Advisory
Title: Extent RBS Directory Traversal
Release Date: 09/21/2000
Application: Extent RBS
Platform:
Windows NT4
Windows 2000
RedHat Linux 6.x
Sun Solaris 2.6+
Version: 2.63; possibly older versions as well.
Severity: Any anonymous user can read any file on the server that Extent RBS has permission to read.
Author: Obscure^ [obscure@eyeonsecurity.org]
Vendor Status: The vendor was contacted and informed on Thursday, September 14, 2000, 3:27 PM and has issued a patch.
Web:
http://www.eyeonsecurity.org
http://www.extent.com
Background.
From http://www.extent.com/solutions/prod_rbsisp.shtml:
Extent RBS ISP is a full OSS package
which combines RADIUS, user management, Web signup,
billing, invoicing and other valuable features
that let you grow your IP service provider business.
Problem.
This vulnerability was discovered by me.
Extent RBS allows users to register a new subscription via credit card through their web browser. The problem is that the web server does not check for directory traversal when reading image files: the path supplied in the Image parameter is resolved relative to the web root without rejecting ".." components. Any file which Extent RBS has permission to read can therefore be read by a malicious user: on Windows NT, any file on the same partition as the installation (a relative path cannot cross drive letters); on *NIX, any file on the system. This includes credit card details, usernames and passwords, which are stored in "%HOMEDRIVE%\Program Files\<program directory>\database\rbsserv.mdb". The URL relative to this file would be:
http://localhost:8002/Newuser?Image=../../database/rbsserv.mdb
Typical Scenario.
The malicious user (attacker/hacker/whatever) would just connect to port 8002 of the Extent RBS ISP web server, which allows anonymous access, and retrieve any file on the system, such as the credit card numbers, usernames and passwords stored in RBSserv.mdb, by passing the URL template included below. This assumes that NTFS permissions are left in their default state, so that the account running Extent RBS can read the requested files.
URL template:
http://[ip address]:8002/NewUser?image=[location of file to retrieve relative to the webroot directory]
Note: I have only tested the WinNT version of Extent RBS.
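The following is an added example, not code from this advisory or from Extent RBS. It shows the containment check that the NewUser image handler lacks, alongside the naive join-and-normalise behaviour the advisory describes, and then applies that check to constructed access-log lines so that requests matching the URL template above can be flagged after the fact. It goes beyond the advisory's single payload by also rejecting percent-encoded, double-encoded and backslash variants. The web root path, the log format and the sample log lines are assumptions made for the example; the handler and parameter names follow the advisory's URL template.

```python
"""Added example (not part of the advisory or of Extent RBS): resolve a
user-supplied image path safely against a web root, and scan access-log
lines for requests that would have escaped it.

Assumptions: WEBROOT, the request-line format and SAMPLE_LOG are
constructed here; /NewUser?image=... follows the advisory's URL template.
"""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical install location; the real path is product-specific.
WEBROOT = "/opt/rbs/webroot"


def naive_resolve(webroot: str, image_param: str) -> str:
    """The behaviour the advisory describes: join and normalise, no containment check.

    "../../database/rbsserv.mdb" climbs straight out of the web root.
    """
    return posixpath.normpath(posixpath.join(webroot, image_param))


def safe_resolve(webroot: str, image_param: str) -> Optional[str]:
    """Return the path to serve, or None if the request must be refused."""
    # Decode percent-encoding twice so that %2f and %252e variants are
    # normalised before any path logic runs on them.
    decoded = unquote(unquote(image_param))
    # NUL bytes truncate C-string paths; backslashes are separators on Windows.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # A leading slash would otherwise replace the web root entirely.
    decoded = decoded.lstrip("/")
    root = posixpath.normpath(webroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # Containment check on the normalised path, not on the raw string:
    # "images/../logo.gif" is fine, "../../database/rbsserv.mdb" is not.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Sep/2000:10:02:11 +0000] "GET /NewUser?image=logo.gif HTTP/1.0" 200 1043
10.0.0.5 - - [21/Sep/2000:10:02:12 +0000] "GET /images/banner.gif HTTP/1.0" 200 2210
10.0.0.7 - - [21/Sep/2000:10:04:03 +0000] "GET /NewUser?Image=banner/top.gif HTTP/1.0" 200 880
10.0.0.9 - - [21/Sep/2000:10:05:42 +0000] "GET /NewUser?image=../../database/rbsserv.mdb HTTP/1.0" 200 204800
10.0.0.9 - - [21/Sep/2000:10:05:50 +0000] "GET /NewUser?image=..%2f..%2fdatabase%2frbsserv.mdb HTTP/1.0" 200 204800
"""

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) HTTP/[\d.]+" (\d{3})')


def flag_traversal(log_text: str, webroot: str = WEBROOT) -> List[Tuple[str, str]]:
    """Return (client, request-target) for NewUser image requests that escape webroot."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if parts.path.lower() != "/newuser":
            continue
        # parse_qs already decodes one layer of percent-encoding; safe_resolve
        # decodes again, so double-encoded payloads are still caught.
        for key, values in parse_qs(parts.query, keep_blank_values=True).items():
            if key.lower() != "image":
                continue  # the advisory shows both Image= and image=
            for value in values:
                if safe_resolve(webroot, value) is None:
                    hits.append((client, target))
    return hits


if __name__ == "__main__":
    print("naive :", naive_resolve(WEBROOT, "../../database/rbsserv.mdb"))
    print("safe  :", safe_resolve(WEBROOT, "../../database/rbsserv.mdb"))
    for client, target in flag_traversal(SAMPLE_LOG):
        print("traversal from", client, "->", target)
```

The check is done on the normalised absolute path rather than by searching the raw parameter for "..", so legitimate relative references inside the web root still work while encoded and mixed-separator variants are refused. The same resolver is reused by the log scan, so detection and prevention agree on what counts as an escape.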
Disclaimer:
The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lies within the user's responsibility.
Feedback:
Please send suggestions, updates,
and comments to:
Eye on Security
mail:obscure@eyeonsecurity.org
http://www.eyeonsecurity.org