COMMAND
Cobalt RaQ
SYSTEMS AFFECTED
Cobalt RaQ servers (Linux?)
PROBLEM
Michael Righi discovered a flaw in the Cobalt RaQ servers that
lets malicious users enter the system, find the system
administrator's password, and gain access to sensitive
information. Righi was able to obtain the root, or administrator,
passwords to three Web sites by searching the sites for the
history file through a Web browser. What's more, Righi easily
found which sites run RaQ by using a simple search engine, thanks
to another feature of the RaQ setup process. When RaQ installs
itself, it generates a live Web page that reads "Welcome to Cobalt
RaQ." By doing a search for that phrase, anyone can find sites
using the appliance.
The /etc/skel directory does not populate user directories with
any files other than the index.html file and a private directory.
However, if a user telnets into the box and runs various shell
commands, the bash shell maintains a .bash_history file. The
.bash_history file is readable by the web server. If the admin
user inadvertently types the root password at the command line (as
a command rather than as an authentication response), the password
will be recorded in the .bash_history file. This only affects
people who telnet into the machine and make the mistake of typing
their password in as a command.
Even the patch released by Cobalt (see below) appears to only
remove the current .bash_history file. It does not change the
name, location or permissions of the file.
Cobalt OS Patch (2700R)Release 2.0
Cobalt OS Release 3.0
FrontPage98 Server Extensions Release 3.0
Shell History Patch Release 1.0
[root@raq admin]# pwd
/home/sites/home/users/admin
[root@raq admin]# ls -al
total 58
drwxrwxr-x 5 httpd home 1024 Feb 26 06:08 .
drwxrwxr-x 3 httpd home 1024 Jan 12 18:31 ..
-rw-rw-r-- 1 httpd home 5758 Jan 12 18:31 index.html
drwx------ 2 httpd home 1024 Feb 13 02:01 mail
[root@raq admin]# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Cobalt Linux release 3.0 (Fargo)
Kernel 2.0.34 on a mips
login: admin
Password:
Last login: Fri Feb 26 06:07:42 from localhost
[admin@raq admin]$ ls -al
total 58
drwxrwxr-x 5 httpd home 1024 Feb 26 06:08 .
drwxrwxr-x 3 httpd home 1024 Jan 12 18:31 ..
-rw-rw-r-- 1 httpd home 5758 Jan 12 18:31 index.html
drwx------ 2 httpd home 1024 Feb 13 02:01 mail
[admin@raq admin]# exit
[root@raq admin]# ls -al
total 59
drwxrwxr-x 5 httpd home 1024 Feb 26 06:13 .
drwxrwxr-x 3 httpd home 1024 Jan 12 18:31 ..
-rw-r--r-- 1 admin users 12 Feb 26 06:13 .bash_history
-rw-rw-r-- 1 httpd home 5758 Jan 12 18:31 index.html
drwx------ 2 httpd home 1024 Feb 13 02:01 mail
[root@raq admin]#
The .bash_history file is still created even after the Shell
History Patch Release 1.0 is applied to the RaQ and is still world
readable.
SOLUTION
Cobalt has released a security patch in the form of a package
file that is installed through the web interface. The package
file changes file permissions for all hidden files other than
.htaccess in user home directories. Package files are available
at:
ftp://ftp.cobaltnet.com/pub/security
and look for the file:
ShellHistoryPatch-1.0.pkg
Because of the problems with the patch mentioned above, use the
following fix instead. Add these lines to /etc/profile:
touch $HISTFILE
chmod 600 $HISTFILE
For the really paranoid, place the following line before the touch
command:
HISTFILE=~/.some.other.name
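The /etc/profile fix above and the permission change the vendor patch is
described as making can both be scripted. The following is an added example
and is not code from the advisory or from Cobalt: it applies the touch/chmod
fix to a history file, audits a home tree for dotfiles readable by "other"
(which is what lets httpd serve them), and repairs what it finds. The
directory layout it builds is constructed for the demo and the function names
are assumptions.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Cobalt. It applies the
# advisory's /etc/profile fix to a history file and audits a home tree for
# world-readable dotfiles. All paths below are constructed for the demo.

# Advisory fix: make sure the history file exists and is readable only by
# its owner, so a password typed as a command cannot be read by httpd.
secure_histfile() {
    touch "$1" && chmod 600 "$1"
}

# Symbolic mode string of a path (e.g. -rw-------); ls -ld is portable,
# unlike the flags of stat(1).
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# Print every regular dotfile below a home root that is readable by
# "other" (mode bit 004). .htaccess is skipped, as the vendor patch is
# described as doing, since Apache itself must be able to read it.
find_world_readable_dotfiles() {
    find "$1" -type f -name '.*' ! -name '.htaccess' -perm -004
}

# Number of such files, for scripting and for the checks below.
count_world_readable_dotfiles() {
    find_world_readable_dotfiles "$1" | wc -l | tr -d ' '
}

# Fix everything the audit found, the way the advisory's chmod does.
fix_world_readable_dotfiles() {
    find_world_readable_dotfiles "$1" | while read -r f; do
        chmod 600 "$f"
    done
}

# Build a throwaway home tree that reproduces the advisory's listing:
# a world-readable .bash_history next to index.html and an .htaccess.
make_demo_home() {
    d=$(mktemp -d)
    mkdir -p "$d/admin"
    printf 'ls -al\n' > "$d/admin/.bash_history"
    chmod 644 "$d/admin/.bash_history"
    printf '<html></html>\n' > "$d/admin/index.html"
    printf 'Options -Indexes\n' > "$d/admin/.htaccess"
    chmod 644 "$d/admin/.htaccess"
    echo "$d"
}

# Demo run: audit, fix, audit again, then clean up.
demo() {
    home=$(make_demo_home)
    echo "before: $(count_world_readable_dotfiles "$home") leaky dotfile(s)"
    fix_world_readable_dotfiles "$home"
    echo "after:  $(count_world_readable_dotfiles "$home") leaky dotfile(s)"
    rm -rf "$home"
}

demo
```

Run it as root against /home/sites/home/users (or whatever root your user
directories live under) to find history files the vendor patch left
world-readable; the find predicate deliberately checks the "other" read bit
rather than a fixed mode, so a 640 file owned by a group httpd is not in also
passes.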
Also, Cobalt could permanently stop dotfiles from being served to the
net by adding the following to Apache's configuration file:
<FilesMatch "^\.">
order allow,deny
deny from all
</FilesMatch>
This would prevent any file beginning with a dot from being
allowed out through the web.