'Re: [Full-disclosure] AirOS remote root 0day'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Re: [Full-disclosure] AirOS remote root 0day
From:       sd <sd () fucksheep ! org>
Date:       2011-12-25 1:45:39
Message-ID: CAE6fNr+TUktddjRz2Om0nwx724LOYk6BdgDW9EAkc+W=zx0+vA () mail ! gmail ! com
[Download RAW message or body]

The bug is lighttpd's. It's whitelist is applied to actual url (thus
allowing .cgi, .css, .gif etc, according to its whitelist).
However that pesky PATHINFO feature strips all trailing path
components in hopes of finding a valid path
(/admin.cgi/blah.(css|gif|js...)) becomes just /admin.cgi).

Actual trailing paths granting arbitrary CGI access:
airos.allow = (
	".ico",
	".gif",
	".png",
	".jpg",
	".js",
	".css",
	"jsl10n.cgi",
	"poll.cgi",
	"airview.jar.pack.gz",
	"airview_manager.jnlp",
	"airview.jnlp",
	"airview.uavr",
	"/login.cgi",
	"/ticket.cgi"
)


Note that this is a common bug (elaborate security company tract
pending :) and exploit evading cgi access restrictions based on url
rules.

Fixing it, surprisinly, is not easy - all filters provided by
airos.allow/deny are strncmp() applied to the end of original
(pre-pathinfo) uri and pretty much useless.
Just upgrade to fw 5.3.5 released few days ago by ubiquity.

Additional L7 rules anywhere upstream are embarassingly ineffective
(just use http url escaping to evade) and merely stops skynet from
spreading
Also, the shell worm spreading using this renames /admin.cgi to
/adm.cgi - for you guys having trouble actually exploing infected
systems :)

2011/12/23 Christopher Granger <chrisgrangerx@gmail.com>:
> Does anyone have additional information about this vulnerability?
>
> It looks like it can be exploited by requesting:
>
> http://[X.X.X.X]/admin.cgi/[any or no filename string].css
>
> Although http://gregsowell.com/?p=3428 states: "The exploit appears to be a
> flaw in the admin.cgi file(CORRECTION…IT IS ALL PAGES SO WE WILL BLOCK ALL
> CGI)."
>
> However, this last runs counter to what I've seen so far ...
>
> Thanks,
> -Chris
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic