what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Next Generation Security Advisory 2002.4

Next Generation Security Advisory 2002.4
Posted Nov 19, 2002
Authored by FJ Serna, NGSSoftware | Site ngsec.com

The iPlanet WebServer v4.x up to SP11 contains vulnerabilities which allow remote root command execution by using a cross site scripting vulnerability to redirect the Administrator's browser to a URL in a vulnerable perl script that will cause the open() command injection.

tags | advisory, remote, root, perl, vulnerability, xss
SHA-256 | e6d57374873ddcf0334a40142fc81f76dc5c0eaf48548811bef588fe324a0d20

Next Generation Security Advisory 2002.4

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




Next Generation Security Technologies
http://www.ngsec.com
Security Advisory


Title: iPlanet WebServer, remote root compromise
ID: NGSEC-2002-4
Application: iPlanet WebServer 4.* up to SP11
Date: 11/19/2002
Status: Vendor contacted on 09/28/2002, (Sun Microsystems).
Platform(s): Unix & Windows OSs.
Author: Fermín J. Serna <fjserna@ngsec.com>
Location: http://www.ngsec.com/docs/advisories/NGSEC-2002-4.txt


Overview:
- ----------

Under certain circumstances an attacker can execute commands (usually
as root), using the combination of two security vulnerabilities on
iPlanet Web Server 4.* up to SP11 (NG-XSS).

These two vulnerabilities are:

- Insecure open()s at Admin Server PERL scripts
- Cross Site Scripting

The only need will be, through social skills, to have the Administrator
review the logs within iPlanet Admin Server.

This vulnerability can not be exploited on a 6.* version because XSS
was silently fixed in these releases.

Find a detailed vulnerability analysis of NG-XSS on iPlanet WebServers
in our WhitePaper "iPlanet NG-XSS Vulnerability Analysis" at:

http://www.ngsec.com/ngresearch/ngwhitepapers/


Technical description:
- -----------------------

If we consider each vulnerability alone, we have no chance to execute
commands at the iPlanet Web Server since XSS payload is Browser Hijacking
and the vulnerable PERL script is protected by an authentication schema.

iPlanet Web Server suffers from a XSS vulnerability when the Administrator
reviews the error logs through iPlanet Admin Server. XSS triggers once
the Administrator has successfully logged on the Admin Server.

The trick is not to exploit the open() PERL vulnerability directly, but
use instead the XSS to redirect the Administrator's browser to the URL
that will cause the open() command injection.
Since he is already authenticated, we bypass the authentication schema.

We will use the following Javascript code:

<script>
window.location="/https-admserv/bin/perl/importInfo?dir=|<command>%00";
</script>


Proof of vulnerability:
- ------------------------

Find an exploit for this vulnerability at:

http://www.ngsec.com/ngresearch/ngadvisories/

There is a case study exploitation (sending the attacker an xterm) with
some screenshots, in the aboved mentioned WhitePaper.


Recommendations:
- -----------------
Avoid iPlanet's Admin Server usage, until Sun releases a patch for
these vulnerabilities. Alternatively upgrade to iPlanet v.6.*

This vulnerability could not have been exploited on a NGSecureWeb(r)
protected iPlanet Web Server.

Find more information on NGSecureWeb features at:

http://www.ngsec.com/ngproducts/ngsw/

- --
More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
PGP Key: http://www.ngsec.com/pgp/labs.asc

Copyright(c) 2002 NGSEC. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE92XIKKrwoKcQl8Y4RAuXSAJwNS9/YzjFxvB4ZZ3taRMCtoqdZ6ACfXO4z
SiYhxDlBjC01gcs9BabvSkc=
=3aXf
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close