cobalt.raq.txt

17 Aug 1999, reported by Packet Storm (packetstormsecurity.com)

Teenager discovers a critical security flaw in Cobalt RaQ servers allowing unauthorized access.

Date: Thu, 25 Feb 1999 07:59:30 -0700 (MST)  
From: mea culpa <[email protected]>  
To: InfoSec News <[email protected]>  
Subject: [ISN] Teenager Finds Web-server hole.   
  
  
Forwarded From: William Knowles <[email protected]>  
  
http://www.wired.com/news/print_version/technology/story/18109.html?wnpg=all  
  
(Wired.com) [2.25.99] A 17-year-old Pennsylvania high school student has  
discovered a potentially dangerous security flaw in a line of server  
hardware manufactured for ISPs.  
  
Michael Righi of Pittsburgh said he discovered a flaw in the Cobalt RaQ  
servers that lets malicious users enter the system, find the system  
administrator's password, and gain access to sensitive information.  
  
Righi was able to obtain the root, or administrator, passwords to three  
Web sites by searching the sites for the history file through a Web  
browser. What's more, Righi easily found which sites run RaQ by using a  
simple search engine, thanks to another feature of the RaQ setup process.  
  
When RaQ installs itself, it generates a live Web page that reads "Welcome  
to Cobalt RaQ." By doing a search for that phrase, Righi found more than  
20 sites using the appliance.  
  
Cobalt Networks developed the RaQ as a low-cost, low-maintenance Web  
server for the ISP market.  
  
Vivek Mehra, vice president of product development at Cobalt, said the  
hole, which could give a hacker access to a history file documenting a  
user's activities, wasn't specific to their appliance, but to the Linux  
operating system. Righi disagreed and said RaQ's default settings are to  
blame.  
  
"The Cobalt RaQ's default settings create the personal and Web directories  
as one and the same, which allows a system administrator's common mistake  
of mistyping a password to be saved in the history file," he said. He was  
unable to find similar exposure on sites running the Linux OS that did not  
use the Cobalt RaQ.  
  
Mehra said one simple remedy for the problem is to disable the history  
file in Linux before connecting to the Internet. Mehra said that users  
should always disable the history file if sensitive information is housed  
on the RaQ appliance.   
  
Linux administrators enter commands in what's known as a command-line  
interface. The OS documents each command in a history file to prevent the  
user from having to retype the command if he or she wants to reissue it.  
  
That history file contains a record of every command. In some cases, the  
system administrator needs to type in the administrator password to  
perform sensitive commands, like backing up the system or adding users. A  
record of that password is saved in the history file.  
  
In most cases, the password will be encrypted, but Righi said that running  
the encryption through any cracker program will reveal the actual  
password. If a system administrator types the password too quickly or at  
the wrong time, the password could be saved as text without encryption,  
said Righi.  
  
Frezer Jones, a system administrator at Lisco, an ISP in Fairfield, Iowa,  
verified Righi's exploit after the student notified him that Lisco's  
system was at risk.  
  
But, said Jones, Cobalt hasn't told its customers about the security  
implications of a history file.  
  
"Users are always susceptible when they get a box, and they think it's  
secure, and they don't know much," Jones said. "I think Cobalt should be  
more responsive. They should know a little more and be able to advise the  
customers accordingly."  
  
"It's up to [individual companies] what level of security they want to run  
their systems on," Mehra said. "We can disable the feature so it doesn't  
allow the history file to be generated. People do not fully understand the  
implications of history files."  
  
-o-  
Subscribe: mail [email protected] with "subscribe isn".  
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]  
  
--------------------------------------------------------------------------------  
  
Date: Thu, 25 Feb 1999 23:02:17 +0100  
From: Patrick Oonk <[email protected]>  
To: [email protected]  
Subject: Cobalt root exploit  
  
http://www.cobaltnet.com/security.html  
  
(...)  
  
An article on a security exploit was released this  
morning from Wired Magazine and the San Jose Mercury  
News. Cobalt would like to clarify the nature of the  
claim, our response to it, and the solution.  
  
An individual obtained password information from history  
files on a Cobalt RaQ. With the RaQ, user directories are  
contained within the web tree. This is intentional since  
the purpose of our servers is for users to serve content  
on the web.  
  
The Details:  
  
The /etc/skel directory does not populate user  
directories with any files other than the index.html file  
and a private directory. However, if a user telnets into  
the box and runs various shell commands, the bash shell  
maintains a .bash_history file.  
  
The Problem:  
  
The .bash_history file is readable by the web server. If  
the admin user inadvertently types the root password at  
the command line (as a command rather than as an  
authentication response), the password will be recorded  
in the .bash_history file. This only affects people who  
telnet into the machine and make the mistake of typing  
their password in as a command.  
  
The Fix:  
  
Cobalt has released a security patch in the form of a  
package file that is installed through the web interface.  
The package file changes file permissions for all hidden  
files other than .htaccess in user home directories.  
Package files are available at:  
ftp://ftp.cobaltnet.com/pub/security or on our website  
at: ShellHistoryPatch-1.0.pkg.  
  
--  
: Patrick Oonk - http://patrick.mypage.org/ - [email protected] :  
: Pine Internet B.V. Consultancy, installatie en beheer :  
: Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ :  
: -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- :  
: "unix is voor types zonder sociaal leven..." - Patrick van Eijk :  
  
--------------------------------------------------------------------------------  
  
Date: Thu, 25 Feb 1999 17:27:20 -0500  
From: Jon Lewis <[email protected]>  
To: [email protected]  
Subject: Re: Cobalt root exploit  
  
On Thu, 25 Feb 1999, Patrick Oonk wrote:  
  
> An individual obtained password information from history  
> files on a Cobalt RaQ. With the RaQ, user directories are  
> contained within the web tree. This is intentional since  
> the purpose of our servers is for users to serve content  
> on the web.  
  
> and a private directory. However, if a user telnets into  
> the box and runs various shell commands, the bash shell  
> maintains a .bash_history file.  
  
I emailed Cobalt about this issue back in 12-98. I had a Qube on eval and  
noticed that the combination of user home directories being within the web  
server's document root dir and the default umask setting making user  
created files world readable meant that I could use a web browser to check  
for .bash_history files in each user's directory...mine of course had one.  
  
I was told by Will DeHaan <[email protected]>, that Cobalt really didn't  
intend to have users logging into the Qube for interactive shell sessions,  
but that they still planned to rearrange things such that each user home  
directory would not be in the web server's document root and would instead  
have the equivalent of a public_html dir. This change was to be  
integrated into future software releases.  
  
----don't waste your cpu, crack rc5...www.distributed.net team enzo---  
Jon Lewis *[email protected]*| Spammers will be winnuked or  
System Administrator | nestea'd...whatever it takes  
Atlantic Net | to get the job done.  
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________  
  
--------------------------------------------------------------------------------  
  
Date: Fri, 26 Feb 1999 05:27:55 -0500  
From: John Fraizer <[email protected]>  
To: [email protected]  
Subject: Re: Cobalt root exploit  
  
I also notified Cobalt of this problem only in 10-98. While it didn't make  
it out the pipeline in the form of a patch, our Alpha RaQ2 does have this  
taken care of in the form of a modified directory structure.  
  
I have submitted multiple security and cosmetic patches to Cobalt. They  
have been very receptive to them and have implemented them into the release  
code for both the RaQ1 and RaQ2. All in all, they have been more receptive  
than any other vendor I have contacted.  
  
  
  
At 05:27 PM 2/25/99 -0500, Jon Lewis wrote:  
>I emailed Cobalt about this issue back in 12-98. I had a Qube on eval and  
>noticed that the combination of user home directories being within the web  
>server's document root dir and the default umask setting making user  
>created files world readable meant that I could use a web browser to check  
>for .bash_history files in each user's directory...mine of course had one.  
>  
>I was told by Will DeHaan <[email protected]>, that Cobalt really didn't  
>intend to have users logging into the Qube for interactive shell sessions,  
>but that they still planned to rearrange things such that each user home  
>directory would not be in the web server's document root and would instead  
>have the equivalent of a public_html dir. This change was to be  
>integrated into future software releases.  
  
------------------------------------------------------------------  
ML.ORG is gone. Check out http://www.EZ-IP.Net - It's *FREE*  
------------------------------------------------------------------  
Get your *FREE* Parked Domain account at http://www.EZ-Hosting.Com  
------------------------------------------------------------------  
John Fraizer | __ _ |  
The System Administrator | / / (_)__ __ ____ __ | The choice  
mailto:[email protected] | / /__/ / _ \/ // /\ \/ / | of a GNU  
http://www.EnterZone.Net/ | /____/_/_//_/\_,_/ /_/\_\ | Generation  
PGP Key fingerprint = 7DB6 1CA2 DAA6 43DA 3AAF 44CD 258C 3D7E B425 81A8  
  
--------------------------------------------------------------------------------  
  
Date: Fri, 26 Feb 1999 06:30:15 -0500  
From: John Fraizer <[email protected]>  
To: [email protected]  
Subject: Re: Cobalt root exploit  
  
The patch released by Cobalt appears to only remove the current  
.bash_history file. It does not change the name, location or permissions  
of the file.  
  
RaQ configuration:  
  
Cobalt OS Patch (2700R) Release 2.0  
Cobalt OS Release 3.0  
FrontPage98 Server Extensions Release 3.0  
Shell History Patch Release 1.0  
  
  
[root@raq admin]# pwd  
/home/sites/home/users/admin  
  
[root@raq admin]# ls -al  
total 58  
drwxrwxr-x 5 httpd home 1024 Feb 26 06:08 .  
drwxrwxr-x 3 httpd home 1024 Jan 12 18:31 ..  
-rw-rw-r-- 1 httpd home 5758 Jan 12 18:31 index.html  
drwx------ 2 httpd home 1024 Feb 13 02:01 mail  
  
[root@raq admin]# telnet localhost  
Trying 127.0.0.1...  
Connected to localhost.  
Escape character is '^]'.  
  
Cobalt Linux release 3.0 (Fargo)  
Kernel 2.0.34 on a mips  
  
login: admin  
Password:  
Last login: Fri Feb 26 06:07:42 from localhost  
  
[admin@raq admin]$ ls -al  
total 58  
drwxrwxr-x 5 httpd home 1024 Feb 26 06:08 .  
drwxrwxr-x 3 httpd home 1024 Jan 12 18:31 ..  
-rw-rw-r-- 1 httpd home 5758 Jan 12 18:31 index.html  
drwx------ 2 httpd home 1024 Feb 13 02:01 mail  
  
[admin@raq admin]# exit  
  
[root@raq admin]# ls -al  
total 59  
drwxrwxr-x 5 httpd home 1024 Feb 26 06:13 .  
drwxrwxr-x 3 httpd home 1024 Jan 12 18:31 ..  
-rw-r--r-- 1 admin users 12 Feb 26 06:13 .bash_history  
-rw-rw-r-- 1 httpd home 5758 Jan 12 18:31 index.html  
drwx------ 2 httpd home 1024 Feb 13 02:01 mail  
[root@raq admin]#  
  
  
The .bash_history file is still created even after the Shell History Patch  
Release 1.0 is applied to the RaQ and is still world readable.  
  
And of course, what post to BUGTRAQ would be complete without a fix?  
  
The Fix:  
  
Add the following lines to /etc/profile  
  
touch $HISTFILE  
chmod 600 $HISTFILE  
  
  
For the really paranoid, place the following line before the touch command:  
  
HISTFILE=~/.some.other.name  
  
  
  
  
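The exposure John Fraizer describes, rebuilt in a throwaway directory tree and checked against his /etc/profile fix. This is an added example, not code from the thread or from Cobalt; the web root, user names, history contents and umask are all constructed, and the audit function is the check an operator would run over a RaQ-style tree where user homes sit inside the document root.

```shell
#!/bin/sh
# Added example, not from the original thread. It rebuilds the RaQ layout
# in a temporary tree (user homes inside the web document root, permissive
# umask, a bash-style history file written under that umask), applies the
# thread's fix (touch + chmod 600 on $HISTFILE, as from /etc/profile), and
# audits the tree for dotfiles the web server could still read.
# All paths, user names and file contents below are constructed.

WEBROOT="${TMPDIR:-/tmp}/raq-demo.$$"     # stands in for /home/sites/home/users

# Build the constructed tree: two "users", group-writable umask like the RaQ.
setup_tree() {
    rm -rf "$WEBROOT"
    umask 002
    mkdir -p "$WEBROOT/admin" "$WEBROOT/alice"
    echo "<html>Welcome</html>" > "$WEBROOT/admin/index.html"
    echo "ls -al"               > "$WEBROOT/admin/.bash_history"   # constructed history
    echo "Deny from all"        > "$WEBROOT/alice/.htaccess"       # httpd must still read this
    echo "cat /etc/passwd"      > "$WEBROOT/alice/.bash_history"
}

# The audit: every regular dotfile under the web tree that "others" can read.
# .htaccess is excluded, as Cobalt's own patch excludes it. One path per line.
world_readable_dotfiles() {
    (cd "$WEBROOT" && find . -type f -name '.*' ! -name '.htaccess' -perm -004 | sort)
}

# The thread's fix, as it would run from /etc/profile at login. HISTFILE is
# set explicitly here so the function can be pointed at a constructed home.
protect_history() {
    HISTFILE="$1/.bash_history"
    touch "$HISTFILE"          # create it now, before the shell does under a lax umask
    chmod 600 "$HISTFILE"      # owner-only: the httpd user can no longer read it
}

count_exposed() { world_readable_dotfiles | wc -l | tr -d ' '; }

setup_tree
echo "exposed before fix: $(count_exposed)"   # 2
protect_history "$WEBROOT/admin"
protect_history "$WEBROOT/alice"
echo "exposed after fix:  $(count_exposed)"   # 0
```

Running the audit alone against a real tree shows whether a vendor patch that only deletes the current .bash_history left later history files exposed, which is the gap the message above reports.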
--------------------------------------------------------------------------------  
  
Date: Fri, 26 Feb 1999 22:27:49 -0500  
From: Illuminatus Primus <[email protected]>  
To: [email protected]  
Subject: Re: Cobalt root exploit  
  
+----[ On Thu, Feb 25, at 05:15PM(-0500), xs wrote: ]--------------  
| The Fix:  
|  
| Cobalt has released a security patch in the form of a  
| package file that is installed through the web interface.  
| The package file changes file permissions for all hidden  
| files other than .htaccess in user home directories.  
| Package files are available at:  
| ftp://ftp.cobaltnet.com/pub/security or on our website  
| at: ShellHistoryPatch-1.0.pkg.  
+----[ End Quote ]---------------------------  
  
This doesn't sound like a very good permanent fix; dotfiles can spring  
into existence at any moment! You'd have to keep running this fix  
over and over to stop new files from being available over the web.  
  
What Cobalt could do to permanently stop dotfiles from getting out  
onto the net is to add the following to Apache's conf file:  
  
<FilesMatch "^\.">  
order allow,deny  
deny from all  
</FilesMatch>  
  
This would prevent any file beginning with a dot from being allowed  
out through the web.  
  
--------------------------------------------------------------------------------  
  
Date: Sat, 27 Feb 1999 11:13:05 +0100  
From: Joel Eriksson <[email protected]>  
To: [email protected]  
Subject: Re: Cobalt root exploit  
  
On Fri, 26 Feb 1999, John Fraizer wrote:  
  
> The .bash_history file is still created even after the Shell History Patch  
> Release 1.0 is applied to the RaQ and is still world readable.  
>  
> And of course, what post to BUGTRAQ would be complete without a fix?  
>  
> The Fix:  
>  
> Add the following lines to /etc/profile  
>  
> touch $HISTFILE  
> chmod 600 $HISTFILE  
>  
>  
> For the really paranoid, place the following line before the touch command:  
>  
> HISTFILE=~/.some.other.name  
  
Why not : ln -sf /dev/null $HISTFILE  
or simply: unset HISTFILE  
  
Who needs those historyfiles anyway? The only usage I can think of is  
to see if someone else has used your account, but then the intruder must  
have been _veeery_ lame, and if a lamer like that got in at all, you got  
much bigger problems to think of...  
  
  