-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 

                                Vapid Labs
                             Larry W. Cashdollar
          Xitami Webserver clear text password storage vulnerability.

Date Published: 11/23/2001

Advisory ID: 11232001-02

Title: Xitami Admin Password vulnerability from imatrix.com.

Class: Design error

Remotely Exploitable: no

Locally Exploitable: yes

Vulnerability Description:

The webserver administrator password is stored clear-text in a world readable file. A local user can use the webserver admin password to gain control of a (default) root owned process. The server can then be reconfigured by the malicious user (locally unless configured to allow remote administration) to read sensitive system file and execute commands as root.

Vulnerable Packages/Systems: Xitami Webserver 2.4d9, 2.5b5 beta

I tested using the source packages suni24d9.tgz, suni25b5.tgz obtained from xitami.com on a RedHat 6.2 i386 system.

Solution/Vendor Information/Workaround:

The vendor has been aware of this problem for a while, the time stamp on my source file was June 2001.

http://www.imatix.com/html/xitami/index13.htm#m_7

Previous vulnerabilities:

http://www.securityfocus.com/bid/3511
http://www.securityfocus.com/bid/2622

Vendor notified on: 11/23/2001

Credits: Larry W. Cashdollar Vapid Labs.

http://vapid.dhs.org

Technical Description - Exploit/Concept Code:

During installation the administrator is asked to enter an account and username password used to access the web administrator function. By default administration of the webserver is only allowed from localhost. This information is stored in a file called default.aut

[lwcash@mathom xitami]$ ls -l defaults.aut - -rw-r--r-- 1 root root 107 Nov 23 10:56 defaults.aut

If the server is configured by default (just hitting enter when asked to enable remote web administration) then a local user can use the admin password stored in the above file to reconfigure the webserver and among other things change the cgi-bin directory to /tmp/cgi-bin. By default the server runs as root and does not drop privledges.

I did the following.

echo "#!/bin/sh" > /tmp/cgi-bin/test.cgi echo "chmod 666 /etc/passwd" >> /tmp/cgi-bin/test.cgi

The following URL will execute our cgi as root: http://localhost/tmp/cgi-bin/test.sh

If the server has been configured to allow remote administration, then the above url can be accessed remotely.

Recommendations:

Configuration files that store sensitive information should have very restrictive file permissions. Passwords should never be stored in clear-text, they should be stored at least as a one way hash.

I suspect by the wording used during installation, that many administrators might enable remote web administration since it seems to be almost suggested by the installation script. You might want to change the wording around to discourage it.

I suspect changing the permissions of default.aut to read only for root would help a little, but did not test it.

DISCLAIMER:

The contents of this advisory are copyright (c) 2001 Larry W. Cashdollar and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8Ap7IOHpgAgvDwBURAiEEAKC9nx/90/SYRagxRmEOzX++21OS7gCglMIv E32weSt0xkmFQcLbtF4Sqh0=
=mNbv
-----END PGP SIGNATURE-----