NetUP Multiple Vulnerabilities

Secunia Advisory: SA9831
Release Date: 2003-09-24
Popularity: 4,812 views
Critical: Highly critical
Impact: Security Bypass, Manipulation of data, Privilege escalation, System access
Where: From remote
Solution Status: Unpatched
Software: NetUP UTM 3.x, NetUP UTM 4.x

Description: Multiple vulnerabilities have been reported in NetUP, which can be exploited by malicious people to gain system access and manipulate user accounts.
1) The problem is that "admin" and "utm_stat" do not verify the "sid" parameter properly, allowing malicious people to hijack sessions from other users through SQL injection. This may be done by injecting SQL that always evaluates to true. The malicious person will then gain access as the first current session.
Examples:
https://[server]/cgi-bin/utm/admin?cmd=full_view&sid=q%22%20OR%201=1%20OR%20%22q%22=%22q
https://[server]/cgi-bin/utm/utm_stat?cmd=user_report&sid=q%22%20OR%201=1%20OR%20%22q%22=%22q
2) Malicious users can alter all settings of their accounts by using SQL injection when changing language preferences. The problem is that the "lang" parameter isn't properly verified, making it possible to add parameters to be updated. This could be exploited to alter the balance of the user account.
Example:
https://[server]/cgi-bin/utm/utm_stat?cmd=change_lang&lang=ru%22,%20bill=10000,%20lang=%22ru&sid=sessionid
3) UTM fails to verify parameters, which are passed to executables such as "ipchains" or "ipfw". This allows injection of shell meta characters like ";", which can be exploited to execute arbitrary code on the system.
4) Users with access to table "dict" can alter the language but also configuration settings in "utm.cfg". The problem is that all configuration options and language settings are exported to global variables. This allows language settings to override configuration options because they are initialized last.
5) It is possible for anyone with access to execute code with the privileges of the httpd process (exploiting issue 3 or 4 and users with access to the web root) to escalate their privileges due to the sudo configuration.
Solution: Restrict access allowing only trusted users to connect to administrative NetUP services.
Restrict access allowing only trusted users to place executable content in the web root.
Log all access to the user interface to identify if anybody attempts to manipulate their account. This includes logging of POST requests.
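The logging recommendation above, turned into a check over web-server access logs (an added example, not part of the advisory or NetUP's code): it flags requests to the two CGI endpoints named above whose "sid" or "lang" value contains unexpected characters, or whose other parameters carry shell metacharacters. The expected value shapes, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

UTM_PATHS = {"/cgi-bin/utm/admin", "/cgi-bin/utm/utm_stat"}
# Assumed shapes of legitimate values; the advisory does not document them.
EXPECTED = {"sid": re.compile(r"[A-Za-z0-9]{1,64}"),
            "lang": re.compile(r"[A-Za-z]{2,8}")}
SHELL_META = set(";|&`$<>")
# Client address and request target from a common/combined log format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*"')

def check_line(line):
    """Return (client, path, [(param, reason), ...]) for a suspicious UTM request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if url.path not in UTM_PATHS:
        return None
    findings = []
    # parse_qsl percent-decodes values, so encoded quotes and spaces become visible.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        shape = EXPECTED.get(name)
        if shape and not shape.fullmatch(value):
            findings.append((name, "unexpected characters"))
        elif SHELL_META & set(value):
            findings.append((name, "shell metacharacter"))
    return (client, url.path, findings) if findings else None

# Constructed sample lines (documentation addresses, made-up session ids).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Sep/2003:10:00:01 +0000] "GET /cgi-bin/utm/utm_stat?cmd=user_report&sid=3f9a1c77 HTTP/1.0" 200 512',
    '192.0.2.66 - - [24/Sep/2003:10:00:07 +0000] "GET /cgi-bin/utm/admin?cmd=full_view&sid=q%22%20OR%201=1%20OR%20%22q%22=%22q HTTP/1.0" 200 9120',
    '192.0.2.67 - - [24/Sep/2003:10:00:09 +0000] "GET /cgi-bin/utm/utm_stat?cmd=change_lang&lang=ru%22,%20bill=10000,%20lang=%22ru&sid=sessionid HTTP/1.0" 200 300',
]

def scan(lines):
    """Return the findings for every suspicious line, in input order."""
    return [hit for hit in map(check_line, lines) if hit]

if __name__ == "__main__":
    for client, path, findings in scan(SAMPLE_LOG):
        print(client, path, findings)
```

Access logs record only the query string, so POST bodies need separate application-level or proxy logging before the same check can cover them.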
Provided and/or discovered by: Gleb Smirnoff

About this Secunia Advisory

Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.