
Solaris answerbook web server contains a bunch of security holes.


[ http://www.rootshell.com/ ]

Date:         Sun, 23 Aug 1998 21:02:30 -0700
From:         Marc Slemko <marcs@ZNEP.COM>
Subject:      Solaris ab2 web server is junk

For anyone who didn't figure out in the first two seconds after installing
Solaris that running Sun's (well, ok, it is some third party server but
Sun is licensing it) answerbook web server is silly, now you know.

I do not know if any of the below has been fixed by more recent patches
and haven't looked at it since the start of May when I sent the below to
Sun.

---------- Forwarded message ----------
Date: Sat, 2 May 1998 00:42:05 -0600 (MDT)
From: Marc Slemko <marcs@znep.com>
To: security-alert@Sun.COM
Subject: report ab2 web server is junk

Are you aware of what a pile of junk the dwhttpd/3.1a4 web server that is
installed for the ab2 stuff in 2.6 is?

It is trivial to make it stop processing CGI requests by doing
a POST with a large content-length; further CGI requests then
fail with an out of memory or something.

It doesn't handle %-encoding and logs in a funky way, which results
in URLs with printf-style '%' strings getting funky log
entries.  For example, accessing http://apollo:8888/foo/%s gives
a log entry of:

http-8888 [02/May/2000:00:24:12 -0600] warning: send-file reports: The requested8ãÿß$þßGÇßßÇßÓ×Èߪä¾ÈßÊ" could not be opened!

It is interpreting the %s as a printf style format string.  This could,
if you can find the right error message and have the right junk
memory accessed, possibly compromise information from the address
space of the server that shouldn't be compromised.  Not likely,
but possible.  Note that this mishandling of %-encoded strings also
rejects valid requests that are % encoded, but the server doesn't
even start to be HTTP compliant so that probably doesn't matter.
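The two defects described above, a %-encoded path passed through raw and then used as the printf format of an error message, are shown here with the hardened handling. This is an added example written for this page; it is not dwhttpd code and not the poster's. The hostname, port, timestamp and message wording are copied from the log line quoted above; the function names and buffer sizes are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Percent-decode a request path. Returns the decoded length, or -1 when
   a '%' is not followed by two hex digits or the output buffer is too
   small. A request such as /foo/%s is therefore rejected as malformed
   instead of being passed through untouched. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

int url_decode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;   /* "%s", "%4", "%zz": malformed */
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= outsz) return -1;         /* keep room for the terminator */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* The quoted log line shows the request text being used as the format
   string. The fix is a constant format with the untrusted text supplied
   as a %s argument, so a literal "%s" in the path is just data. */
int format_log_entry(char *buf, size_t bufsz, const char *ts, const char *path) {
    /* Unsafe form, for contrast (never do this): snprintf(buf, bufsz, path); */
    return snprintf(buf, bufsz,
        "http-8888 [%s] warning: send-file reports: "
        "The requested \"%s\" could not be opened!", ts, path);
}

/* Decode, then log. Returns the log entry, or a rejection message when
   the encoding is malformed. Static buffers keep the example simple. */
const char *handle_request(const char *raw_path) {
    static char decoded[512];
    static char entry[1024];
    if (url_decode(raw_path, decoded, sizeof decoded) < 0) {
        /* raw_path is again an argument, never the format */
        snprintf(entry, sizeof entry,
                 "400 Bad Request: malformed percent-encoding in \"%s\"", raw_path);
        return entry;
    }
    /* constructed timestamp; a real server would format the current time */
    format_log_entry(entry, sizeof entry, "02/May/1998:00:24:12 -0600", decoded);
    return entry;
}

int main(void) {
    puts(handle_request("/foo/%25s"));   /* decodes to /foo/%s, logged verbatim */
    puts(handle_request("/foo/%s"));     /* rejected: '%' not followed by hex */
    puts(handle_request("/foo/%73"));    /* decodes to /foo/s */
    return 0;
}
```

With the constant format string, a decoded path containing `%s`, `%n` or `%x` reaches the log as literal characters, and the memory contents seen in the quoted log entry cannot be pulled into the message.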

You can cause it to core dump trivially in many ways.  Requesting
/foo.cgi makes it die, as does a request that is long enough to
get an ENAMETOOLONG (causes it to try opening ""), or even longer
(causes it to die with an assertion failure):

   Assertion failed: buffer && len > 0 && timeout >= 0, file ../dwhttpd/dwsocket.cc, line 294\n

All of the above is lame and can possibly result in some security
problems, but since this server obviously isn't intended to have any
real use then the DoS attacks aren't overly serious.  None of these
appear to be buffer overflow problems.

More serious, however, is this excerpt from a truss of it handling
a request:

poll(0xDED00A60, 1, 120000)                     = 1
recv(12, " G E T   /   H T T P / 1".., 4096, 0) = 261
xstat(2, "/usr/lib/ab2/data/docs/", 0xDED03BB4) = 0
xstat(2, "/tmp/ecm/utf8.so", 0xDED03024)        Err#2 ENOENT
xstat(2, "/usr/lib/ab2/lib/ecm/utf8.so", 0xDED03024) Err#2 ENOENT
xstat(2, "/usr/lib/ab2/dweb/sunos5/lib/ecm/utf8.so", 0xDED03024) = 0
open("/usr/lib/ab2/dweb/sunos5/lib/ecm/utf8.so", O_RDONLY) = 13

Why the heck is it trying to open a shared library under /tmp?
I see nothing stopping me from creating my own trojaned utf8.so
and putting it in /tmp/ecm to gain easy access to the daemon
uid.  I don't think I did anything locally to cause it to do
this, but I can't see where it is getting /tmp from either.
It isn't in the LD_LIBRARY_PATH that is getting set by
/etc/init.d/ab2mgr.
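The shared-library probe under /tmp is the kind of thing a truss(1) or strace output can be checked for automatically. This is an added example, not part of the post: it scans syscall trace lines for a stat or open of a shared object under a directory that untrusted local users can write to. The list of untrusted prefixes is an assumption and should be extended per site; the sample lines are the truss excerpt quoted above, embedded as input so the program runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Directories where any local user can drop a file. Assumed list; extend
   for site-specific world-writable paths. */
static const char *untrusted_prefixes[] = { "/tmp/", "/var/tmp/", NULL };

/* Copy the first double-quoted argument of a truss line into out.
   Returns 0 when the line carries no quoted string or it does not fit. */
static int quoted_path(const char *line, char *out, size_t outsz) {
    const char *start = strchr(line, '"');
    if (start == NULL) return 0;
    start++;
    const char *end = strchr(start, '"');
    if (end == NULL) return 0;
    size_t n = (size_t)(end - start);
    if (n >= outsz) return 0;
    memcpy(out, start, n);
    out[n] = '\0';
    return 1;
}

/* True for basenames like utf8.so or libfoo.so.1, false for /docs/ */
static int is_shared_object(const char *path) {
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    for (const char *p = strstr(base, ".so"); p != NULL; p = strstr(p + 1, ".so"))
        if (p[3] == '\0' || p[3] == '.') return 1;
    return 0;
}

/* Returns 1 when the line is a file-probing call whose path is a shared
   object under an untrusted prefix. An ENOENT probe counts as much as a
   successful open: the probe alone shows the writable directory is on
   the library search path. */
int flags_untrusted_so(const char *line) {
    static const char *calls[] = { "open(", "xstat(", "stat(", "lstat(", NULL };
    char path[512];
    int matched = 0;
    for (int i = 0; calls[i] != NULL; i++)
        if (strncmp(line, calls[i], strlen(calls[i])) == 0) { matched = 1; break; }
    if (!matched) return 0;
    if (!quoted_path(line, path, sizeof path)) return 0;
    if (!is_shared_object(path)) return 0;
    for (int i = 0; untrusted_prefixes[i] != NULL; i++)
        if (strncmp(path, untrusted_prefixes[i], strlen(untrusted_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* The truss excerpt from the post, embedded as sample input. */
static const char *sample_truss[] = {
    "poll(0xDED00A60, 1, 120000)                     = 1",
    "recv(12, \" G E T   /   H T T P / 1\".., 4096, 0) = 261",
    "xstat(2, \"/usr/lib/ab2/data/docs/\", 0xDED03BB4) = 0",
    "xstat(2, \"/tmp/ecm/utf8.so\", 0xDED03024)        Err#2 ENOENT",
    "xstat(2, \"/usr/lib/ab2/lib/ecm/utf8.so\", 0xDED03024) Err#2 ENOENT",
    "xstat(2, \"/usr/lib/ab2/dweb/sunos5/lib/ecm/utf8.so\", 0xDED03024) = 0",
    "open(\"/usr/lib/ab2/dweb/sunos5/lib/ecm/utf8.so\", O_RDONLY) = 13",
};

/* Print every flagged line and return how many there were. */
int scan_truss(const char *const *lines, int n) {
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (flags_untrusted_so(lines[i])) { printf("FLAG: %s\n", lines[i]); hits++; }
    return hits;
}

int scan_sample(void) {
    return scan_truss(sample_truss, (int)(sizeof sample_truss / sizeof sample_truss[0]));
}

int main(void) {
    printf("%d suspicious library probe(s)\n", scan_sample());
    return 0;
}
```

On the quoted trace the scanner flags exactly one line, the `xstat` of `/tmp/ecm/utf8.so`. The mitigation is the usual one for this bug class: the daemon's library search path (the `LD_LIBRARY_PATH` set by the startup script, or the paths compiled into the binary) must contain only root-owned, non-writable directories.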

No, access to daemon doesn't give you that much (although it could
do more if you had some NFS mounts from another server where it
did matter) and none of the above is a remote exploit, but finding
all this in 15 minutes of looking is enough to convince me that
there is a high probability of there being some yet-unpublished
remote exploit to gain access to the box remotely.  Doesn't look
like a very professional piece of software.  Just another thing on
my list of things to disable on any Solaris installation.

Some of this may be x86 specific, didn't bother to look on a sparc
box.

Tests done on the below system:

Hostname: apollo
Hostid: 208316d8
Release: 5.6
Kernel architecture: i86pc
Application architecture: i386
Hardware provider:
Domain:
Kernel version: SunOS 5.6 Generic 105182-04 January 1998

OpenWindows version:
OpenWindows Version 3.6  7 July 1997
Patch: 105402-07 Obsoletes: 105525-01 Requires:  Incompatibles:  Packages: SUNWcsu, SUNWarc, SUNWnisu
Patch: 105217-03 Obsoletes:  Requires: 105402-07 Incompatibles:  Packages: SUNWcsu
Patch: 105394-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105519-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105666-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105668-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105616-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105622-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWarc
Patch: 105687-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105756-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105737-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105758-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105747-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105725-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105723-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105719-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105569-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105563-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWnisu
Patch: 105517-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105491-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWarc, SUNWbtool, SUNWhea, SUNWtoo, SUNWosdem
Patch: 105406-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWarc
Patch: 105398-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105211-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWarc
Patch: 105423-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar
Patch: 105461-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar
Patch: 105182-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar, SUNWcar, SUNWhea, SUNWhea
Patch: 105639-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar
Patch: 105620-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxwplt
Patch: 105670-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtbas
Patch: 105631-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtbas
Patch: 105161-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtbas
Patch: 105417-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWaccu
Patch: 105801-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWadmap
Patch: 105229-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r
Patch: 105305-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r
Patch: 105240-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWpsdcr
Patch: 105232-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWpsdcr
Patch: 105596-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r
Patch: 105584-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r
Patch: 105599-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWman
Patch: 105656-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r
Patch: 105226-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWman
Patch: 105247-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWpsdcr
Patch: 105248-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWman
Patch: 105674-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWman
Patch: 105728-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWman
Patch: 105611-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWman
Patch: 106189-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r
Patch: 105422-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWapppr
Patch: 105473-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWatfsu
Patch: 105838-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtdte
Patch: 105704-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtdte
Patch: 105567-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtdmn
Patch: 105498-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWoldst
Patch: 105559-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtdst
Patch: 105339-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtdst, SUNWdthev, SUNWdtma
Patch: 105744-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWfns
Patch: 105200-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxwpls, SUNWxwscf
Patch: 105194-03 Obsoletes: 103500-08 Requires:  Incompatibles:  Packages: SUNWxwpls
Patch: 105553-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWnisu
Patch: 105404-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWnisu
Patch: 105617-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpsdcr
Patch: 106136-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpsdcr
Patch: 106203-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpsdcr
Patch: 105209-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpsdpr
Patch: 106126-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWswmt
Patch: 105427-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWtnfc
Patch: 105408-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWvolu
Patch: 105201-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxi18n

