
Title: Extent RBS directory Transversal
Released by:
Date: 21st September 2000
Advisory Title: Extent RBS directory Transversal.



Release Date: 09/21/2000



Application: Extent RBS



Platform: Windows NT4, Windows 2000, RedHat Linux 6.x, Sun Solaris 2.6+



Version: 2.63. Possibly older versions as well. (I have also tested 2.5 and found it vulnerable.)



Severity: Any user can get any file on the server.



Author: Obscure^ [obscure@cybergoth.i-p.com]



Vendor Status: Vendor was first contacted and informed [Thursday, September 14, 2000 3:27 PM] and has confirmed issuing a patch for WinNT and Linux. Will issue patch for Sun 21.9.2k.



Web: http://irc.m0ss.com/eos/advisories/extentrbs.htm

http://www.extent.com





Background.



http://www.extent.com/solutions/prod_rbsisp.html



Extent RBS ISP is a full OSS package which combines RADIUS, user management, Web signup, billing, invoicing and other valuable features that let you grow your IP service provider business.





Problem.



This vulnerability was discovered by me.

Extent RBS allows users to register a new subscription via Credit Card through their web browser. The problem is that the web server does not check for directory traversal when reading image files. Thus any file on the same partition (in WinNT), or any file on the system (on *NIX), which Extent RBS has permissions to read can be read by a malicious user. This includes retrieving credit card details, usernames and passwords and more, which are stored in "%HOMEDRIVE%\Program Files\\database\rbsserv.mdb".

The URL relative to this file would be:

http://localhost:8002/Newuser?Image=../../database/rbsserv.mdb
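
The missing check, sketched as an added example (not Extent's code and not part of the original advisory): the image name is resolved to a canonical path and served only if it still lies inside the image directory. The function names and the temporary directory layout are hypothetical and constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

def image_param(url):
    """Decoded value of the Image/image query parameter (the advisory uses both spellings)."""
    for key, values in parse_qs(urlsplit(url).query).items():
        if key.lower() == "image":
            return values[0]
    return None

def resolve_naive(image_root, name):
    """The flaw: the parameter is joined to the image directory unchecked."""
    return Path(os.path.normpath(os.path.join(image_root, name)))

def resolve_checked(image_root, name):
    """Return a file inside image_root, or None when the request must be refused."""
    if not name or "\x00" in name:
        return None
    name = name.replace("\\", "/")        # backslash is a separator on Windows
    root = Path(image_root).resolve()
    candidate = (root / name).resolve()    # collapses ".." and follows symlinks
    if root in candidate.parents and candidate.is_file():
        return candidate
    return None

def build_sample_tree():
    """Constructed layout: <tmp>/web/images/logo.gif and <tmp>/database/rbsserv.mdb."""
    base = Path(tempfile.mkdtemp())
    images = base / "web" / "images"
    images.mkdir(parents=True)
    (images / "logo.gif").write_bytes(b"GIF89a")
    (base / "database").mkdir()
    (base / "database" / "rbsserv.mdb").write_bytes(b"constructed dummy data")
    return images, base / "database" / "rbsserv.mdb"

if __name__ == "__main__":
    images, database = build_sample_tree()
    for url in ("http://localhost:8002/Newuser?Image=logo.gif",
                "http://localhost:8002/Newuser?Image=../../database/rbsserv.mdb"):
        name = image_param(url)
        print(name, "->", resolve_naive(images, name), "|", resolve_checked(images, name))
```

The containment test runs on the resolved path rather than on the raw string, so URL-encoded separators, backslashes, absolute paths and symlinks are all refused by the same comparison.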





Typical Scenario.



The malicious user (attacker/hacker/whatever) would just connect to port 8002 of the Extent RBS ISP which allows anonymous access, and retrieve any file on the system like Credit Card Numbers, usernames and passwords which are stored in RBSserv.mdb, by passing the URL template included below. This assumes that NTFS permissions are left in their default state.

URL template:

http:// address>:8002/NewUser?image=



Note: I have only tested in the WinNT version of Extent RBS.





Disclaimer:

The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lies within the user's responsibility.





Feedback:

Please send suggestions, updates, and comments to:





Eye on Security

mail:obscure@cybergoth.i-p.com

http://irc.m0ss.com/eos
