COMMAND

    Cobalt RaQ2

SYSTEMS AFFECTED

    Cobalt RaQ1, RaQ2 and RaQ3

PROBLEM

    Chuck Pitre posted the following. His user was able to change the
    admin password. To replicate this bug you must have Site
    Administrator access to one of the accounts on the server. When
    you go into the Site Management for a site and select the User
    Management option, you get a list of the usernames that have been
    set up for that account. The green pencil edit icon is a command
    to execute the JavaScript function modify(), and it passes the
    username as the only variable into the function. To properly
    execute a function from the Location Bar in Netscape, the HTML
    page has to be the top frame. One must simply open the
    userList.html file in a new frame. When you type
    "javascript: modify( 'admin' );" into the Location Bar, the
    modify() function returns a URL. The URL returned when accessing
    it from the site is

        http://207.153.19.154:81/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi?username=admin&group=site151&949015199230

    This loads a standard Modify User page for the "admin" account.
    However, when you attempt to change this information by clicking
    the "Confirm Modify" button, it returns a JavaScript error because
    the function that it calls upon is dependent on the frame layout
    of the Site Management page. To overcome this issue we'll simply
    download two HTML files to hard disk. One is the index.html file,
    the other is the right.html file. Basically we can change the
    index.html file to call upon the URLs on your site and have it
    load the right.html file locally off your hard disk. We then
    change the right.html file to load the URLs on your site but
    change the "main" frame source to

        http://207.153.19.154:81/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi?username=admin&group=site151&949015199230

    - the Modify User page for the "admin" account.  It then loads  up
    with  all  the  correct  frames  AND  the Modify User page for the
    "admin" account.  Just enter a new password for the user and click
    "Confirm  Modify"  and  presto!   The  admin  password  is changed
    allowing you access to the Server Management page showing all  the
    server's  clients,  IP  addresses,  domain  names,  and ability to
    access  all  the  client's  contact  people,  telephone   numbers,
    usernames, and passwords.  You can also delete any sites/files  or
    download any sites/files  (full access via FTP to the site showing
    the root directory  of the server,  and the ability  to delete any
    evidence via the /log/ directory).

    Nir Simionovich added the following. The Cobalt QUBE2 machine
    suffers from serious security flaws. For example, the web GUI
    interface, once initiated with the admin password, would remember
    the station you entered from. Thus, if you don't close your
    browser, and you change sites, someone can come to your machine,
    punch up the QUBE2 admin site, and voila, instant admin.

    Another matter was the fact that the QUBE2 isn't SSL managed,
    which made it very simple for me to go and sniff the passwords
    out on the network.

SOLUTION

    As for RaQ 3, through improper permissions checking in
    /.cobalt/siteUserMod/siteUserMod.cgi, any Site Administrator can
    change the password of any regular user or Site Administrator on
    the system, but not admin (root).
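
    The missing server-side check, sketched as an added example (this
    is not Cobalt's code). The account table, role names and the
    raq.example host are constructed assumptions; the CGI path and its
    username/group parameters are the ones in the URL shown above.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed directory (assumption): username -> (role, site group).
ACCOUNTS = {
    "admin": ("server_admin", None),
    "alice": ("site_admin", "site151"),
    "bob": ("user", "site151"),
    "carol": ("site_admin", "site152"),
    "dave": ("user", "site152"),
}

def authorize_user_mod(caller, url, accounts=ACCOUNTS):
    """Decide whether `caller` may load or submit a Modify User request.

    `caller` must come from the authenticated session. The `username` and
    `group` query parameters are client-controlled, so both are checked
    against the directory instead of being trusted.
    """
    query = parse_qs(urlsplit(url).query)  # bare trailing token is dropped
    targets, groups = query.get("username", []), query.get("group", [])
    if len(targets) != 1 or len(groups) != 1:
        return False, "malformed request"  # missing or repeated parameter
    target, group = targets[0], groups[0]
    if caller not in accounts or target not in accounts:
        return False, "unknown account"
    caller_role, caller_group = accounts[caller]
    target_role, target_group = accounts[target]
    if caller_role == "server_admin":
        return True, "server admin"
    if caller_role != "site_admin":
        return False, "caller is not an administrator"
    if target_role == "server_admin":
        return False, "site admin may not modify the server admin"
    if target_group != caller_group:
        return False, "target belongs to another site"
    if group != target_group:
        return False, "group parameter does not match target"
    return True, "same-site modification"

# Constructed host; path and parameters follow the URL on this page.
BASE = "http://raq.example:81/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi"

if __name__ == "__main__":
    for who, qs in [("alice", "username=admin&group=site151&949015199230"),
                    ("alice", "username=dave&group=site151"),
                    ("alice", "username=bob&group=site151")]:
        print(who, qs, authorize_user_mod(who, BASE + "?" + qs))
```

    The decision depends only on the session identity and the
    server's own account records, so loading the page outside its
    frameset or editing the query string does not change the outcome.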

    If your system is at risk you can download the relevant package
    and install it. These are beta versions of the packages; Cobalt
    is currently testing them.

        RaQ 1 - ftp://ftp.cobaltnet.com/pub/experimental/security/siteUserMod/RaQ1-Security-3.6.pkg
        RaQ 2 - ftp://ftp.cobaltnet.com/pub/experimental/security/siteUserMod/RaQ2-Security-2.94.pkg
        RaQ 3 - ftp://ftp.cobaltnet.com/pub/experimental/security/siteUserMod/RaQ3-Security-2.2.pkg