TUCoPS :: Linux :: Red Hat/Fedora :: ciack035.htm

Backdoor Password in Red Hat Linux Virtual Server Package
Backdoor Password in Red Hat Linux Virtual Server Package Privacy and Legal Notice


K-035: Backdoor Password in Red Hat Linux Virtual Server Package

April 27, 2000 20:00 GMT

PROBLEM:       A backdoor password exists in Piranha that may allow remote
               attackers to execute commands on the server. Piranha could be
               unknowingly installed, for example, when the Red Hat user
               selects the "install all" option. The Red Hat user need not
               actually use Piranha for the vulnerability to be exploited.
PLATFORM:      The vulnerability is present if version 0.4.12 of piranha-gui
               is installed. The current distribution of Red Hat Linux 6.2 is
               vulnerable. Earlier versions of the Red Hat distribution do not
               contain this vulnerability.
DAMAGE:        An attacker could compromise the web server as well as deface
               and destroy the web site.
SOLUTION:      Install the updated packages to remove the backdoor, and set
               the server administrator password.

VULNERABILITY The risk is HIGH. The server administrator account name and ASSESSMENT: password have appeared in public forums.

[ Start Red Hat Advisory ]

Red Hat, Inc. Security Advisory
Synopsis: Piranha web GUI exposure
Advisory ID: RHSA-2000:014-16
Issue date: 2000-04-18
Updated on: 2000-04-26
Product: Red Hat Linux
Keywords: piranha
Cross references: php

1. Topic:

The GUI portion of Piranha may allow any remote attacker to execute
commands on the server. This may allow a remote attacker to launch
additional exploits against a web site from inside the web server.
This is an updated release that disables Piranha's web GUI interface
unless the site administrator enables it explicitly.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386 alpha sparc

3. Problem description:

When Piranha is installed, it generates a 'secure' web interface ID
using the HTML .htaccess method. The information for the account is
placed in /home/httpd/html/piranha/secure/passwords which was supposed
to be released with a blank password. Unfortunately, the password that
is actually on the CD is 'Q'.

The original intent was that, when the administrator installed Piranha
rpms onto their box, that they would change the default blank password
to a password of their own choosing.

This is not a hidden account. Its only use is to protect the web pages
from unauthorized access.

The security problem arises from the
http://localhost/piranha/secure/passwd.php3 file. It is possible to
execute commands by entering 'blah;some-command' into the password
fields. Everything after the semicolon is executed with the same
privilege as the webserver.

Because of this, it is possible to compromise the webserver or do
serious damage to files on the site that are owned by the user
'nobody' or to export a shell using xterm.

Updated piranha packages released as version 0.14.3-1 fixed the
security vulnerability while still require for the default behavior
of requiring the web administrator to reset the password before making
the web site public.

Because of the security concerns from the community and in order to
protect innocent administrators that might not be aware of the need to
change the password for Piranha's interface before going live on the
Internet, Red Hat is releasing a new set of packages that disable the
piranha web interface by default. The site administrator will have to
enable the service from the command line by resetting the password as
detailed on the main page of the piranha utility.

The new packages that include these changes are known as version

Users of Red Hat Linux 6.2 are strongly encouraged to upgrade to the
new packages if they are actively using piranha on their system
(upgrade instructions follow) or to remove the piranha-gui package
altogether by issuing the following command:

rpm -e piranha-gui

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

When you install the update for the piranha-gui, please take a
moment to review the instructions presented on the following URL
(http://localhost/piranha). This should guide you through the process
of installing a password for use with the GUI.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):


6. Obsoleted by:


7. Conflicts with:


8. RPMs required:

Red Hat Linux 6.2:









9. Verification:

MD5 sum                           Package Name

7c9cad243857f3e90cb73457619ad3a0 6.2/SRPMS/piranha-0.4.14-1.src.rpm

179e502f88f149fe3bfb285af851a6d3 6.2/alpha/piranha-0.4.14-1.alpha.rpm



1e04357c0ebb004185b834152667c644 6.2/i386/piranha-0.4.14-1.i386.rpm






These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at: http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm --checksig

If you only wish to verify that each package has not been corrupted
or tampered with, examine only the md5sum with the following command:

rpm --checksig --nogpg

10. References:

This vulnerability was discovered and researched by Allen Wilson and
Dan Ingevaldson of Internet Security Systems. Red Hat would like to
thank ISS for the assistance in getting this problem fixed quickly.

[ End Red Hat Advisory ]

CIAC wishes to acknowledge the contributions of Red Hat for the information contained in this bulletin.

CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
[Privacy and Legal Notice]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2023 AOH