Name : Multiple Security Issues in Netup UTM
Software Package : Netup UserTraffManager
Vendor Homepage : http://www.netup.biz, http://www.netup.ru
Vulnerable Versions: 3.0, 4.0
Platforms : Linux, FreeBSD
Vulnerability Type : SQL injections, remote shell command execution
Introduction
-------
As stated on the vendor's website www.netup.biz: "NetUP UserTraffManager
is a universal ISP billing system for Internet Service Providers of any size,
from small offices to global companies".
In practice, UTM is a traffic accounting suite which consists of:
1) scripts that collect traffic statistics from various devices and store
them in a MySQL database;
2) a web interface for administrators and end-users.
-------
Issue 1: Session hijacking using SQL injection
The UTM web interface consists of three executables: aaa, admin and utm_stat.
aaa authenticates a user or administrator and generates a unique session id.
After that, admin or utm_stat identifies the user by the session id, which is
passed as the parameter sid in the HTTP GET query string.
Session data is stored in MySQL, and the sid parameter is checked with a
simple SELECT in which special characters in sid are not escaped, so sessions
can be hijacked with input that alters the WHERE clause, for example
sid='q" OR 1=1 OR "q"="q'. This gives access to the first currently open
session. The resulting requests are:
https://somehost/cgi-bin/utm/admin?cmd=full_view&sid=q%22%20OR%201=1%20OR%20%22q%22=%22q
https://somehost/cgi-bin/utm/utm_stat?cmd=user_report&sid=q%22%20OR%201=1%20OR%20%22q%22=%22q
The attacker can switch between sessions by altering the SQL query, for example:
sid=q" OR 1=1 AND uid!=10 OR "q"="q
Once the attacker has found the session he needs, he can stick to it by adding
uid=X (where X is the user's ID) to the query.
If no sessions are currently active, the message "Access denied" is displayed;
however, nothing is written to the UTM_logs table.
Once an administrator's session is hijacked, the attacker can do anything that
administrator can: alter users' settings, add users, erase logs, steal the
UTM registration key, and so on.
-------
Issue 2: Altering user's parameters using SQL injection
All of a user's information is stored in a single SQL row. Users can change
their password and language via the web interface at /cgi-bin/utm/user_stat.
Data from the HTTP query is passed into an SQL UPDATE statement unescaped, so
with SQL injection a user can alter all of his parameters, including the
amount of money on his account.
A logged-in user can alter his own information, and in the case of session
hijacking the attacker can alter the session owner's information.
For example, setting lang to 'ru", bill=10000, lang="ru' will put 10000
rubles on the user's bill. The example query is:
https://somehost/cgi-bin/utm/utm_stat?cmd=change_lang&lang=ru%22,%20bill=10000,%20lang=%22ru&sid=XXXXX
(where XXXXX is a valid sid, or the SQL injection described in Issue 1).
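The two unescaped queries from Issues 1 and 2, modelled in Python against an in-memory SQLite database beside parameterized versions (an added example, not UTM's own code; the table names, rows and function names are assumptions). MySQL accepts double-quoted strings, which the advisory's payloads rely on; SQLite treats double quotes as identifiers, so the same payloads are written here with single quotes.

```python
import sqlite3


def make_db():
    """Constructed stand-in for UTM's session and user tables (not UTM's schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sessions (sid TEXT, uid INTEGER);
        CREATE TABLE users (uid INTEGER, login TEXT, lang TEXT, bill INTEGER);
        INSERT INTO sessions VALUES ('a1b2c3', 1), ('d4e5f6', 42);
        INSERT INTO users VALUES (1, 'admin', 'en', 0), (42, 'user42', 'en', 5);
    """)
    return db

def lookup_session_vulnerable(db, sid):
    """sid interpolated into the SELECT, as the advisory describes the check."""
    row = db.execute(f"SELECT uid FROM sessions WHERE sid='{sid}'").fetchone()
    return row[0] if row else None

def lookup_session_safe(db, sid):
    """Same lookup with a bound parameter: sid is data, never SQL text."""
    row = db.execute("SELECT uid FROM sessions WHERE sid=?", (sid,)).fetchone()
    return row[0] if row else None

def change_lang_vulnerable(db, uid, lang):
    """Interpolated UPDATE, as in Issue 2: extra assignments ride along."""
    db.execute(f"UPDATE users SET lang='{lang}' WHERE uid={int(uid)}")

def change_lang_safe(db, uid, lang):
    """Bound parameters: the whole payload is stored as the lang string."""
    db.execute("UPDATE users SET lang=? WHERE uid=?", (lang, int(uid)))

def user_row(db, uid):
    return db.execute("SELECT lang, bill FROM users WHERE uid=?", (uid,)).fetchone()

def demo():
    """Runs both payloads from the advisory against each variant."""
    hijack = "q' OR 1=1 OR 'q'='q"        # Issue 1 payload, single-quoted
    topup = "ru', bill=10000, lang='ru"   # Issue 2 payload, single-quoted
    vuln = make_db()
    safe = make_db()
    first_vuln = lookup_session_vulnerable(vuln, hijack)  # 1: first open session
    first_safe = lookup_session_safe(safe, hijack)        # None: no such sid
    change_lang_vulnerable(vuln, 42, topup)
    change_lang_safe(safe, 42, topup)
    return first_vuln, first_safe, user_row(vuln, 42), user_row(safe, 42)
```

With the interpolated variants the session lookup returns the admin's uid and user 42's bill becomes 10000; with bound parameters the lookup finds nothing and the payload is stored verbatim as a language name.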
-------
In fact, all of UTM's code suffers from SQL injections. The two worst were
described above, so I will skip the others and move on to the more serious bugs.
-------
Issue 3: Executing shell commands
UTM allows its administrators to set up firewall rules. The administrator
enters the parameters for ipchains (on Linux) or ipfw (on FreeBSD) into a web
form; they are stored in MySQL and executed with the help of sudo. A malicious
administrator can append a semicolon and arbitrary shell commands to a
firewall rule, and those commands will be executed with the uid of the httpd
process owner.
However, altering firewall rules is disabled in UTM by default. In that case
an attacker can use a more complicated way to execute commands.
The problem is that the UTM configuration options from /netup/utm/utm.cfg are
exported to global variables after parsing. This happens on each startup of
aaa, admin or utm_stat. After that, the dictionary data for the corresponding
language is selected from the table dict, and this data is also exported to
global variables: the column "variable" becomes the variable name and the
column "value" its value. So, whoever has access to the table dict can
override configuration options from /netup/utm/utm.cfg. Overriding the option
sudo_path allows an attacker to execute shell commands on the server running
UTM.
The web interface /cgi-bin/utm/admin allows only the column value of the table
dict to be changed. However, further examination shows that admin?cmd=dict_change
is subject to an SQL injection similar to utm_stat?cmd=change_lang, described
above. Passing a parameter like
value506='touch /tmp/hacked; /usr/local/bin/sudo", variable="sudo_path'
to admin?cmd=dict_change will rewrite the global variable sudo_path, and
'touch /tmp/hacked' will be executed on the next call to sudo. The HTTP query
itself is very big, because all rows of the table dict are changed with one
query (stupid!), so it won't be shown here.
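The export step that makes Issue 3 possible, as an added Python model that is not UTM's code: configuration options and dictionary rows merged into one flat namespace, beside a version that keeps the two apart and rejects collisions. CONFIG, DICT_ROWS, the msg_ prefix allow-list and the function names are assumptions.

```python
# Constructed stand-in for the parsed /netup/utm/utm.cfg options (assumed values).
CONFIG = {"database_login": "utm", "sudo_path": "/usr/local/bin/sudo"}

# Constructed rows of the table dict as (variable, value); the last row is a
# hypothetical planted entry that reuses a configuration option's name.
DICT_ROWS = [
    ("msg_welcome", "Welcome"),
    ("msg_denied", "Access denied"),
    ("sudo_path", "/tmp/PLACEHOLDER-not-sudo"),
]


def export_unsafe(config, dict_rows):
    """One flat namespace for both sources, filled in UTM's order (config
    first, dict second): a dict row named after a config option replaces it."""
    ns = dict(config)
    for variable, value in dict_rows:
        ns[variable] = value
    return ns


def export_safe(config, dict_rows, prefix="msg_"):
    """Keep the two sources in separate namespaces and accept only dictionary
    names that carry the assumed allow-listed prefix and do not collide with
    a config option. Returns (namespace, rejected variable names)."""
    ns = {"cfg": dict(config), "dict": {}}
    rejected = []
    for variable, value in dict_rows:
        if variable in config or not variable.startswith(prefix):
            rejected.append(variable)
            continue
        ns["dict"][variable] = value
    return ns, rejected
```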
-------
Issue 4: Gaining root access
Once an attacker can execute shell commands with the uid of the httpd process
owner (usually nobody), in most cases he can gain a root shell. The problem
is that on all boxes running UTM the sudoers file contains the line:
nobody ALL= NOPASSWD: /bin/mv
So moving from the httpd uid to uid 0 is quite easy.
(I don't really know the reason for this, but it is even suggested on the
vendor's website http://www.netup.ru/?fid=31)
-------
Known workarounds:
1. Change database_login in utm.cfg to a non-root value (the default is root).
2. Remove "nobody ALL= NOPASSWD: /bin/mv" from sudoers.
3. Disallow changing the dictionary and adding firewall rules for all
administrators. Make the tables actions and dict read-only for the
UTM MySQL account.
4. Deny access to /cgi-bin/utm from outside networks via .htaccess.
5. Deny access to /cgi-bin/utm/admin.pl from all hosts except the
administrators' ones via .htaccess.
6. Deny the POST method in .htaccess. Monitor access_log for SQL injections.
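Workaround 6 asks for access_log monitoring; this added Python scanner (not part of the advisory) flags requests to /cgi-bin/utm whose decoded parameters contain quotes or SQL keywords, as well as POSTs to the CGI directory, over constructed log lines that carry the encoded payloads from Issues 1 and 2. The log format, IP addresses and function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access_log lines in Common Log Format; the second and third
# requests carry the URL-encoded payloads quoted in Issues 1 and 2.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Sep/2003:10:01:02 +0400] "GET /cgi-bin/utm/utm_stat?cmd=user_report&sid=a1b2c3 HTTP/1.0" 200 512
10.0.0.9 - - [22/Sep/2003:10:01:07 +0400] "GET /cgi-bin/utm/admin?cmd=full_view&sid=q%22%20OR%201=1%20OR%20%22q%22=%22q HTTP/1.0" 200 4096
10.0.0.9 - - [22/Sep/2003:10:02:11 +0400] "GET /cgi-bin/utm/utm_stat?cmd=change_lang&lang=ru%22,%20bill=10000,%20lang=%22ru&sid=a1b2c3 HTTP/1.0" 200 128
10.0.0.9 - - [22/Sep/2003:10:03:00 +0400] "POST /cgi-bin/utm/admin HTTP/1.0" 200 8192
10.0.0.7 - - [22/Sep/2003:10:04:30 +0400] "GET /index.html HTTP/1.0" 200 1024
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
SQL_TOKEN = re.compile(r"\b(or|and|union|select|update|set)\b", re.I)


def suspicious_value(value):
    """A decoded parameter value with a quote character, or an SQL keyword
    next to a comparison or assignment, is never a legitimate sid or lang."""
    if '"' in value or "'" in value:
        return True
    return bool(SQL_TOKEN.search(value) and "=" in value)


def scan_access_log(text):
    """Returns (ip, parameter or 'POST', path, decoded value) per finding."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["target"].startswith("/cgi-bin/utm/"):
            continue
        url = urlsplit(m["target"])
        if m["method"] == "POST":
            findings.append((m["ip"], "POST", url.path, "POST to UTM CGI"))
            continue
        # keep_blank_values so an emptied parameter still shows up in the scan
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if suspicious_value(value):
                findings.append((m["ip"], name, url.path, value))
    return findings
```

Decoding before matching matters: the percent-encoded form in the raw log line contains neither a quote character nor the literal text "OR".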
--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
Published 2003-09-22 (Securityvulns); source: https://vulners.com/securityvulns/SECURITYVULNS:DOC:5143