COMMAND

    AnswerBook2

SYSTEMS AFFECTED

    - Any systems running a version of AnswerBook2 before 1.4.2
    - Answerbook2 version 1.4.2 without the appropriate patch listed below

PROBLEM

    Following  is  based  on  a  Sun  Microsystems  Security Bulletin.
    Sun Solaris(tm)  AnswerBook2 ships  with an  HTTP server (dwhttpd)
    that  allows  users  to  access  Solaris documentation using a web
    browser.  A vulnerability exists  that allows a malicious user  to
    access the administration  of AnswerBook2 as  well as the  ability
    to run  arbitrary commands  on the  remote host  as the  webserver
    user (daemon).

    Sun acknowledges, with thanks, Lluis Mora from S21SEC for bringing
    this vulnerability to their attention.  Mr. Mora published further
    details, which are summarised below.

    There are  two security  bugs in  the Sun Solaris AnswerBook2 package
    that allow a malicious user to access the administration of the AB2,
    as well as to run arbitrary commands on the remote host as the  user
    the server runs as.

    Sun  Solaris  AnswerBook2  ships  with  an  HTTP server   (dwhttpd,
    DynaWeb's httpd) that allows users to access Solaris documentation
    using a web browser.  By default the server listens on port 8888.

    1. Accessing the administration interface
    =========================================
    The server  provides an  administration interface  that allows the
    administrator to manage document collections, view log files, etc.
    The administrative interface is not available until an administrator
    is manually added to the AnswerBook2 configuration.  In order to use
    the functions of the administration interface

        http://www.example.com:8888/ab2/@Ab2Admin?

    you need to validate yourself against the web server.

    AB2 comes with a handful of  cgi scripts, one of which provides  a
    secondary way of getting to the administration interface

        http://www.example.com:8888/cgi-bin/admin/admin

    The CGI accepts some requests without requiring authentication; one
    of them allows the administrator to add a new user.  It is therefore
    possible for an unauthenticated user to create a new user simply  by
    passing values to the CGI:

        http://www.example.com:8888/cgi-bin/admin/admin?command=add_user&uid=percebe&password=percebe&re_password=percebe

    Sending a request to this URL will automagically add a new user  to
    the administration interface, granting access to it with the
    percebe/percebe credential pair, with which the attacker is able to
    read log files and manage their contents.

    2. Remote execution of arbitrary commands
    =========================================
    There  is  a  second  bug  in  the  dwhttpd  server that allows an
    attacker  to  run  arbitrary  commands  on  the  host  where   the
    AnswerBook server is running.   One of the options you  have while
    administering the AB2 is to rotate the access and error logs.  The
    server allows you to specify  the target file that the  logs will
    be rotated to.  A value such as ../../../../../this/file can be used
    to create and overwrite files outside the web server document  root
    directory.  Further investigation showed that the server runs the
    following command to rotate the server logs:

        sh -c "cp /var/log/ab2/logs/original_log /var/log/ab2/logs/USER_PROVIDED_TARGET"

    So an attacker could specify a destination log like "x ; uname -a",
    which will translate to:

        sh -c "cp /var/log/ab2/logs/original_log /var/log/ab2/logs/x ; uname -a"

    Thus  effectively  running  an  arbitrary  command  on  the remote
    server.

    Under Solaris (at  least 2.6 and  8) the web  server runs as  user
    daemon (uid=1).

    These bugs  have been  verified to  be present  on the  AnswerBook
    dwhttpd servers shipped  with Solaris 2.6  x86 (dwhttpd v4.0)  and
    Solaris 8  SPARC (dwhttpd  v4.1), as  well as  the latest  release
    v4.1.2  available  from  the  vendor  website.     It  is strongly
    believed the bug is platform independent and can probably be found
    in previous releases.
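    Both bugs leave traces in the dwhttpd access log: an add_user request
    to the admin CGI from an unauthenticated client, and admin requests
    whose parameters carry shell metacharacters or "../" sequences.  The
    following scanner is an added example written for this digest; it is
    not code from Sun or S21SEC.  The log lines are constructed in Common
    Log Format, and the rotate_log/target parameter names are assumed for
    illustration, since the bulletin does not name the real ones.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Common Log Format lines in the style of a dwhttpd access log.
# "rotate_log" and "target" are assumed parameter names for illustration;
# the advisory does not name the actual log-rotation parameters.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2000:10:00:01 +0000] "GET /ab2/@Ab2HomePage HTTP/1.0" 200 4122
10.0.0.9 - - [12/Jun/2000:10:00:07 +0000] "GET /cgi-bin/admin/admin?command=add_user&uid=percebe&password=percebe&re_password=percebe HTTP/1.0" 200 512
10.0.0.9 - percebe [12/Jun/2000:10:00:20 +0000] "GET /ab2/@Ab2Admin?command=rotate_log&target=x%20%3B%20uname%20-a HTTP/1.0" 200 310
10.0.0.9 - percebe [12/Jun/2000:10:00:31 +0000] "GET /ab2/@Ab2Admin?command=rotate_log&target=../../../../../tmp/x HTTP/1.0" 200 310
10.0.0.7 - - [12/Jun/2000:10:01:02 +0000] "GET /ab2/@Ab2CollView?coll=ab2 HTTP/1.0" 200 2048
"""

# client, remote user, method, URL, status (the fields this check needs)
CLF_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
ADMIN_PATHS = ("/ab2/@Ab2Admin", "/cgi-bin/admin/")
SHELL_META = re.compile(r'[;|`$\n]')   # characters sh -c would interpret

def inspect_request(url):
    """Return findings for one request URL, decoded as the server sees it."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)   # %-decodes values
    findings = []
    if parts.path == "/cgi-bin/admin/admin" and "add_user" in params.get("command", []):
        findings.append("admin CGI add_user (no authentication required)")
    if parts.path.startswith(ADMIN_PATHS):
        for name, values in params.items():
            for v in values:
                if SHELL_META.search(v):
                    findings.append(f"shell metacharacters in {name}={v!r}")
                if "../" in v or v.startswith("/"):
                    findings.append(f"path traversal in {name}={v!r}")
    return findings

def scan_log(text):
    """Return (client, url, findings) for every suspicious access-log line."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue           # skip lines that are not in Common Log Format
        client, _user, _method, url, _status = m.groups()
        findings = inspect_request(url)
        if findings:
            hits.append((client, url, findings))
    return hits

if __name__ == "__main__":
    for client, url, findings in scan_log(SAMPLE_LOG):
        print(client, url, "; ".join(findings))
```

    Run against the sample it flags the add_user request and the two
    rotation requests, and passes the ordinary documentation requests.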

SOLUTION

    Two steps are required to protect against these vulnerabilities.

    Step 1)  Update  AnswerBook2   to  the  latest  version  (at least
             version 1.4.2).  The latest version of AnswerBook2 can be
             downloaded from:

             http://www.sun.com/software/ab2/dwnld_versions.html

    Step 2)  Install the AnswerBook2 patch

             Answerbook2 Version       Patch ID
             -------------------       ---------
             1.4.2                     110011-02
             1.4.2_x86                 110012-02