
Date:         Thu, 21 Sep 2000 09:40:22 +0800
Reply-To: anon anon 
Sender: Bugtraq List 
Subject:      Extent RBS directory traversal.
To: BUGTRAQ@SECURITYFOCUS.COM

Advisory Title: Extent RBS directory traversal.

Release Date: 09/21/2000

Application: Extent RBS

Platform: Windows NT4
Windows 2000
RedHat Linux 6.x
Sun Solaris 2.6+

Version: 2.63, and possibly older versions as well (I have also tested 2.5 and found it vulnerable).

Severity: High. Any unauthenticated remote user can read any file on the server that the Extent RBS process has permission to read.

Author: Obscure^ [obscure@cybergoth.i-p.com]

Vendor Status: The vendor was first contacted and informed on Thursday, September 14, 2000 at 3:27 PM, and has confirmed that it is issuing a patch for WinNT and Linux. A patch for Sun will be issued on 21 September 2000.

Web: 
http://irc.m0ss.com/eos/advisories/extentrbs.htm
http://www.extent.com


Background.

(From http://www.extent.com/solutions/prod_rbsisp.shtml)

Extent RBS ISP is a full OSS package which combines RADIUS, user management, Web signup, billing, invoicing and other valuable features that let you grow your ISP service provider business.


Problem.

This vulnerability was discovered by me.
Extent RBS allows users to register a new subscription by credit card through their web browser. The problem is that the bundled web server does not check the Image parameter of the NewUser page for directory traversal ("../") before reading the requested image file from disk. Thus any file on the same partition (on WinNT) or any file on the system (on *NIX) which Extent RBS has permission to read can be read by a remote user. This includes the credit card details, usernames and passwords of subscribers, which are stored in "%HOMEDRIVE%\Program Files\\database\rbsserv.mdb".
The URL relative to this file would be:
http://localhost:8002/Newuser?Image=../../database/rbsserv.mdb
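To make the defect concrete, here is an added example (not Extent's code; their server source is not public and the advisory only documents the behaviour) of the image-serving logic the advisory describes, beside a hardened version. The on-disk layout it builds in a temporary directory (a "web/images" directory two levels above a "database" directory holding a dummy rbsserv.mdb) is a constructed stand-in for the real install tree, chosen so that the advisory's "../../database/rbsserv.mdb" resolves the same way. The hardened handler decodes the parameter once, normalises backslashes, canonicalises with realpath and refuses anything that does not remain under the image directory, which also catches absolute paths and percent-encoded traversal.

```python
import os
import tempfile
import urllib.parse

# Constructed fixture (not the vendor's real layout): <root>/web/images holds
# served images, <root>/database/rbsserv.mdb stands in for the subscriber DB.
def build_fixture() -> str:
    root = tempfile.mkdtemp(prefix="rbs_demo_")
    os.makedirs(os.path.join(root, "web", "images"))
    os.makedirs(os.path.join(root, "database"))
    with open(os.path.join(root, "web", "images", "logo.gif"), "wb") as f:
        f.write(b"GIF89a-demo")
    with open(os.path.join(root, "database", "rbsserv.mdb"), "wb") as f:
        f.write(b"CARD=4111111111111111;USER=admin")
    return root


def serve_image_vulnerable(root: str, image_param: str) -> bytes:
    """Behaviour the advisory describes: the decoded Image parameter is joined
    onto the image directory and opened with no traversal check, so '..'
    segments walk out of the tree and any readable file comes back."""
    name = urllib.parse.unquote(image_param)
    path = os.path.join(root, "web", "images", name)
    with open(path, "rb") as f:
        return f.read()


def resolve_image_path(root: str, image_param: str):
    """Canonical image directory and the canonical path the parameter names."""
    image_dir = os.path.realpath(os.path.join(root, "web", "images"))
    # Decode once and fold Windows separators so '..%2f' and '..\\' cannot
    # slip past a naive substring check; realpath then collapses '..'.
    name = urllib.parse.unquote(image_param).replace("\\", "/")
    candidate = os.path.realpath(os.path.join(image_dir, name))
    return image_dir, candidate


def is_within_image_dir(root: str, image_param: str) -> bool:
    """True only if the resolved path stays under the image directory."""
    image_dir, candidate = resolve_image_path(root, image_param)
    return os.path.commonpath([image_dir, candidate]) == image_dir


def serve_image_hardened(root: str, image_param: str) -> bytes:
    """Same service, but refuses anything that escapes the image directory."""
    image_dir, candidate = resolve_image_path(root, image_param)
    if os.path.commonpath([image_dir, candidate]) != image_dir:
        raise PermissionError(f"path escapes image directory: {image_param!r}")
    with open(candidate, "rb") as f:
        return f.read()


if __name__ == "__main__":
    root = build_fixture()
    payload = "../../database/rbsserv.mdb"
    print("vulnerable:", serve_image_vulnerable(root, payload))
    try:
        serve_image_hardened(root, payload)
    except PermissionError as e:
        print("hardened:", e)
```

The check is done on the canonicalised path rather than by searching the raw parameter for "..", because the raw string can be encoded, use backslashes on Windows, or be an absolute path, none of which a substring test reliably catches.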


Typical Scenario.

The malicious user (attacker/hacker/whatever) would just connect to port 8002 of the Extent RBS ISP server, which allows anonymous access, and retrieve any file on the system, such as the credit card numbers, usernames and passwords stored in rbsserv.mdb, by requesting the URL template included below. This assumes that NTFS permissions are left in their default state.
URL template:
http://:8002/NewUser?image=

Note: I have only tested the WinNT version of Extent RBS.
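For anyone who cannot patch immediately, the same request pattern is easy to spot in web server logs. The following is an added example (not part of the advisory, and not a vendor tool) that scans access-log lines for requests to the NewUser page whose Image parameter, after full URL decoding and backslash normalisation, contains a ".." segment, an absolute path or a drive letter. The log lines are constructed in Common Log Format for illustration; the advisory does not say what the RBS web server itself logs, so the line parser is an assumption to adapt to the real log source.

```python
import re
import urllib.parse

# Constructed sample log lines (Common Log Format); not real RBS logs.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Sep/2000:09:40:22 +0800] "GET /NewUser?Image=logo.gif HTTP/1.0" 200 1422
10.0.0.9 - - [21/Sep/2000:09:41:03 +0800] "GET /NewUser?Image=../../database/rbsserv.mdb HTTP/1.0" 200 540672
10.0.0.9 - - [21/Sep/2000:09:41:30 +0800] "GET /newuser?image=..%2F..%2Fdatabase%2Frbsserv.mdb HTTP/1.0" 200 540672
10.0.0.9 - - [21/Sep/2000:09:42:01 +0800] "GET /NewUser?Image=..%255c..%255cdatabase%255crbsserv.mdb HTTP/1.0" 200 540672
10.0.0.7 - - [21/Sep/2000:09:43:10 +0800] "GET /NewUser?Image=banner.gif HTTP/1.0" 200 2048
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %255c -> %5c -> \\) up to `rounds` times."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(request_target: str) -> bool:
    """True if the target is /NewUser with an Image value that leaves the image dir."""
    parsed = urllib.parse.urlsplit(request_target)
    if parsed.path.lower() != "/newuser":
        return False
    # parse_qsl already decodes one layer; fully_decode handles double encoding.
    for key, value in urllib.parse.parse_qsl(parsed.query, keep_blank_values=True):
        if key.lower() != "image":
            continue
        normalised = fully_decode(value).replace("\\", "/")
        if ".." in normalised.split("/"):
            return True
        if normalised.startswith("/") or re.match(r"^[A-Za-z]:", normalised):
            return True
    return False


def flag_traversal(log_text: str) -> list:
    """Return the log lines that look like Image-parameter traversal attempts."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal_attempt(m.group("target")):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print("TRAVERSAL:", hit)
```

Matching on the decoded path segments rather than the raw string is deliberate: a filter that only looks for the literal "../" misses the percent-encoded and backslash forms that the same server would still happily resolve.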


Disclaimer:
The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lies within the user's responsibility.


Feedback:
Please send suggestions, updates, and comments to:


Eye on Security
mail: obscure@cybergoth.i-p.com
http://irc.m0ss.com/eos