ALCASAR index.php Crafted HTTP host Header Vulnerability

2014-09-16T00:00:00
ID SAINT:93D7DBF0F40BB52472F18AE007745146
Type saint
Reporter SAINT Corporation
Modified 2014-09-16T00:00:00

Description

Added: 09/16/2014
BID: 69662
OSVDB: 111026

Background

ALCASAR is a free Network Access Controller that allows network managers to restrict Internet service access to authenticated users. ALCASAR allows control and logging of all network activity by users and/or defined user groups.

Problem

ALCASAR 2.8 and earlier are vulnerable to remote code execution: a remote attacker can inject the **exec()** function into the HTTP Host header and gain access as the Apache user. By also exploiting the Apache user's sudoer capability with **openssl**, the attacker could leverage the original vulnerability to gain root privileges.

Resolution

ALCASAR 2.8.1 purportedly fixes the host header vulnerability.

References

<http://seclists.org/fulldisclosure/2014/Sep/26>

Limitations

Exploit works on ALCASAR 2.8.

The **MIME::Base64** module is required on the SAINTexploit host.

Exploit only results in Apache permissions, not root permissions.