Home page logo
/

bugtraq logo Bugtraq mailing list archives

Directory Traversal in Sun iPlanet Administration Server 5.1
From: "Brewis, Mark" <mark.brewis () eds com>
Date: Fri, 8 Aug 2003 13:33:24 +0100

Text of original posting to Sun:

Originator: EDS Information Assurance Group - Jim Hardisty, Mark Brewis

Date of Contact: 22nd April 2003

Issue:During a recent Penetration Test, a member of the team, Jim
Hardisty, identified an issue with an installation of >>iPlanet
Administration Express.  It is possible to escape the log viewer under
iPlanet Administration Express, and 
since the application runs with root privilege, it is possible to access
any file on the host server, including 
security critical files.

Version:         iPlanet Administration Server 5.1

The following URL will return the last 5000 accesses to passwd:

http://192.168.192.168:5000/admin-serv/tasks/configuration/ViewLog?file=pa
sswd&num=5000
&str=&directories=admin-serv%2Flogs%2f..%2f..%2f..%2f..%2f..%2f..%2fetc&id=a
dmin-serv

Once an escape has been made, the drop-down menu details all files under
the called directory, e.g., /etc will lists 
shadow, hosts, hosts.allow, hosts.deny etc.

We have identified users:

       1) Failing to recognise the nature of the application, seeing it
only as a web configuration app, and not 
              appreciating that it runs setuid 0.  As a result, they have
been cavalier with password security, applying >>                poor
password controls, and have not applied ACLs to prevent unlimited internal
access to the application.
       
       2) Failing to apply a password to the application.  During
install, there must be a forced set password, and 
              end-user must understand that this is a root level password
they are setting.

       3) Exposing the application to the Internet.

Whether there are other escape sequences that will work is unknown.

__________________


We will abide by the RFP Disclosure Guidelines v2.0 -
www.wiretrip.net/rfp/policy.html.

Should credit be forthcoming coming, please acknowledge Jim Hardisty as
the discoverer, me as second string.

Mark Brewis
Security Consultant
Information Assurance Group
EDS

SOLUTION
=========

Sun have now informed me that the issue was addressed in:

SunOne DS5.2 and in iDS5.1 SP2 Hotfix2

Sun(tm) ONE Directory Server 5.2 Release Notes 
Version 5.2
http://docs.sun.com/source/816-6703-10/index.html


iPlanet Directory Server 5.1 Service Pack 2 
Release Notes
Updated June 11, 2003
http://docs.sun.com/db/doc/816-6403-10

I am unable to find a reference for Hotfix 2, so if anyone can supply one
I'd be grateful, or if anyone can find a reference to this issue in either
of the above, I'd be even more grateful!

Mark

Mark Brewis

Security Consultant
EDS
Information Assurance Group
Wavendon Tower
Milton Keynes
Buckinghamshire
MK17 8LX.

Tel:    +44 (0)1908 28 4234/4013
Fax:    +44 (0)1908 28 4393
E@:     mark.brewis () eds com

This email is confidential and intended solely for the use of the
individual(s) to whom it is addressed. Any views or opinions presented are
solely those of the author.  If you are not the intended recipient, be
advised that you have received this email in error and that any use,
dissemination, forwarding, printing, or copying of this mail is strictly
prohibited.

Precautions have been taken to minimise the risk of transmitting software
viruses, but you must carry out your own virus checks on any attachment to
this message. No liability can be accepted for any loss or damage caused by
software viruses.


  By Date           By Thread  

Current thread:
  • Directory Traversal in Sun iPlanet Administration Server 5.1 Brewis, Mark (Aug 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]