COMMAND

    Cobalt RaQ

SYSTEMS AFFECTED

    Cobalt RaQ servers (Linux?)

PROBLEM

    Michael Righi  discovered a  flaw in  the Cobalt  RaQ servers that
    lets  malicious   users  enter   the  system,   find  the   system
    administrator's   password,   and   gain   access   to   sensitive
    information.  Righi was able to obtain the root, or administrator,
    passwords  to  three  Web  sites  by  searching  the sites for the
    history file  through a  Web browser.   What's more,  Righi easily
    found which sites run RaQ by using a simple search engine,  thanks
    to another feature of the RaQ  setup process.   When RaQ  installs
    itself, it generates a live Web page that reads "Welcome to Cobalt
    RaQ."  By doing  a search for that  phrase, anyone can find  sites
    using the appliance.

    The /etc/skel  directory does  not populate  user directories with
    any files other than the index.html file and a private  directory.
    However, if  a user  telnets into  the box  and runs various shell
    commands,  the  bash  shell  maintains  a .bash_history file.  The
    .bash_history file is  readable by the  web server.   If the admin
    user inadvertently types the root password at the command line (as
    a command rather than as an authentication response), the password
    will be  recorded in  the .bash_history  file.   This only affects
    people who telnet into the machine and make the mistake of  typing
    their password in as a command.

    Even the  patch released  by Cobalt  (see below)  appears to  only
    remove the  current .bash_history  file.   It does  not change the
    name, location or permissions of the file.

        Cobalt OS Patch (2700R) Release 2.0
        Cobalt OS Release 3.0
        FrontPage98 Server Extensions Release 3.0
        Shell History Patch Release 1.0


        [root@raq admin]# pwd
        /home/sites/home/users/admin

        [root@raq admin]# ls -al
        total 58
        drwxrwxr-x   5 httpd    home         1024 Feb 26 06:08 .
        drwxrwxr-x   3 httpd    home         1024 Jan 12 18:31 ..
        -rw-rw-r--   1 httpd    home         5758 Jan 12 18:31 index.html
        drwx------   2 httpd    home         1024 Feb 13 02:01 mail

        [root@raq admin]# telnet localhost
        Trying 127.0.0.1...
        Connected to localhost.
        Escape character is '^]'.

        Cobalt Linux release 3.0 (Fargo)
        Kernel 2.0.34 on a mips

        login: admin
        Password:
        Last login: Fri Feb 26 06:07:42 from localhost

        [admin@raq admin]$ ls -al
        total 58
        drwxrwxr-x   5 httpd    home         1024 Feb 26 06:08 .
        drwxrwxr-x   3 httpd    home         1024 Jan 12 18:31 ..
        -rw-rw-r--   1 httpd    home         5758 Jan 12 18:31 index.html
        drwx------   2 httpd    home         1024 Feb 13 02:01 mail

        [admin@raq admin]# exit

        [root@raq admin]# ls -al
        total 59
        drwxrwxr-x   5 httpd    home         1024 Feb 26 06:13 .
        drwxrwxr-x   3 httpd    home         1024 Jan 12 18:31 ..
        -rw-r--r--   1 admin    users          12 Feb 26 06:13 .bash_history
        -rw-rw-r--   1 httpd    home         5758 Jan 12 18:31 index.html
        drwx------   2 httpd    home         1024 Feb 13 02:01 mail
        [root@raq admin]#

    The  .bash_history  file  is  still  created  even after the Shell
    History Patch Release 1.0 is applied to the RaQ and is still world
    readable.

SOLUTION

    Cobalt has  released a  security patch  in the  form of  a package
    file that  is installed  through the  web interface.   The package
    file  changes  file  permissions  for  all hidden files other than
    .htaccess in user home  directories.  Package files  are available
    at:

        ftp://ftp.cobaltnet.com/pub/security

    where the relevant package file is:

        ShellHistoryPatch-1.0.pkg

    Because of the problems with the Cobalt patch described above, use
    the following fix instead.  Add these lines to /etc/profile:

        touch "$HISTFILE"        # create the history file as the user now
        chmod 600 "$HISTFILE"    # and make it readable by that user only

    For the really paranoid, place the following line before the touch
    command:

        HISTFILE=~/.some.other.name

    Also,  what  Cobalt  could  do  to  permanently stop dotfiles from
    getting out onto the net is to add the following to Apache's  conf
    file:

        <FilesMatch "^\.">
            order allow,deny
            deny from all
        </FilesMatch>

    This  would  prevent  any  file  beginning  with  a dot from being
    allowed out through the web.
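    To check a box after applying either the Cobalt package or the
    /etc/profile fix above, the following audit script is useful.  It is
    an added example, not code from the advisory or from Cobalt: it
    lists dot-files in the site users' home directories that are still
    world-readable and tightens them to mode 600, skipping .htaccess as
    the Cobalt patch does.  It assumes the /home/sites/home/users layout
    seen in the session above and that httpd runs under a uid other than
    the site user, so the o+r bit is what exposes a file.

```sh
#!/bin/sh
# Audit/remediation helper for the dot-file exposure described above.
# Added example, not code from the advisory or from Cobalt.  Assumes the
# RaQ layout /home/sites/home/users/<user> and that httpd runs as a uid
# other than the site user, so the o+r bit is what exposes a file.

# List dot-files under $1 that are readable by "other".  .htaccess is
# skipped: Apache reads it but never serves it, and the Cobalt patch
# leaves it alone for the same reason.
find_exposed_dotfiles() {
    root="${1:-/home/sites/home/users}"
    # -perm -004 : the o+r bit is set (octal form works in every find)
    find "$root" -type f -name '.*' ! -name '.htaccess' -perm -004 -print
}

# Number of exposed dot-files; handy for a cron check or a test.
count_exposed_dotfiles() {
    find_exposed_dotfiles "$1" | wc -l | tr -d ' '
}

# Drop group/other access on each exposed dot-file.  Pass "dry" as the
# second argument to only report what would change.
fix_exposed_dotfiles() {
    mode="${2:-apply}"
    find_exposed_dotfiles "$1" | while IFS= read -r f; do
        if [ "$mode" = dry ]; then
            printf 'would chmod 600 %s\n' "$f"
        else
            chmod 600 "$f"
        fi
    done
}

# Build a throw-away tree mirroring the session above (constructed sample
# data), audit it, fix it, audit again.  Prints "<before> <after>".
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/admin"
    printf 'ls -al\n<password typed as a command>\n' > "$d/admin/.bash_history"
    chmod 644 "$d/admin/.bash_history"          # the mode the RaQ created
    printf 'AuthType Basic\n' > "$d/admin/.htaccess"
    chmod 644 "$d/admin/.htaccess"              # must stay readable for Apache
    : > "$d/admin/index.html"
    before=$(count_exposed_dotfiles "$d")
    fix_exposed_dotfiles "$d"
    after=$(count_exposed_dotfiles "$d")
    rm -rf "$d"
    echo "$before $after"
}
```

    Run it without arguments as root on the RaQ to audit the real tree;
    `demo` only exercises the functions against a temporary directory.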