NetUP Multiple Vulnerabilities
Secunia Advisory: SA9831
Release Date: 2003-09-24
Popularity: 5,337 views
Critical: Highly critical
Impact: Security Bypass, Manipulation of data, Privilege escalation, System access
Where: From remote
Solution Status: Unpatched
Software: NetUP UTM 3.x, NetUP UTM 4.x
Description: Multiple vulnerabilities have been reported in NetUP, which can be exploited by malicious people to gain system access and manipulate user accounts.
1) The "admin" and "utm_stat" programs don't properly verify the "sid" parameter, allowing malicious people to hijack sessions from other users through SQL injection. This may be done by injecting SQL that always returns true. The malicious person then gains access as the first current session.
Examples:
https://[server]/cgi-bin/utm/admin?cmd=full_view&sid=q%22%20OR%201=1%20OR%20%22q%22=%22q
https://[server]/cgi-bin/utm/utm_stat?cmd=user_report&sid=q%22%20OR%201=1%20OR%20%22q%22=%22q
2) Malicious users can alter all settings of their accounts by using SQL injection when changing language preferences. The "lang" parameter isn't properly verified, making it possible to add parameters to be updated. This could be exploited to alter the balance of the user account.
Example:
https://[server]/cgi-bin/utm/utm_stat?cmd=change_lang&lang=ru%22,%20bill=10000,%20lang=%22ru&sid=sessionid
3) UTM fails to verify parameters that are passed to executables such as "ipchains" or "ipfw". This allows injection of shell metacharacters like ";", which can be exploited to execute arbitrary code on the system.
4) Users with access to the "dict" table can alter not only the language settings but also configuration settings in "utm.cfg". The problem is that all configuration options and language settings are exported to global variables. Because the language settings are initialized last, they can override configuration options.
5) Anyone able to execute code with the privileges of the httpd process (by exploiting issue 3 or 4, or users with access to the web root) can escalate their privileges due to the sudo configuration.
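As an added example (not part of the Secunia advisory and not NetUP code), issues 1 and 2 can be hunted for in web server access logs by decoding the "sid" and "lang" parameters of requests to the two CGI programs and flagging values that do not look like a session id or a language code. The expected parameter formats, the function names and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed formats (the advisory does not state them): session ids are
# alphanumeric tokens, language codes are 2-3 lowercase letters.
EXPECTED = {
    "sid": re.compile(r"[A-Za-z0-9]{1,64}"),
    "lang": re.compile(r"[a-z]{2,3}"),
}
# The two CGI programs named in the advisory.
UTM_PATHS = ("/cgi-bin/utm/admin", "/cgi-bin/utm/utm_stat")
# Request field of a common/combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def check_request(target):
    """Return [(param, decoded_value)] for sid/lang values outside the expected format."""
    url = urlsplit(target)
    if url.path not in UTM_PATHS:
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    return [(name, value)
            for name, pattern in EXPECTED.items()
            for value in params.get(name, [])
            if not pattern.fullmatch(value)]

def scan_log(lines):
    """Return [(line_number, param, decoded_value)] for every flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            hits += [(number, p, v) for p, v in check_request(match.group(1))]
    return hits

# Constructed log lines; lines 2 and 3 reuse the advisory's example query strings.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Sep/2003:10:00:01 +0000] "GET /cgi-bin/utm/utm_stat'
    '?cmd=user_report&sid=a1b2c3d4e5 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [24/Sep/2003:10:02:17 +0000] "GET /cgi-bin/utm/admin'
    '?cmd=full_view&sid=q%22%20OR%201=1%20OR%20%22q%22=%22q HTTP/1.1" 200 9001',
    '192.0.2.44 - - [24/Sep/2003:10:03:40 +0000] "GET /cgi-bin/utm/utm_stat'
    '?cmd=change_lang&lang=ru%22,%20bill=10000,%20lang=%22ru&sid=sessionid HTTP/1.1" 200 311',
    '192.0.2.10 - - [24/Sep/2003:10:05:02 +0000] "GET /cgi-bin/utm/utm_stat'
    '?cmd=change_lang&lang=en&sid=a1b2c3d4e5 HTTP/1.1" 200 311',
]

if __name__ == "__main__":
    for number, param, value in scan_log(SAMPLE_LOG):
        print(f"line {number}: suspicious {param}={value!r}")
```

The check only sees parameters that appear in the logged request line, so values sent in a POST body need the same validation applied where the request body is available.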
About this Secunia Advisory
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.