Date: Thu, 25 Feb 1999 07:59:30 -0700 (MST) From: mea culpa To: InfoSec News Subject: [ISN] Teenager Finds Web-server hole. Forwarded From: William Knowles http://www.wired.com/news/print_version/technology/story/18109.html?wnpg=all (Wired.com) [2.25.99] A 17-year-old Pennsylvania high school student has discovered a potentially dangerous security flaw in a line of server hardware manufactured for ISPs. Michael Righi of Pittsburgh said he discovered a flaw in the Cobalt RaQ servers that lets malicious users enter the system, find the system administrator's password, and gain access to sensitive information. Righi was able to obtain the root, or administrator, passwords to three Web sites by searching the sites for the history file through a Web browser. What's more, Righi easily found which sites run RaQ by using a simple search engine, thanks to another feature of the RaQ setup process. When RaQ installs itself, it generates a live Web page that reads "Welcome to Cobalt RaQ." By doing a search for that phrase, Righi found more than 20 sites using the appliance. Cobalt Networks developed the RaQ as a low-cost, low-maintenance Web server for the ISP market. Vivek Mehra, vice president of product development at Cobalt, said the hole, which could give a hacker access to a history file documenting a user's activities, wasn't specific to their appliance, but to the Linux operating system. Righi disagreed and said RaQ's default settings are to blame. "The Cobalt RaQ's default settings create the personal and Web directories as one and the same, which allows a system administrator's common mistake of mistyping a password to be saved in the history file," he said. He was unable to find similar exposure on sites running the Linux OS that did not use the Cobalt RaQ. Mehra said one simple remedy for the problem is to disable the history file in Linux before connecting to the Internet. Mehra said that users should always disable the history file if sensitive information is housed on the RaQ appliance. Linux administrators enter commands in what's known as a command-line interface. The OS documents each command in a history file to prevent the user from having to retype the command if he or she wants to reissue it. That history file contains a record of every command. In some cases, the system administrator needs to type in the administrator password to perform sensitive commands, like backing up the system or adding users. A record of that password is saved in the history file. In most cases, the password will be encrypted, but Righi said that running the encryption through any cracker program will reveal the actual password. If a system administrator types the password too quickly or at the wrong time, the password could be saved as text without encryption, said Righi. Frezer Jones, a system administrator at Lisco, an ISP in Fairfield, Iowa, verified Righi's exploit after the student notified him that Lisco's system was at risk. But, said Jones, Cobalt hasn't told its customers about the security implications of a history file. "Users are always susceptible when they get a box, and they think it's secure, and they don't know much," Jones said. "I think Cobalt should be more responsive. They should know a little more and be able to advise the customers accordingly." "It's up to [individual companies] what level of security they want to run their systems on," Mehra said. "We can disable the feature so it doesn't allow the history file to be generated. People do not fully understand the implications of history files." -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com] -------------------------------------------------------------------------------- Date: Thu, 25 Feb 1999 23:02:17 +0100 From: Patrick Oonk To: BUGTRAQ@netspace.org Subject: Cobalt root exploit http://www.cobaltnet.com/security.html (...) An article on a security exploit was released this morning from Wired Magazine and the San Jose Mercury News. Cobalt would like to clarify the nature of the claim, our response to it, and the solution. An individual obtained password information from history files on a Cobalt RaQ. With the RaQ, user directories are contained within the web tree. This is intentional since the purpose of our servers is for users to serve content on the web. The Details: The /etc/skel directory does not populate user directories with any files other than the index.html file and a private directory. However, if a user telnets into the box and runs various shell commands, the bash shell maintains a .bash_history file. The Problem: The .bash_history file is readable by the web server. If the admin user inadvertently types the root password at the command line (as a command rather than as an authentication response), the password will be recorded in the .bash_history file. This only affects people who telnet into the machine and make the mistake of typing their password in as a command. The Fix: Cobalt has released a security patch in the form of a package file that is installed through the web interface. The package file changes file permissions for all hidden files other than .htaccess in user home directories. Package files are available at: ftp://ftp.cobaltnet.com/pub/security or on our website at: ShellHistoryPatch-1.0.pkg. -- : Patrick Oonk - http://patrick.mypage.org/ - patrick@pine.nl : : Pine Internet B.V. Consultancy, installatie en beheer : : Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ : : -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- : : "unix is voor types zonder sociaal leven..." - Patrick van Eijk : -------------------------------------------------------------------------------- Date: Thu, 25 Feb 1999 17:27:20 -0500 From: Jon Lewis To: BUGTRAQ@netspace.org Subject: Re: Cobalt root exploit On Thu, 25 Feb 1999, Patrick Oonk wrote: > An individual obtained password information from history > files on a Cobalt RaQ. With the RaQ, user directories are > contained within the web tree. This is intentional since > the purpose of our servers is for users to serve content > on the web. > and a private directory. However, if a user telnets into > the box and runs various shell commands, the bash shell > maintains a .bash_history file. I emailed Cobalt about this issue back in 12-98. I had a Qube on eval and noticed that the combination of user home directories being within the web server's document root dir and the default umask setting making user created files world readable meant that I could use a web browser to check for .bash_history files in each user's directory...mine of course had one. I was told by Will DeHaan , that Cobalt really didn't intend to have users logging into the Qube for interactive shell sessions, but that they still planned to rearrange things such that each user home directory would not be in the web server's document root and would instead have the equivalent of a public_html dir. This change was to be integrated into future software releases. ----don't waste your cpu, crack rc5...www.distributed.net team enzo--- Jon Lewis *jlewis@lewis.org*| Spammers will be winnuked or System Administrator | nestea'd...whatever it takes Atlantic Net | to get the job done. _________http://www.lewis.org/~jlewis/pgp for PGP public key__________ -------------------------------------------------------------------------------- Date: Fri, 26 Feb 1999 05:27:55 -0500 From: John Fraizer To: BUGTRAQ@netspace.org Subject: Re: Cobalt root exploit I also notified Cobalt of this problem only in 10-98. While it didn't make it out the pipeline in the form of a patch, our Alpha RaQ2 does have this taken care of in the form of a modified directory structure. I have submitted multiple security and cosmetic patches to Cobalt. They have been very receptive to them and have implemented them into the release code for both the RaQ1 and RaQ2. All in all, they have been more receptive than any other vendor I have contacted. At 05:27 PM 2/25/99 -0500, Jon Lewis wrote: >I emailed Cobalt about this issue back in 12-98. I had a Qube on eval and >noticed that the combination of user home directories being within the web >server's document root dir and the default umask setting making user >created files world readable meant that I could use a web browser to check >for .bash_history files in each user's directory...mine of course had one. > >I was told by Will DeHaan , that Cobalt really didn't >intend to have users logging into the Qube for interactive shell sessions, >but that they still planned to rearrange things such that each user home >directory would not be in the web server's document root and would instead >have the equivalent of a public_html dir. This change was to be >integrated into future software releases. ------------------------------------------------------------------ ML.ORG is gone. Check out http://www.EZ-IP.Net - It's *FREE* ------------------------------------------------------------------ Get your *FREE* Parked Domain account at http://www.EZ-Hosting.Com ------------------------------------------------------------------ John Fraizer | __ _ | The System Administrator | / / (_)__ __ ____ __ | The choice mailto:John.Fraizer@EnterZone.Net | / /__/ / _ \/ // /\ \/ / | of a GNU http://www.EnterZone.Net/ | /____/_/_//_/\_,_/ /_/\_\ | Generation PGP Key fingerprint = 7DB6 1CA2 DAA6 43DA 3AAF 44CD 258C 3D7E B425 81A8 -------------------------------------------------------------------------------- Date: Fri, 26 Feb 1999 06:30:15 -0500 From: John Fraizer To: BUGTRAQ@netspace.org Subject: Re: Cobalt root exploit The patch released by Cobalt appears to only remove the current .bash_history file. It does not change the name, location or permissions of the file. RaQ configuration: Cobalt OS Patch (2700R)Release 2.0 Cobalt OS Release 3.0 FrontPage98 Server Extensions Release 3.0 Shell History Patch Release 1.0 [root@raq admin]# pwd /home/sites/home/users/admin [root@raq admin]# ls -al total 58 drwxrwxr-x 5 httpd home 1024 Feb 26 06:08 . drwxrwxr-x 3 httpd home 1024 Jan 12 18:31 .. -rw-rw-r-- 1 httpd home 5758 Jan 12 18:31 index.html drwx------ 2 httpd home 1024 Feb 13 02:01 mail [root@raq admin]# telnet localhost Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. Cobalt Linux release 3.0 (Fargo) Kernel 2.0.34 on a mips login: admin Password: Last login: Fri Feb 26 06:07:42 from localhost [admin@raq admin]$ ls -al total 58 drwxrwxr-x 5 httpd home 1024 Feb 26 06:08 . drwxrwxr-x 3 httpd home 1024 Jan 12 18:31 .. -rw-rw-r-- 1 httpd home 5758 Jan 12 18:31 index.html drwx------ 2 httpd home 1024 Feb 13 02:01 mail [admin@raq admin]# exit [root@raq admin]# ls -al total 59 drwxrwxr-x 5 httpd home 1024 Feb 26 06:13 . drwxrwxr-x 3 httpd home 1024 Jan 12 18:31 .. -rw-r--r-- 1 admin users 12 Feb 26 06:13 .bash_history -rw-rw-r-- 1 httpd home 5758 Jan 12 18:31 index.html drwx------ 2 httpd home 1024 Feb 13 02:01 mail [root@raq admin]# The .bash_history file is still created even after the Shell History Patch Release 1.0 is applied to the RaQ and is still world readable. And of course, what post to BUGTRAQ would be complete without a fix? The Fix: Add the following lines to /etc/profile touch $HISTFILE chmod 600 $HISTFILE For the really paranoid, place the following line before the touch command: HISTFILE=~/.some.other.name ------------------------------------------------------------------ ML.ORG is gone. Check out http://www.EZ-IP.Net - It's *FREE* ------------------------------------------------------------------ Get your *FREE* Parked Domain account at http://www.EZ-Hosting.Com ------------------------------------------------------------------ John Fraizer | __ _ | The System Administrator | / / (_)__ __ ____ __ | The choice mailto:John.Fraizer@EnterZone.Net | / /__/ / _ \/ // /\ \/ / | of a GNU http://www.EnterZone.Net/ | /____/_/_//_/\_,_/ /_/\_\ | Generation PGP Key fingerprint = 7DB6 1CA2 DAA6 43DA 3AAF 44CD 258C 3D7E B425 81A8 -------------------------------------------------------------------------------- Date: Fri, 26 Feb 1999 22:27:49 -0500 From: Illuminatus Primus To: BUGTRAQ@netspace.org Subject: Re: Cobalt root exploit +----[ On Thu, Feb 25, at 05:15PM(-0500), xs wrote: ]-------------- | The Fix: | | Cobalt has released a security patch in the form of a | package file that is installed through the web interface. | The package file changes file permissions for all hidden | files other than .htaccess in user home directories. | Package files are available at: | ftp://ftp.cobaltnet.com/pub/security or on our website | at: ShellHistoryPatch-1.0.pkg. +----[ End Quote ]--------------------------- This doesn't sound like a very good permanent fix; dotfiles can spring into existence at any moment! You'd have to keep running this fix over and over to stop new files from being available over the web. What Cobalt could do to permanently stop dotfiles from getting out onto the net is to add the following to Apache's conf file: order allow,deny deny from all This would prevent any file beginning with a dot from being allowed out through the web. -------------------------------------------------------------------------------- Date: Sat, 27 Feb 1999 11:13:05 +0100 From: Joel Eriksson To: BUGTRAQ@netspace.org Subject: Re: Cobalt root exploit On Fri, 26 Feb 1999, John Fraizer wrote: > The .bash_history file is still created even after the Shell History Patch > Release 1.0 is applied to the RaQ and is still world readable. > > And of course, what post to BUGTRAQ would be complete without a fix? > > The Fix: > > Add the following lines to /etc/profile > > touch $HISTFILE > chmod 600 $HISTFILE > > > For the really paranoid, place the following line before the touch command: > > HISTFILE=~/.some.other.name Why not : ln -sf /dev/null $HISTFILE or simply: unset HISTFILE Who needs those historyfiles anyway? The only usage I can think of is to see if someone else has used your account, but then the intruder must have been _veeery_ lame, and if a lamers like that got in at all, you got much bigger problems to think of... > ------------------------------------------------------------------ > ML.ORG is gone. Check out http://www.EZ-IP.Net - It's *FREE* > ------------------------------------------------------------------ > Get your *FREE* Parked Domain account at http://www.EZ-Hosting.Com > ------------------------------------------------------------------ > John Fraizer | __ _ | > The System Administrator | / / (_)__ __ ____ __ | The choice > mailto:John.Fraizer@EnterZone.Net | / /__/ / _ \/ // /\ \/ / | of a GNU > http://www.EnterZone.Net/ | /____/_/_//_/\_,_/ /_/\_\ | Generation > PGP Key fingerprint = 7DB6 1CA2 DAA6 43DA 3AAF 44CD 258C 3D7E B425 81A8