[<prev] [next>] [day] [month] [year] [list]
Message-ID: <003301c389f9$9c7485d0$050010ac@rootserver>
Date: Fri, 3 Oct 2003 23:59:14 +0200
From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh@...g-security.com>
To: "Bugtraq" <bugtraq@...urityfocus.com>
Cc: "SecurityTracker" <bugs@...uritytracker.com>,
"SecurITeam News" <news@...uriteam.com>, <full-disclosure@...ts.netsys.com>
Subject: Sun Cobalt RaQ Control Panel Multiple Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sun Cobalt RaQ Control Panel Multiple Vulnerabilities
- - ------
PRODUCT: Cobalt RaQ Web Control Panel
VENDOR: Sun - Cobal Networks
VULNERABLE VERSIONS:
- Sun Cobalt RaQ Servers Web Control Panel (T.I.N.P)
- Tested in a default configurated Sun Cobalt RaQ server.
control panel
- Sun Cobalt servers using the web based control
panel(T.I.N.P)
- Sun Cobalt RaQ 550 Server Appliance
- - ---------------------
N.TED = Not Tested in a Real Site / Production Site
T.I.N.P = Tested in Non Production Environment
____________
Description:
Sun Cobalt RaQ 550 server appliance integrates the hardware,
software, database and development tools needed to deploy
applications extremely quickly without any prior server experience.
- - ---------------------------------------------
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
- - ---------------------------------------------
I found XSS vulnerabilities in the web based Control Panel of
Cobalt RaQ Servers , with this hole you can try to get the target
user information trough the cgi script called message.cgi by
including script code in the info= variable value.
The script is used for the output of system and control messages like
help messages ( "hints" of rollovers for help the user about things
of the
control panel ) .
In addition the ssl support is not enabled for the control panel of
users.
Cobalt Servers are possible affected by the last security hole found
in OpenSSL.
- - ---------
| XSS |
- - ---------
Using the following encoded script:
%3Cscript%3Ealert%28%27XSS%27%29%3B%3C/script%3E
And accessing a vulnerable control panel of a Cobalt RaQ server
pointing this address:
HTTP://[HOST NAME / DOMAIN]:[PORT: 81
]/cgi-bin/.cobalt/message/message.cgi?info=[SCRIPT / XSS CODE]
A working demo of this can be :
http://w-0.h2oformum.foo:81/cgi-bin/.cobalt/message/message.cgi?info=%
3Cscript%3Ealert%28%27XSS%27%29%3B%3C/script%3E
This will include the
%3Cscript%3Ealert%28%27XSS%27%29%3B%3C/script%3E code in the output
and
when the web browser executes it you get a message box:
- - ----JavaScript Application----
| XSS ! |
- - ------------------------------
Thats all , simple and fast but Control Panel doesn't use cookies for
keep the passwords ,
this can be used for get the domain cookies if it is used by other
applications,although
it is a security hole because it demonstrates that the message.cgi
script does not have
an input validation system.
- - ---------------------------------
| SSL SUPPORT NOT PRESENT IN CP |
- - ---------------------------------
I observed that the ssl support is not enabled for the web server
running the control panel
( default webserver of cobalt raq control panel )
but the banner is this:
Server: Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b
mod_auth_pam_external/0.1 mod_perl/1.25
You can try to access but you get nothing ( error connecting ).
Yhis is a problem because it uses basic auth and if some body get
this:
GET /.cobalt/siteManage/www.blah.com/ HTTP/1.1
Host: tobeornottobeavulnerablehost.foo:81
User-Agent: Mozilla/5.0 Mozilla Firebird/0.6.1
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/pl
ain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: max-age=0, max-age=0
Authorization: Basic dGVzdDp0ZXN0
HTTP/1.x 200 OK
Date: Fri, 03 Oct 2003 13:37:54 GMT
Server: Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b
mod_auth_pam_external/0.1 mod_perl/1.25
Keep-Alive: timeout=300
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
Look at Authorization: Basic dGVzdDp0ZXN0 , it is base64 encoded ,
decoded value is:
test:test
- - ------------------------------
| LAST OPENSSL SECURITY HOLE |
- - ------------------------------
I think that the version that i checked is affected by the last
OpenSSL security hole.
I haven't tested this but the OpenSSL version is included in the
vulnerable versions range.
- - -----------------
| VENDOR STATUS |
- - -----------------
Ok -> Warned / Contacted
(security-alert@....com)
- ---------------
| CONTACT |
- - -----------
- ------------------------------------------------------
Lorenzo Hernandez Garcia-Hierro
- --- Security Consultant ---
- ------------------NSRGroup-------------------
PGP: Keyfingerprint
D185 3555 8ECD 3921 6B21 ACC6 CEBB 2826 4B4C 283E
ID: 0x4B4C283E
Size: 4096
**********************************
NSRGroup
( No Secure Root Group Security Research Team ) /
( NovaPPC Security Research Group )
http://www.nsrg-security.com
______________________
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQA/AwUBP33jFs67KCZLTCg+EQLcwACfRdYmDfBuAU/8W5vQinI2QPVfkVoAoNRs
L95UKY4zm4x4w5MHHJFVwezM
=Cjl1
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists