what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

linbit.txt

linbit.txt
Posted Mar 30, 2004
Authored by Daniel Fabian | Site sec-consult.com

SEC-CONSULT Security Advisory - Linbit Linbox is vulnerable to authentication circumvention on its administration portal, password disclosure for all existing users, and using the obtained passwords, any account can be logged into via SSH.

tags | advisory
SHA-256 | 64158a7cf03bea19c8dd9020b9f99b7e6bcf2fe97d86ac1d244377dc6d5c7978

linbit.txt

Change Mirror Download


============================================================
SEC-CONSULT Security Advisory - LINBIT LINBOX
============================================================

Vendor: LINBIT Information Technologies GmbH (http://www.linbit.com)
Product: LINBOX
Vendor status: vendor contacted (22.01.2004)
Patch status: Patch available at http://linbox.linbit.at/

Vulnerabilites:

- Authentication circumvention for the administration portal
- Password disclosure for all existing users
- System login through SSH


============
Introduction
============

The LINBOX offers a comprehensive IT solution (internet gateway including
firewall, file server, mail server, proxy server etc.) to companies of any
size with a key priority on security.

Services/Features included in the LINBOX

* Central user administration (no LINUX skills required)
* Compatibility with Windows workstations
* Internet access (ISDN, ADSL, cable or leased line)
* Upon clients request provided with/without proxy server
* Integrated firewall to protect your company network
* Sophisticated internet access control (who is allowed to access the
internet via the proxy server)
* File server for your internal company data
* Print server for a central printer
* Uniform user settings at every workstation (domain controller)
* Simple adding or removing of Windows workstations (name server and
DHCP server)
* Central mail server. Manage e-mail accounts and mailing lists (e.g.
office@..., sales@...)
* Web e-mail to be used via the Internet throughout the world (e.g.
e-mail service during holidays or business trips)
* VPN access for field service or home working (via PPTP protocol)
* Virus scan for all e-mails and files (optional)

=====================
Vulnerability Details
=====================

1) AUTHENTICATION CIRCUMVENTION
===============================

DESCRIPTION:

LINBOX has a webbased administration portal on port 8080 that is accessible
through the internet by default. Opening this page in a browser gives the
user the following options:

- Administration
- Webmail
- Personal Settings

Hitting the link "Administration", the web application requests username and
password. The authentication mechanisms seems to be provided by a AuthMySQL
3.1 Apache module.

However because of a configuration fault, it is possible for an attacker to
bypass the authentication by opening the page //admin/user.pl (note the double
slash at the beginning), which gets the attacker to a list of users. Once on
that page, an attacker could as well just add a user of it's own (with
administration priviledges) and log in comfortably at the front page.

EXAMPLE:

---*---
Http-Request:
http://demo.linbox.at//admin/user.pl

---*---

REMARKS:

As soon as the attacker has an administrativ account, he can:
- Create/delete/change usrs
- Create/delete/change VPN accounts
- Change the network configuration (IP, default GW, etc.)
- Create/delete/change Samba shares as well as their permissions
- Shut the system down
- Deactivate the virus scanner


2) PASSWORD DISCLOSURE FOR ALL EXISTING USERS
=============================================

DESCRIPTION:

As soon as the attacker as access to the users.pl page (as described in 1),
he can read all passwords of all existing users by simply hitting the edit
button for each user. This page contains the password in an HTML password
input box, which the attacker can read in cleartext by viewing the source
code of the HTML page.


EXAMPLE:

<tr><td class="ADMIN-LEFT">Password:</td><td class="ADMIN-RIGHT"
colspan="1"><input type="password" name="adm_Password" value="dieter" />
***-----------------------------------------------------------^^^^^^
</td></tr>
<tr><td class="ADMIN-LEFT">Passwortbestätigung:</td><td class="ADMIN-RIGHT"
colspan="1"><input type="password" name="adm_Passwortbestätigung"
value="dieter" /> </td></tr>
***----^^^^^^


3) SYSTEM LOGIN THROUGH SSH
===========================

DESCRIPTION:

As all user accounts on the administrative portal are also system accounts,
an attacker can use a ssh-shell (if available) to login to the system with
the passwords provided in 2).

===============
GENERAL REMARKS
===============

Above findings derive from an external (black box) security test.
we would like to apologize in advance for potential nonconformities and/or
known issues.

====================
Recommended Hotfixes
====================

Patch:
Available from http://linbox.linbit.at/



EOF Daniel FABIAN / @2004
d.fabian@sec-cosult.com


SEC CONSULT Vienna GmbH

Blindengasse 3
A-1080 Wien
Austria / EUROPE

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office@sec-consult.com
http://www.sec-consult.com

***************************************************************************
***************************************************************************
***************************************************************************


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close