8364053 2002-04-28 13:29 +0200 /110 lines/ ppp-design <security@ppp-design.de>
Sent by: joel@lysator.liu.se
Imported: 2002-04-29 21:42 by Brevbäraren
External recipient: bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <22095>
Subject: dnstools: authentication bypass vulnerability
------------------------------------------------------------
From: ppp-design <security@ppp-design.de>
To: bugtraq <bugtraq@securityfocus.com>
Message-ID: <3CCBDD37.3060608@ppp-design.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ppp-design found the following authentication bypass vulnerability in dnstools:

Details
-------
Product: dnstools
Affected Version: 2.0 beta 4 and possibly all earlier versions
Immune Version: 2.0 beta 5
OS affected: Linux only
Vendor-URL: http://www.dnstools.com
Vendor-Status: informed, new version available
Security-Risk: very high
Remote-Exploit: Yes

Introduction
------------
DNSTools is a commercial solution for DNS configuration ($0 for personal use up to $800 for ISPs). This is what the vendor says about dnstools:

"DNSTools is a DNS configuration and DNS administration utility that eases the burden of network and system administrators by presenting all of their DNS data in an easy-to-use web interface and allowing them to modify that data quickly and easily. With a few simple clicks, you can modify a host name, add a new mail record, add a new DNS name server, delete an entire domain or add an alias or second IP address to an existing host. These are just a few examples of what DNSTools provides."

Unfortunately the security concept is broken by design and can be easily bypassed.

More details
------------
The software uses two variables to store the user's authentication status (normal user / administrator). Unfortunately these variables are not initialized before they are checked, so a client can supply them itself in the request and spoof its status.
Proof-of-concept
----------------
Just add "user_logged_in=true" and, if you want administration privileges, "user_dnstools_administrator=YES" to any URL (just be sure you are not logged in, otherwise your submitted variable will be overwritten with the real value).

Examples:
http://www.example.com/dnstools.php?section=hosts&user_logged_in=true
http://www.example.com/dnstools.php?section=security&user_logged_in=true&user_dnstools_administrator=YES

Temporary-Fix
-------------
Initialize both variables with false at the beginning of dnstools.php.

Fix
---
Use at least version 2.0 beta 5.

Security-Risk
-------------
A blackhat can easily manipulate DNS entries remotely without being authorized in any way. This is often the first step of a hacking scenario. Therefore we rate the security risk as very high.

Vendor status
-------------
The author reacted very quickly and commendably to our notification. He needed about 48 hours to release a new version which fixes the vulnerability.

Disclaimer
----------
All information in this advisory is believed to be true, but it may not be. ppp-design cannot be held responsible for the use or misuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned.

This advisory can be found online: http://www.ppp-design.de/advisories.php

- --
ppp-design
http://www.ppp-design.de
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org

iD8DBQE8y903DXh7YLO1RRoRAs4VAJ9HNyVi3Fz7U1eU9tk2efcrlZfcnACdEWCx
rnGV/vCQNPwo1fRFsynOy1w=
=ZPXl
-----END PGP SIGNATURE-----
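The bug class behind the "More details" and "Temporary-Fix" sections, shown as an added PHP illustration that is not dnstools' own code: a script that tests two flags it never initialised, running under register_globals=on (the PHP 4 default of the period, under which every request parameter becomes a global variable), next to the same check written the way the advisory's fix demands. The variable names user_logged_in and user_dnstools_administrator come from the advisory; the function names, the session layout and the surrounding logic are hypothetical assumptions.

```php
<?php
// Added illustration of the bug class in the advisory; this is not dnstools'
// own code. It assumes PHP with register_globals=on, which turns every request
// parameter into a global variable. The two variable names come from the
// advisory; everything else is a hypothetical reconstruction.

// --- Vulnerable pattern -------------------------------------------------
// $user_logged_in and $user_dnstools_administrator are only assigned when a
// real login happened. For an anonymous request they are never initialised,
// so whatever register_globals injected from the query string is what the
// final check sees.
function vulnerable_is_admin($logged_in_user = null)
{
    global $user_logged_in, $user_dnstools_administrator;
    if ($logged_in_user !== null) {
        // A genuine login overwrites the flags, which is why the advisory
        // says the trick only works while you are not logged in.
        $user_logged_in = true;
        $user_dnstools_administrator = $logged_in_user['is_admin'] ? 'YES' : 'NO';
    }
    // Loose comparison: the string "true" is truthy and "YES" == "YES".
    return $user_logged_in && $user_dnstools_administrator == 'YES';
}

// --- Hardened pattern ---------------------------------------------------
// 1. Initialise both flags to false at the top (the advisory's temporary fix),
//    so no request parameter can supply their starting value.
// 2. Derive them only from server-side session state, never from the request.
// 3. Compare strictly, so strings such as "true" or "YES" cannot satisfy them.
function hardened_is_admin(array $session)
{
    $user_logged_in = false;
    $user_dnstools_administrator = false;
    if (isset($session['user_id'])) {
        $user_logged_in = true;
        $user_dnstools_administrator =
            (isset($session['is_admin']) && $session['is_admin'] === true);
    }
    return $user_logged_in === true && $user_dnstools_administrator === true;
}

// Constructed request mirroring the advisory's second example URL.
$request = [
    'section'                     => 'security',
    'user_logged_in'              => 'true',
    'user_dnstools_administrator' => 'YES',
];
// Emulate register_globals=on: every parameter becomes a global variable.
foreach ($request as $name => $value) {
    $GLOBALS[$name] = $value;
}

echo 'vulnerable, anonymous + injected flags: ',
     var_export(vulnerable_is_admin(), true), "\n";
echo 'hardened, anonymous + injected flags:   ',
     var_export(hardened_is_admin([]), true), "\n";
echo 'hardened, real admin session:           ',
     var_export(hardened_is_admin(['user_id' => 7, 'is_admin' => true]), true), "\n";
```

The hardened version takes its input as an explicit session array rather than reading globals, which is the property that matters: once the flags start from false and are set only from server-side state, nothing the client sends can reach the comparison, and register_globals stops being a concern for this check. Disabling register_globals (it is off by default from PHP 4.2 and removed in PHP 5.4) is the system-wide version of the same fix.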