From labs@ngsec.com Wed Nov 20 22:46:47 2002
From: "labs@NGSEC"
To: bugtraq@securityfocus.com
Date: Tue, 19 Nov 2002 03:58:26 +0000 (GMT)
Subject: iPlanet WebServer, remote root compromise

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Next Generation Security Technologies
http://www.ngsec.com

Security Advisory

Title:        iPlanet WebServer, remote root compromise
ID:           NGSEC-2002-4
Application:  iPlanet WebServer 4.* up to SP11
Date:         11/19/2002
Status:       Vendor contacted on 09/28/2002 (Sun Microsystems).
Platform(s):  Unix & Windows OSs.
Author:       Fermín J. Serna
Location:     http://www.ngsec.com/docs/advisories/NGSEC-2002-4.txt

Overview:
- ----------

Under certain circumstances an attacker can execute commands (usually as root) by combining two security vulnerabilities in iPlanet Web Server 4.* up to SP11 (NG-XSS). These two vulnerabilities are:

- Insecure open()s in Admin Server PERL scripts
- Cross Site Scripting

The only requirement is, through social engineering, to have the Administrator review the logs within iPlanet Admin Server.

This vulnerability cannot be exploited on a 6.* version because the XSS was silently fixed in those releases.

Find a detailed vulnerability analysis of NG-XSS on iPlanet WebServers in our WhitePaper "iPlanet NG-XSS Vulnerability Analysis" at:
http://www.ngsec.com/ngresearch/ngwhitepapers/

Technical description:
- -----------------------

Considered alone, neither vulnerability allows command execution on the iPlanet Web Server: the XSS payload only hijacks the browser, and the vulnerable PERL script is protected by an authentication scheme.

iPlanet Web Server suffers from an XSS vulnerability when the Administrator reviews the error logs through iPlanet Admin Server. The XSS triggers once the Administrator has successfully logged on to the Admin Server.
The trick is not to exploit the open() PERL vulnerability directly, but instead to use the XSS to redirect the Administrator's browser to the URL that triggers the open() command injection. Since the Administrator is already authenticated, the authentication scheme is bypassed. We will use the following Javascript code:

Proof of vulnerability:
- ------------------------

Find an exploit for this vulnerability at:
http://www.ngsec.com/ngresearch/ngadvisories/

There is a case study exploitation (sending the attacker an xterm), with some screenshots, in the above-mentioned WhitePaper.

Recommendations:
- -----------------

Avoid using iPlanet's Admin Server until Sun releases a patch for these vulnerabilities. Alternatively, upgrade to iPlanet v.6.*.

This vulnerability could not have been exploited on an NGSecureWeb(r)-protected iPlanet Web Server. Find more information on NGSecureWeb features at:
http://www.ngsec.com/ngproducts/ngsw/

- --
More security advisories at:
http://www.ngsec.com/ngresearch/ngadvisories/

PGP Key: http://www.ngsec.com/pgp/labs.asc

Copyright(c) 2002 NGSEC. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE92XIKKrwoKcQl8Y4RAuXSAJwNS9/YzjFxvB4ZZ3taRMCtoqdZ6ACfXO4z
SiYhxDlBjC01gcs9BabvSkc=
=3aXf
-----END PGP SIGNATURE-----
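As an added example (not code from the advisory, from NGSEC or from iPlanet), the Perl below sketches the two bug classes the Technical description chains, an insecure two-argument open() in a log-viewing CGI and log content echoed into the Administrator's browser unescaped, next to the defensive forms a vendor fix would take: a three-argument open() over an allow-listed file name, and HTML-escaping of every log line before rendering. The log directory, parameter and handler names are assumptions.

```perl
# Added example, not code from the NGSEC advisory or from iPlanet.
# It shows the two bug classes the advisory chains (an insecure two-argument
# open() in a log-viewing CGI, and unescaped log content rendered as HTML)
# next to their hardened forms. The parameter, directory and handler names
# are assumptions.
use strict;
use warnings;

my $LOGDIR = '/var/log/https-admin';   # assumed log directory

# Vulnerable pattern. Two-argument open() parses the mode out of the string:
# a value ending in '|' turns the call into a pipe from a shell command, so a
# CGI parameter that reaches it unchanged is a command injection sink.
sub read_log_insecure {
    my ($name) = @_;
    open(my $fh, "$LOGDIR/$name") or return;
    my @lines = <$fh>; close $fh;
    return \@lines;
}

# Hardened form: allow-list the file name to a single safe path component
# (no leading dot, no separators, no shell metacharacters) and use
# three-argument open(), which fixes the mode and never parses the path.
sub read_log_secure {
    my ($name) = @_;
    return unless defined $name && $name =~ /\A[A-Za-z0-9_][A-Za-z0-9._-]{0,63}\z/;
    open(my $fh, '<', "$LOGDIR/$name") or return;
    my @lines = <$fh>; close $fh;
    return \@lines;
}

# Error log lines are attacker-influenced (that is where the advisory's XSS
# originates), so each one is HTML-escaped before the Admin Server echoes it
# into the Administrator's browser.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

sub render_log_html {
    my ($lines) = @_;
    return "<pre>\n" . join('', map { html_escape($_) } @$lines) . "</pre>\n";
}

# Constructed sample input: the file name as a CGI script would receive it.
my $requested = $ARGV[0] // 'errors';
my $lines = read_log_secure($requested) // [];
print render_log_html($lines);
```

Run with a name such as `errors` to see the escaped output; any name carrying a slash, a leading dot or a shell metacharacter is rejected before open() is reached.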