ContentKeeper Command Execution and Privilege Escalation
6 Apr. 2009
Summary
"ContentKeeper is an industry leading Internet content filter that allows organisations to monitor, manage, control & secure staff access to Internet resources." Unauthenticated users with network access to the management IP address of the ContentKeeper device can execute commands remotely as the apache user. A separate privilege escalation vulnerability in a setuid root binary then allows that foothold to be turned into an unauthenticated remote root compromise.
Vulnerable Systems:
* ContentKeeper version 125.09 and prior
Immune Systems:
* ContentKeeper version 125.10
The appliance is administered through a web browser, HTML-based front end. The .htaccess file prohibits unauthenticated access to the known HTML management pages; however, other binaries in the same web-served tree, such as mimencode, are reachable without authentication.
By sending an HTTP POST request, it is possible to write arbitrary data to a default file that has world read-write-execute permissions.
It is then possible to send an HTTP GET request for the written file, causing it to be executed and so running arbitrary commands remotely as the apache user. It is also possible to use mimencode for directory traversal style file disclosure, e.g. obtaining a MIME-encoded copy of '/etc/passwd'.
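The following is an added example, not code from the advisory or from ContentKeeper: two audit checks for the preconditions of the attack described above, a world-writable file under the web tree and executables in a CGI directory that the per-file .htaccess rules do not cover. The directory layout, file names (admin.cgi, scratch.cgi) and .htaccess contents are constructed for the demo; the advisory does not give the appliance's real paths.

```shell
#!/bin/sh
# Added example (not from the advisory or ContentKeeper): audit checks for
# the two preconditions of the attack above, run against a constructed
# web tree. File names, the .htaccess content and the layout are invented
# for the demo; the appliance's real paths are not given in the advisory.

umask 022
WEBROOT=$(mktemp -d)
trap 'rm -rf "$WEBROOT"' EXIT
mkdir -p "$WEBROOT/cgi-bin"

# admin.cgi: a management page the .htaccess explicitly protects.
printf '#!/bin/sh\necho admin\n' > "$WEBROOT/cgi-bin/admin.cgi"
chmod 755 "$WEBROOT/cgi-bin/admin.cgi"
# mimencode: a helper binary in the same directory, not mentioned in .htaccess.
printf '#!/bin/sh\ncat "$1"\n' > "$WEBROOT/cgi-bin/mimencode"
chmod 755 "$WEBROOT/cgi-bin/mimencode"
# scratch.cgi: world read-write-execute, the kind of file a POST can overwrite.
: > "$WEBROOT/cgi-bin/scratch.cgi"
chmod 777 "$WEBROOT/cgi-bin/scratch.cgi"
# Per-file protection only, the pattern the advisory describes.
cat > "$WEBROOT/cgi-bin/.htaccess" <<'EOF'
<Files "admin.cgi">
    AuthType Basic
    Require valid-user
</Files>
EOF

# Check 1: any file under the web tree that everyone can write to. Such a
# file in a CGI directory turns an unauthenticated write into code execution.
find_world_writable() {
    find "$1" -type f -perm -0002
}

# Check 2: executables in a CGI directory that no <Files> block in its
# .htaccess names, i.e. reachable without authentication. Simplified on
# purpose: it does not evaluate <FilesMatch>, directory-wide Require
# directives or httpd.conf, so treat a hit as something to verify by hand.
find_unprotected_cgi() {
    dir=$1
    protected=$(sed -n 's/^[[:space:]]*<Files[[:space:]]*"\{0,1\}\([^">]*\)"\{0,1\}>.*/\1/p' \
        "$dir/.htaccess" 2>/dev/null)
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/}
        printf '%s\n' "$protected" | grep -qxF -- "$name" || echo "$name"
    done
}

echo "world-writable files:"
find_world_writable "$WEBROOT"              # → .../cgi-bin/scratch.cgi
echo "executables not covered by .htaccess:"
find_unprotected_cgi "$WEBROOT/cgi-bin"     # → mimencode and scratch.cgi
```

On a real appliance the same two functions would be pointed at the document root and the CGI directory; the second check is an allowlist comparison, which is exactly where a per-page .htaccess scheme fails: anything not named is open.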
In addition, benetool, a setuid root binary that the apache user is permitted to run, invokes 'ps' and other programs by bare name rather than by absolute path, so they are resolved through the caller's PATH. An attacker running as apache can therefore prepend a directory containing a malicious 'ps' to PATH and have it executed as root.
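The following is an added example, not code from the advisory or from ContentKeeper: it reproduces the PATH manipulation described above against a stand-in for benetool, with the vulnerable bare-name call next to the hardened absolute-path call. The working directory, the fake 'ps' and the marker file are constructed for the demo; the setuid bit is not set (that needs root), but the PATH lookup behaviour being shown does not depend on it.

```shell
#!/bin/sh
# Added example (not from the advisory or ContentKeeper): a setuid program
# that runs "ps" by bare name resolves it through the caller's PATH, so an
# attacker who controls PATH gets their own "ps" executed with the program's
# privileges. The setuid bit itself is not set here (that needs root); the
# PATH lookup behaviour being demonstrated is identical either way.

WORK=$(mktemp -d)
MARKER="$WORK/hijacked"
trap 'rm -rf "$WORK"' EXIT

# 1. The attacker plants a fake "ps" in a directory they control. The payload
#    here only leaves a marker file; against a real setuid-root caller it
#    would run as root.
mkdir -p "$WORK/evil"
cat > "$WORK/evil/ps" <<EOF
#!/bin/sh
echo "fake ps ran as \$(id -un)" > "$MARKER"
EOF
chmod 755 "$WORK/evil/ps"

# 2. Vulnerable pattern (what an unsafe system("ps ...") or execvp("ps", ...)
#    in a setuid binary amounts to): the name is looked up via the inherited
#    PATH. Output is discarded; only which "ps" ran matters.
vulnerable_tool() {
    ps -ef >/dev/null 2>&1 || true
}

# 3. Hardened pattern: call the program by absolute path (and, in C, reset the
#    environment with clearenv()/setenv("PATH", ...) before any exec) so the
#    inherited PATH is never consulted. The "|| true" only tolerates a test
#    host without /bin/ps; a real tool should fail closed instead.
hardened_tool() {
    /bin/ps -ef >/dev/null 2>&1 || true
}

# Run the given tool in a subshell with the attacker's directory first in
# PATH, as the unprivileged caller would arrange, and report whether the
# fake ps ran.
probe() {
    rm -f "$MARKER"
    ( PATH="$WORK/evil:$PATH"; "$1" )
    if [ -f "$MARKER" ]; then echo hijacked; else echo safe; fi
}

echo "vulnerable tool: $(probe vulnerable_tool)"   # → hijacked
echo "hardened tool:   $(probe hardened_tool)"     # → safe
```

The subshell in probe is what an attacker gets for free on the appliance: a shell as apache with a PATH of their choosing, from which benetool is started. Note that the fix must not itself rely on PATH lookup (for example by calling env or sh by bare name to "reset" things), since the attacker can plant those too.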
Solution:
Upgrade to ContentKeeper version 125.10 or newer.