COMMAND
AnswerBook2
SYSTEMS AFFECTED
- Any systems running a version of AnswerBook2 before 1.4.2
- AnswerBook2 version 1.4.2 without the appropriate patch listed below
PROBLEM
Following is based on a Sun Microsystems Security Bulletin.
Sun Solaris(tm) AnswerBook2 ships with an HTTP server (dwhttpd)
that allows users to access Solaris documentation using a web
browser. A vulnerability exists that allows a malicious user to
access the administration of AnswerBook2 as well as the ability
to run arbitrary commands on the remote host as the webserver
user (daemon).
Sun acknowledges, with thanks, Lluis Mora from S21SEC for bringing
this vulnerability to their attention. Mr. Mora's own advisory
supplies the following details.
There are two security bugs in the Sun Solaris AnswerBook2 package
that allow a malicious user to access the administration interface
of AB2, as well as to run arbitrary commands on the remote host as
the user the server runs as.
Sun Solaris AnswerBook2 ships with an HTTP server (dwhttpd,
DynaWeb's httpd) that allows users to access Solaris documentation
using a web browser. By default the server listens on port 8888.
1. Accessing the administration interface
=========================================
The server provides an administration interface that allows the
administrator to manage document collections, view log files, etc.
The administrative interface is not available until an
administrator has been manually added to the AnswerBook2
configuration. In order to use the functions of the administration
interface
http://www.example.com:8888/ab2/@Ab2Admin?
you need to authenticate yourself to the web server.
AB2 comes with a handful of CGI scripts, one of which provides a
secondary way of reaching the administration interface:
http://www.example.com:8888/cgi-bin/admin/admin
The CGI accepts some requests without requiring authentication;
one of them is the request an administrator uses to add a new
user. An unauthenticated attacker can therefore create an
administrative account simply by passing the right values to the
CGI:
http://www.example.com:8888/cgi-bin/admin/admin?command=add_user&uid=percebe&password=percebe&re_password=percebe
Sending a request to this URL automatically adds a new user to
the administration interface. The attacker can then log in with
the percebe/percebe credentials and is able to read the log files
and manage their contents.
2. Remote execution of arbitrary commands
=========================================
There is a second bug in the dwhttpd server that allows an
attacker to run arbitrary commands on the host where the
AnswerBook server is running. One of the options available while
administering AB2 is to rotate the access and error logs. The
server lets you specify the target file the logs will be rotated
to, and a value such as ../../../../../this/file can be used to
create and overwrite files outside the web server document root
directory.
Further investigation showed that the server performs the
following command to rotate the server logs:
sh -c "cp /var/log/ab2/logs/original_log /var/log/ab2/logs/USER_PROVIDED_TARGET"
So an attacker could specify a destination log such as
"x ; uname -a", which translates to:
sh -c "cp /var/log/ab2/logs/original_log /var/log/ab2/logs/x ; uname -a"
Thus effectively running an arbitrary command in the remote
server.
Under Solaris (at least 2.6 and 8) the web server runs as user
daemon (uid=1).
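The root cause of the second bug is a single string handed to sh -c, with the destination name spliced in. The Python below is an added example, not code from the advisory or from Sun/DynaWeb: it builds (without running) the command line the advisory describes so the shell's view of "x ; uname -a" is visible, and beside it shows a hardened rotation routine that accepts only a plain file name inside the log directory and invokes cp with an argv list, so no shell ever parses the attacker's string. The function and constant names are the example's own; the log directory and the two malicious targets are the ones quoted above.

```python
import os
import re
import subprocess
import tempfile

LOG_DIR = "/var/log/ab2/logs"          # directory named in the advisory
# A rotation target must be a plain file name: letters, digits, dot,
# underscore, dash, not starting with a dot, bounded length.
TARGET_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def rotate_command_vulnerable(original_log, target, log_dir=LOG_DIR):
    """Build (but do not run) the command line the advisory describes: the
    user-supplied target is spliced into one string for sh -c, so any
    metacharacter in it is parsed by the shell as part of the command."""
    return 'sh -c "cp %s/%s %s/%s"' % (log_dir, original_log, log_dir, target)


def validate_target(target, log_dir=LOG_DIR):
    """Accept only a single plain file name and return its absolute path
    inside log_dir; raise ValueError for anything else."""
    if not TARGET_RE.fullmatch(target):
        raise ValueError("target is not a plain file name: %r" % target)
    dest = os.path.realpath(os.path.join(log_dir, target))
    # Belt and braces: even a name that passed the regex must resolve to a
    # direct child of the log directory.
    if os.path.dirname(dest) != os.path.realpath(log_dir):
        raise ValueError("target escapes %s: %r" % (log_dir, target))
    return dest


def rotate_safe(original_log, target, log_dir=LOG_DIR):
    """Hardened rotation: validated name, and cp invoked with an argv list
    (no shell), so metacharacters in the target are never interpreted."""
    dest = validate_target(target, log_dir)
    src = os.path.join(log_dir, original_log)
    subprocess.run(["cp", src, dest], check=True)
    return dest


BAD_TARGETS = [
    "x ; uname -a",               # the advisory's command injection
    "../../../../../this/file",   # the advisory's path traversal
    "x`id`", "$(id)", "a/b", "", "..", ".hidden",
]


def demo():
    """Run the hardened path in a scratch directory (a stand-in for
    /var/log/ab2/logs) and try every bad target against the validator."""
    with tempfile.TemporaryDirectory() as scratch:
        with open(os.path.join(scratch, "access.log"), "w") as fh:
            fh.write("GET /ab2/ 200\n")            # constructed log content
        dest = rotate_safe("access.log", "access.log.1", log_dir=scratch)
        with open(dest) as fh:
            copied = fh.read()
        rejected = []
        for bad in BAD_TARGETS:
            try:
                validate_target(bad, log_dir=scratch)
            except ValueError:
                rejected.append(bad)
    return {
        "shell_sees": rotate_command_vulnerable("access.log", "x ; uname -a"),
        "copied": copied,
        "rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The allow-list regex does the real work; the realpath check is there so that a future relaxation of the pattern (for instance to permit subdirectories) still cannot leave the log directory. Quoting the target inside the sh -c string would not be an adequate fix on its own, since the code would still depend on getting shell quoting right for every input.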
These bugs have been verified to be present on the AnswerBook
dwhttpd servers shipped with Solaris 2.6 x86 (dwhttpd v4.0) and
Solaris 8 SPARC (dwhttpd v4.1), as well as the latest release
v4.1.2 available from the vendor website. It is strongly
believed the bug is platform independent and can probably be found
in previous releases.
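For an operator who cannot patch immediately, both bugs leave a trace in the web server's access log: an add_user request with no authenticated user, and admin CGI parameters carrying traversal sequences or shell metacharacters. The following detection script is an added example, not part of the original advisory, run over a handful of constructed log lines. It assumes dwhttpd writes Common Log Format (the third field is the authenticated user, "-" when no credentials were presented); the add_user, uid, password and re_password parameters and the CGI path are the ones quoted above, while the rotate_log and file parameter names and the other request paths in the sample are made up for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Common Log Format (assumption: adjust
# CLF_RE if your dwhttpd log differs). The rotate_log/file parameter names are
# hypothetical; none of these lines come from a real AnswerBook2 host.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/Jan/2001:10:01:02 -0500] "GET /ab2/@LegacyToc?lang=en HTTP/1.0" 200 5120
10.0.0.9 - - [12/Jan/2001:10:02:17 -0500] "GET /cgi-bin/admin/admin?command=add_user&uid=percebe&password=percebe&re_password=percebe HTTP/1.0" 200 311
10.0.0.9 - percebe [12/Jan/2001:10:03:40 -0500] "GET /cgi-bin/admin/admin?command=view_log HTTP/1.0" 200 8870
10.0.0.9 - percebe [12/Jan/2001:10:04:01 -0500] "GET /cgi-bin/admin/admin?command=rotate_log&file=../../../../../this/file HTTP/1.0" 200 120
10.0.0.9 - percebe [12/Jan/2001:10:04:30 -0500] "GET /cgi-bin/admin/admin?command=rotate_log&file=x%20%3B%20uname%20-a HTTP/1.0" 200 120
10.0.0.2 - admin [12/Jan/2001:11:00:00 -0500] "GET /cgi-bin/admin/admin?command=add_user&uid=bob&password=s3cret&re_password=s3cret HTTP/1.0" 200 311
"""

CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<authuser>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
ADMIN_CGI = "/cgi-bin/admin/admin"
# Characters that change the meaning of a string passed through sh -c.
SHELL_META = re.compile(r'[;&|`$<>\n\r]')


def analyse_line(line):
    """Return a list of findings (possibly empty) for one access-log line."""
    m = CLF_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if url.path != ADMIN_CGI:
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    command = params.get("command", [""])[0]
    authuser = m.group("authuser")
    findings = []
    # 1. Account creation through the admin CGI with no authenticated user:
    #    this is the add_user bypass described in the advisory.
    if command == "add_user" and authuser == "-":
        findings.append(("unauthenticated add_user", params.get("uid", ["?"])[0]))
    # 2. Any other admin parameter carrying traversal or shell metacharacters,
    #    which is how a log-rotation target reaches sh -c.
    for key, values in params.items():
        if key == "command":
            continue
        for value in values:           # parse_qs has already URL-decoded it
            if ".." in value.split("/"):
                findings.append(("path traversal in %s" % key, value))
            if SHELL_META.search(value):
                findings.append(("shell metacharacter in %s" % key, value))
    return [dict(host=m.group("host"), authuser=authuser, reason=reason, value=value)
            for reason, value in findings]


def scan_log(text):
    """Run analyse_line over every line of an access log and collect findings."""
    out = []
    for line in text.splitlines():
        out.extend(analyse_line(line))
    return out


if __name__ == "__main__":
    for f in scan_log(SAMPLE_ACCESS_LOG):
        print("%(host)s user=%(authuser)s %(reason)s: %(value)r" % f)
```

Note that the legitimate add_user request by the already authenticated "admin" produces no finding, while the three malicious requests each produce exactly one; the percent-encoded ";" is caught because parse_qs decodes it before the metacharacter check runs.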
SOLUTION
Two steps are required to protect against these vulnerabilities.
Step 1) Update AnswerBook2 to the latest version (at least
version 1.4.2). The latest version of AnswerBook2 can be
downloaded from:
http://www.sun.com/software/ab2/dwnld_versions.html
Step 2) Install the AnswerBook2 patch
AnswerBook2 Version    Patch ID
___________________    _________
1.4.2                  110011-02
1.4.2_x86              110012-02