help the user with things
in the control panel).
In addition, SSL support is not enabled for the control panel of
users.
Cobalt Servers are possibly affected by the last security hole found
in OpenSSL.

- ---------
|  XSS  | 
- ---------

Using the following encoded script:

  %3Cscript%3Ealert%28%27XSS%27%29%3B%3C/script%3E

And accessing a vulnerable control panel of a Cobalt RaQ server
by pointing to this address:

HTTP://[HOST NAME / DOMAIN]:[PORT: 81]/cgi-bin/.cobalt/message/message.cgi?info=[SCRIPT / XSS CODE]

A working demo of this can be:

http://w-0.h2oformum.foo:81/cgi-bin/.cobalt/message/message.cgi?info=%3Cscript%3Ealert%28%27XSS%27%29%3B%3C/script%3E

This will include the
%3Cscript%3Ealert%28%27XSS%27%29%3B%3C/script%3E code in the output,
and when the web browser executes it you get a message box:

- ----JavaScript Application----
|           XSS !            |
- ------------------------------

That's all, simple and fast, but the Control Panel doesn't use cookies
to keep the passwords. This can be used to get the domain cookies if
they are used by other applications, although it is a security hole
because it demonstrates that the message.cgi script does not have
an input validation system.

- ---------------------------------
| SSL SUPPORT NOT PRESENT IN CP |
- ---------------------------------

I observed that SSL support is not enabled for the web server
running the control panel
(default web server of the Cobalt RaQ control panel),
but the banner is this:

Server: Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b mod_auth_pam_external/0.1 mod_perl/1.25

You can try to access but you get nothing (error connecting).
This is a problem because it uses basic auth and if somebody gets
this:

GET /.cobalt/siteManage/www.blah.com/ HTTP/1.1
Host: tobeornottobeavulnerablehost.foo:81
User-Agent: Mozilla/5.0 Mozilla Firebird/0.6.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: max-age=0, max-age=0
Authorization: Basic dGVzdDp0ZXN0

HTTP/1.x 200 OK
Date: Fri, 03 Oct 2003 13:37:54 GMT
Server: Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b mod_auth_pam_external/0.1 mod_perl/1.25
Keep-Alive: timeout=300
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

Look at Authorization: Basic dGVzdDp0ZXN0, it is base64 encoded;
the decoded value is:

test:test


- ------------------------------
| LAST OPENSSL SECURITY HOLE |
- ------------------------------

I think that the version that I checked is affected by the last
OpenSSL security hole.
I haven't tested this but the OpenSSL version is included in the
vulnerable versions range.

- -----------------
| VENDOR STATUS |
- -----------------

Ok -> Warned / Contacted
(security-alert@....com)
---------------
| CONTACT |
- -----------

Lorenzo Hernandez Garcia-Hierro
- ---Security Consultant---
- --------NSRGroup---------
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
NSRGroup

( No Secure Root Group Security Research ) 

http://www.nsrg-security.com
______________________

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBP31yeM67KCZLTCg+EQKedwCfe3fYJc8RTu7zCLgLr3IeKbeSrboAnjr9
dWLLVKPOQmlkBiENkvF9T7SB
=uvuK
-----END PGP SIGNATURE-----
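
The XSS section above attributes the flaw to message.cgi echoing the info= value without validation. The following is an added example, not part of the original advisory and not Cobalt's code: it contrasts a handler that reflects the value verbatim with one that HTML-escapes it, using the advisory's own payload. The page template and function names are hypothetical.

```python
import html
from urllib.parse import parse_qs

# Query string exactly as given in the advisory (URL-encoded payload).
ADVISORY_QUERY = "info=%3Cscript%3Ealert%28%27XSS%27%29%3B%3C/script%3E"

# Hypothetical stand-in for the hint page that message.cgi renders.
PAGE = '<html><body><p class="hint">{msg}</p></body></html>'


def get_info(query_string: str) -> str:
    """URL-decode the query string and return the first info= value."""
    values = parse_qs(query_string, keep_blank_values=True)
    return values.get("info", [""])[0]


def render_unsafe(query_string: str) -> str:
    """Behaviour the advisory describes: the decoded value is echoed as-is,
    so any markup in it becomes part of the page."""
    return PAGE.format(msg=get_info(query_string))


def render_safe(query_string: str) -> str:
    """Same page, but the value is HTML-escaped at the point of output.
    quote=True also escapes quotes, which matters if the value is ever
    placed inside an attribute."""
    return PAGE.format(msg=html.escape(get_info(query_string), quote=True))


def reflects_markup(body: str, query_string: str) -> bool:
    """Regression check: True if the decoded value appears unescaped in the
    rendered page while containing HTML metacharacters."""
    value = get_info(query_string)
    return any(c in value for c in "<>\"'") and value in body


if __name__ == "__main__":
    print(render_unsafe(ADVISORY_QUERY))
    print(render_safe(ADVISORY_QUERY))
```
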
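
The SSL section above shows a Basic Authorization header crossing port 81 without TLS. The following is an added example, not part of the original advisory: an audit helper that parses a captured request, decodes the Basic token, and classifies whether a reusable password was exposed in cleartext. The request is abridged from the advisory's capture; the function names and result labels are hypothetical.

```python
import base64
import binascii

# Request headers abridged from the advisory's capture (port 81, no TLS).
CAPTURED = (
    "GET /.cobalt/siteManage/www.blah.com/ HTTP/1.1\r\n"
    "Host: tobeornottobeavulnerablehost.foo:81\r\n"
    "Connection: keep-alive\r\n"
    "Authorization: Basic dGVzdDp0ZXN0\r\n"
    "\r\n"
)


def basic_credentials(raw_request: str):
    """Return (user, password) from a Basic Authorization header, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None                            # other schemes: out of scope
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return None                            # malformed token
        user, sep, password = decoded.decode("utf-8", "replace").partition(":")
        return (user, password) if sep else None
    return None


def audit(raw_request: str, tls: bool) -> str:
    """Classify a request seen on the wire. Base64 is an encoding, not
    encryption, so without TLS the password is readable by any observer."""
    creds = basic_credentials(raw_request)
    if creds is None:
        return "no-basic-auth"
    if tls:
        return "basic-auth-over-tls"
    # Report the user and password length only; never log the password.
    return f"cleartext-credentials user={creds[0]!r} password_len={len(creds[1])}"


if __name__ == "__main__":
    print(audit(CAPTURED, tls=False))
```
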

