
  #56  
02.06.2008, 21:05
Dimi4
Reservists Of Antichat - Level 6
Registered: 19.03.2007
Posts: 953

Reputation: 3965



UTM billing system from NetUP
  • Multiple vulnerabilities in NetUP
  • Program: NetUP
  • Severity: Critical
Description: Several vulnerabilities were found in NetUP. A malicious user can gain access to the system and manipulate user accounts.
  • The "admin" and "utm_stat" scripts do not check the "sid" parameter. As a result, a malicious user can take over another user's session via SQL injection:
    Quote:
    https://[server]/cgi-bin/utm/admin?cmd=full_view&sid=q%22%20OR%201=1%20OR%20%22q%22=%22q
    https://[server]/cgi-bin/utm/utm_stat?cmd=user_report&sid=q%22%20OR%201=1%20OR%20%22q%22=%22q
  • A remote user can modify other users' data via an SQL injection vulnerability in the '/cgi-bin/utm/user_stat' script:
    Quote:
    https://[server]/cgi-bin/utm/utm_stat?cmd=change_lang?=ru%22,%20bill=10000,%20lang=%22ru&sid=sessionid
  • It is also reported that many other scripts are vulnerable to SQL injection.

    Quote:
    UTM allows its administrators to set up firewall rules. The administrator
    enters the parameters for ipchains (in the case of Linux) or ipfw (FreeBSD)
    into a web form; they are stored in MySQL and executed with the help of sudo.
    A malicious administrator can add a semicolon and arbitrary shell commands to
    the firewall rule, and these commands will be executed with the uid of the
    httpd process owner.
    However, altering firewall rules is disabled in UTM by default. In this case
    an attacker can use a more complicated way to execute commands:
    The problem is that UTM configuration options from /netup/utm/utm.cfg are
    exported to global variables after parsing. This happens on each startup of
    aaa, admin or utm_stat. After this, the dictionary data for the corresponding
    language is selected from the table dict. This data is also exported to global
    variables. Column "variable" becomes the variable name, and column "value" its
    value. So, if one has access to the table dict, he can override configuration
    options from /netup/utm/utm.cfg. Overriding the option sudo_path allows an
    attacker to execute shell commands on a server running UTM.
    The web interface /cgi-bin/utm/admin allows only the column value of the table
    dict to be changed. But further examination shows that admin?cmd=dict_change
    is subject to SQL injection similar to utm_stat?cmd=change_lang, described
    above. Passing a parameter like

    value506='touch /tmp/hacked; /usr/local/bin/sudo", variable="sudo_path'

    to admin?cmd=dict_change will rewrite the global variable sudo_path, and
    'touch /tmp/hacked' will be executed with the next call to sudo. The HTTP
    query itself is very big, because all rows in the table dict are changed with
    one query (stupid!), so the query won't be shown here.

    -------
    Gaining root access

    Once an attacker can execute shell commands with the uid of the httpd process
    owner (usually nobody), in most cases he can gain a root shell. The problem
    is that on all boxes running UTM the sudoers file contains the line:

    nobody ALL= NOPASSWD: /bin/mv

    So moving from httpd uid to uid 0 is quite easy.

    (I don't really know the reason for this, but it is even suggested to do it
    on the vendor's website http://www.netup.ru/?fid=31)
 
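The post above links three weaknesses into one chain: the sid value is pasted into a SELECT (session takeover), a single editable column is pasted into an UPDATE (change_lang and dict_change, so the attacker can close the string and append further SET assignments), and rows of the dict table are exported into the same global namespace as utm.cfg, so a tampered row overrides sudo_path. The Python/SQLite simulation below is an added example written for this page, not code from NetUP or from the post's author. The table layouts, row ids, the ipchains command shape and the msg_ allowlist are assumptions. The real UTM ran on MySQL and quoted strings with double quotes (hence %22 in the URLs); this uses single quotes so the SQL is portable, and the payloads are the single-quote equivalents of the ones in the post. Nothing is executed: the sudo command line is only built as a string.

```python
"""Simulation of the UTM chain: sid SELECT injection, dict_change UPDATE
injection, and dict rows overriding utm.cfg globals (sudo_path).

Constructed data on SQLite; the real system used MySQL with double-quoted
strings, so the payloads here are single-quote equivalents of the ones in
the post. Nothing is executed: the sudo command line is only built as text.
"""
import sqlite3

# Assumed stand-in for the parsed /netup/utm/utm.cfg.
UTM_CFG = {"sudo_path": "/usr/local/bin/sudo", "default_lang": "en"}
# Assumption: legitimate dictionary entries are UI strings named msg_*.
DICT_KEY_PREFIX = "msg_"


def make_db():
    """Constructed sessions and dict tables (layouts are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sessions (sid TEXT, login TEXT);
        INSERT INTO sessions VALUES ('s3cr3t-admin', 'admin'), ('abc123', 'user1');
        CREATE TABLE dict (id INTEGER, variable TEXT, value TEXT);
        INSERT INTO dict VALUES (505, 'msg_hello', 'Hello'), (506, 'msg_bye', 'Bye');
    """)
    return conn


def session_login_vulnerable(conn, sid):
    """admin/utm_stat style lookup: sid pasted straight into the WHERE clause."""
    row = conn.execute("SELECT login FROM sessions WHERE sid='%s'" % sid).fetchone()
    return row[0] if row else None


def session_login_fixed(conn, sid):
    """Same lookup with a bound parameter; the payload is just a string."""
    row = conn.execute("SELECT login FROM sessions WHERE sid=?", (sid,)).fetchone()
    return row[0] if row else None


def dict_change_vulnerable(conn, row_id, value):
    """admin?cmd=dict_change: only 'value' is meant to be writable, but the
    interpolation lets the attacker close the string and add SET assignments
    (change_lang has the same shape)."""
    conn.execute("UPDATE dict SET value='%s' WHERE id=%d" % (value, row_id))


def dict_change_fixed(conn, row_id, value):
    """Bound parameters: the payload is stored literally, variable untouched."""
    conn.execute("UPDATE dict SET value=? WHERE id=?", (value, row_id))


def export_globals_vulnerable(conn):
    """utm.cfg options and dict rows share one namespace; last writer wins."""
    ns = dict(UTM_CFG)
    for variable, value in conn.execute("SELECT variable, value FROM dict"):
        ns[variable] = value
    return ns


def export_globals_fixed(conn):
    """Dictionary rows get their own namespace and an allowlisted key shape,
    so no row can shadow a configuration option."""
    ns = dict(UTM_CFG)
    ns["dict"] = {var: val for var, val in conn.execute("SELECT variable, value FROM dict")
                  if var.startswith(DICT_KEY_PREFIX)}
    return ns


def firewall_command(ns, rule):
    """The command line UTM would hand to the shell (built here, never run)."""
    return "%s ipchains %s" % (ns["sudo_path"], rule)


def demo():
    """Run the chain once and return the observable results."""
    conn = make_db()
    hijack = "q' OR 1=1 OR 'q'='q"
    payload = "touch /tmp/hacked; /usr/local/bin/sudo', variable='sudo_path"
    dict_change_vulnerable(conn, 506, payload)
    bad = export_globals_vulnerable(conn)
    return {
        "hijacked_login": session_login_vulnerable(conn, hijack),    # 'admin'
        "fixed_lookup": session_login_fixed(conn, hijack),           # None
        "sudo_path_vuln": bad["sudo_path"],                          # 'touch /tmp/hacked; ...'
        "command_vuln": firewall_command(bad, "-A input -j DENY"),
        "sudo_path_fixed": export_globals_fixed(conn)["sudo_path"],  # '/usr/local/bin/sudo'
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print("%-16s %s" % (key, val))
```

Two fixes are shown because the post's chain needs both: bound parameters stop the dict row from being rewritten at all, and keeping dictionary strings out of the configuration namespace means that even a row written through some other path cannot become sudo_path.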
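For the sudoers line quoted at the end of the post, the first thing a practitioner wants is a way to find the same pattern on their own hosts. The check below is added here and is not from the post, NetUP or the vendor page; the account list and the binary list beyond /bin/mv are my assumptions, and the parser is deliberately line-oriented (Defaults, aliases, group rules and #include directives are skipped). The sample sudoers text is constructed so the block runs offline.

```python
"""Audit sudoers text for passwordless rules that hand a daemon account a
file-manipulation binary (the pattern in the post: nobody ALL= NOPASSWD: /bin/mv).

Line-oriented on purpose: Defaults, aliases, %group rules and #include lines
are skipped. The account and binary lists are assumptions added here.
"""
import re

# Assumption: low-privilege service accounts a web server typically runs as.
DAEMON_USERS = {"nobody", "www-data", "apache", "httpd", "www"}
# Assumption: binaries that let the caller overwrite or relocate root-owned files.
FILE_MOVERS = {"mv", "cp", "install", "tee", "dd", "chmod", "chown"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"   # user host =
    r"(?:\((?P<runas>[^)]*)\)\s*)?"            # optional (runas)
    r"(?P<tags>(?:\w+:\s*)*)"                  # NOPASSWD: SETENV: ...
    r"(?P<cmds>.+)$"                           # comma-separated commands
)

# Constructed sample; only line 5 reproduces the UTM pattern.
SUDOERS_SAMPLE = """\
# constructed sample sudoers
Defaults    env_reset
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
nobody ALL= NOPASSWD: /bin/mv
www-data ALL=(root) NOPASSWD: /usr/sbin/service apache2 reload
nobody ALL= /usr/bin/passwd
"""


def risky_sudoers_rules(text):
    """Return (lineno, user, command) for every NOPASSWD rule that grants a
    daemon user ALL or a binary in FILE_MOVERS."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments (and #include)
        if not line or line.startswith(("Defaults", "%", "User_Alias",
                                        "Cmnd_Alias", "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("user") not in DAEMON_USERS:
            continue
        if "NOPASSWD" not in m.group("tags").upper():
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd or cmd.startswith("!"):
                continue                        # negated entries revoke, not grant
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or binary in FILE_MOVERS:
                findings.append((lineno, m.group("user"), cmd))
    return findings


if __name__ == "__main__":
    for lineno, user, cmd in risky_sudoers_rules(SUDOERS_SAMPLE):
        print("line %d: %s may run %s as root without a password" % (lineno, user, cmd))
```

Run it against the contents of /etc/sudoers and anything under /etc/sudoers.d; a hit on a file-mover for a daemon account is the finding the post describes, whatever the rest of the host looks like.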