Zeus is a high-performance web server available from Zeus Technologies (www.zeus.co.uk). There are several security problems in this product which, when combined, could yield a remote root compromise.
This is really the core of the problem. Zeus has the option to set up a search engine for your virtual website(s). This feature is accessible via www.zeus.server/search (note: /search, not /search/). The engine is an optional feature; if it is enabled, it can be used to request any file readable by the web server's uid (which is asked for on install; unwise administrators may pick 'root', which is a bad choice, so we shall assume they pick the typical 'nobody'). The mechanism is in the search form:
Notice the values for indexfile and template. Hard-coded server paths are usually a good giveaway.
Now if we recreate our own form, we can change the values of indexfile and template to suit our liking. Modifying indexfile will get us nowhere, as it is virtually impossible to find a file (worth reading) that Zeus will parse as a search index, since it will not be in the proper internal format. The template, however, is more interesting. This is the file that is opened and returned to us, after a few variables are replaced to insert the search output. Well, who needs search output? If we change template to /etc/passwd, we get /etc/passwd as our search result. Simple enough.
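As an added illustration (not code from this advisory and not Zeus's own code), the following Python contrasts the unsafe behaviour described above, where a caller-supplied template value is used directly as a file path, with a hardened resolver that pins the template to one fixed directory. The directory layout, the file names, the `%%RESULTS%%` placeholder and the decoy passwd file are all constructed for the demo.

```python
import os
import shutil
import tempfile


def resolve_template_unsafe(base_dir, requested):
    """Mirrors the flaw described above: the form value is trusted as a path.

    os.path.join discards base_dir entirely when `requested` is absolute,
    so a template value of /etc/passwd resolves to /etc/passwd.
    """
    return os.path.join(base_dir, requested)


def resolve_template_safe(base_dir, requested):
    """Return a path only if it is a regular file inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    # Absolute paths and NUL bytes are never legitimate template names.
    if os.path.isabs(requested) or "\x00" in requested:
        return None
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath collapses ".." and follows symlinks, so this containment check
    # also catches traversal and symlinks pointing outside the template tree.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Build a throwaway tree (constructed; not a real Zeus install) and exercise both resolvers."""
    root = tempfile.mkdtemp(prefix="zeus-template-demo-")
    try:
        base = os.path.join(root, "templates")
        os.mkdir(base)
        with open(os.path.join(base, "search.html"), "w") as f:
            f.write("<html>%%RESULTS%%</html>\n")
        # Stand-in for /etc/passwd, deliberately outside the template directory.
        outside = os.path.join(root, "passwd")
        with open(outside, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")

        unsafe = resolve_template_unsafe(base, outside)
        return {
            # True: the unsafe resolver hands back the file outside base_dir.
            "unsafe_escapes": os.path.realpath(unsafe) == os.path.realpath(outside),
            # None: the absolute path is rejected.
            "safe_rejects_absolute": resolve_template_safe(base, outside),
            # None: "../passwd" collapses to root/passwd, outside base.
            "safe_rejects_traversal": resolve_template_safe(base, "../passwd"),
            # Real path of the legitimate template.
            "safe_accepts_valid": resolve_template_safe(base, "search.html"),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the hardened version is that the client never chooses a path at all: it chooses a name, and the server decides which directory that name may refer to. A search feature that must let the administrator pick a template should read that path from server-side configuration, not from the form.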
Administrative interface password:
Zeus comes with a web UI for administration. This server typically listens on port 9090, and is installed as ROOT. This is important, since it needs to modify the configuration files. There is no option to run it as a non-root user, because it would then lack the permissions to open and modify the various configuration files.
The only thing stopping us from using it is HTTP authentication. And since we can read any file on the server, we can easily read the file containing the administrative password. The configuration file for the administrative website is (by default) /usr/local/zeus/admin/website. In this file you'll see a line similar to:
This is the username/password combination. The default username is 'admin', but the password is queried on install. The format is pretty simple: a base64-encoded MD5 hash. Let's see an example:
My password is 'admrox'. First we create a small file with the following contents:
A little byte inversion, and we have a match. Based on this you can modify your brute-force password cracker of choice to run through the available choices (the best-known tool for this is John the Ripper).
Using the web administration UI
This is more of an afterthought. It's possible to do many nasty things, including creating a virtual website whose document root is /, enabling file uploads (via the HTTP PUT method), etc. If you enable file uploads, you can upload binaries or Zeus scripts into the web administration UI directory (default is /usr/local/zeus/admin/docroot) and then call them through the UI, where they will be run as root.
Solution:
You should immediately disable the search engine on any virtual sites you may have. This will stop the attack. It is also wise to restrict access to the web administration UI to a select few hosts; the ability to do this is provided in the web UI.
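To complement the fix, here is an added Python example (not part of this advisory and not Zeus code) that scans access log lines for search requests whose template or indexfile parameter points outside the expected template directory or contains a traversal sequence, which is how the attack above would look in the logs. The log lines, the client addresses and the allowed directory `/usr/local/zeus/web/` are constructed assumptions for the demo; set `ALLOWED_TEMPLATE_DIR` to the directory your own search form actually references.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption for the demo: the directory the legitimate search form's
# indexfile/template values live in. Take the real value from your own form.
ALLOWED_TEMPLATE_DIR = "/usr/local/zeus/web/"

# Constructed sample access log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2000:12:00:00 +0000] "GET /search?indexfile=/usr/local/zeus/web/search.idx&template=/usr/local/zeus/web/search.html&query=zeus HTTP/1.0" 200 1532
10.0.0.9 - - [01/Jan/2000:12:00:05 +0000] "GET /search?indexfile=/usr/local/zeus/web/search.idx&template=/etc/passwd&query=x HTTP/1.0" 200 812
10.0.0.9 - - [01/Jan/2000:12:00:09 +0000] "GET /search?indexfile=/usr/local/zeus/web/search.idx&template=%2Fusr%2Flocal%2Fzeus%2Fadmin%2Fwebsite HTTP/1.0" 200 640
10.0.0.7 - - [01/Jan/2000:12:01:00 +0000] "GET /index.html HTTP/1.0" 200 4096
10.0.0.9 - - [01/Jan/2000:12:02:00 +0000] "GET /search?template=..%2F..%2Fetc%2Fpasswd HTTP/1.0" 200 812
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def suspicious_params(target):
    """Return (param, value, reason) tuples for one request target.

    Only /search (the endpoint named in the advisory) is examined, and only
    its template and indexfile parameters, since those are the file paths.
    """
    parts = urlsplit(target)
    if parts.path.rstrip("/") != "/search":
        return []
    findings = []
    for param, raws in parse_qs(parts.query, keep_blank_values=True).items():
        if param not in ("template", "indexfile"):
            continue
        for raw in raws:
            value = unquote(raw)  # second decode catches double-encoded values
            if "\x00" in value:
                reason = "NUL byte in path"
            elif ".." in value.split("/"):
                reason = "traversal sequence"
            elif value.startswith("/") and not value.startswith(ALLOWED_TEMPLATE_DIR):
                reason = "absolute path outside template directory"
            else:
                continue
            findings.append((param, value, reason))
    return findings


def scan_log(text):
    """Return one finding dict per suspicious parameter across all parseable lines."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        for param, value, reason in suspicious_params(m.group("target")):
            results.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": m.group("status"),
                "param": param,
                "value": value,
                "reason": reason,
            })
    return results


def demo():
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['time']} {f['ip']} {f['param']}={f['value']!r} ({f['reason']}, HTTP {f['status']})")
```

A 200 status on a flagged request is the worrying case: it means the file was actually served. Successful reads of the administrative website file in particular should be treated as a compromise of the admin password, so rotate it in addition to disabling the search engine.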