| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 25 Dec 2011 02:45:39 +0100 From: sd <sd@...ksheep.org> To: full-disclosure@...ts.grok.org.uk Subject: Re: AirOS remote root 0day The bug is lighttpd's. It's whitelist is applied to actual url (thus allowing .cgi, .css, .gif etc, according to its whitelist). However that pesky PATHINFO feature strips all trailing path components in hopes of finding a valid path (/admin.cgi/blah.(css|gif|js...)) becomes just /admin.cgi). Actual trailing paths granting arbitrary CGI access: airos.allow = ( ".ico", ".gif", ".png", ".jpg", ".js", ".css", "jsl10n.cgi", "poll.cgi", "airview.jar.pack.gz", "airview_manager.jnlp", "airview.jnlp", "airview.uavr", "/login.cgi", "/ticket.cgi" ) Note that this is a common bug (elaborate security company tract pending :) and exploit evading cgi access restrictions based on url rules. Fixing it, surprisinly, is not easy - all filters provided by airos.allow/deny are strncmp() applied to the end of original (pre-pathinfo) uri and pretty much useless. Just upgrade to fw 5.3.5 released few days ago by ubiquity. Additional L7 rules anywhere upstream are embarassingly ineffective (just use http url escaping to evade) and merely stops skynet from spreading Also, the shell worm spreading using this renames /admin.cgi to /adm.cgi - for you guys having trouble actually exploing infected systems :) 2011/12/23 Christopher Granger <chrisgrangerx@...il.com>: > Does anyone have additional information about this vulnerability? > > It looks like it can be exploited by requesting: > > http://[X.X.X.X]/admin.cgi/[any or no filename string].css > > Although http://gregsowell.com/?p=3428 states: "The exploit appears to be a > flaw in the admin.cgi file(CORRECTION…IT IS ALL PAGES SO WE WILL BLOCK ALL > CGI)." > > However, this last runs counter to what I've seen so far ... > > Thanks, > -Chris > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists