ContentKeeper Authentication Bypass, Remote Code Execution & Privilege Escalation
Release Date:
03-Apr-2009
Software:
ContentKeeper Technologies - ContentKeeper Web
http://www.contentkeeper.com/
"ContentKeeper is an industry leading Internet content filter that allows
organisations to monitor, manage, control & secure staff access to
Internet resources."
Versions affected:
ContentKeeper 125.09 and below.
Vulnerability discovered:
Remote command execution and privilege escalation vulnerabilities.
Vulnerability impact:
High - Unauthenticated users with access to the management IP address
of the device may execute commands remotely as the apache user.
Furthermore, a privilege escalation vulnerability is present allowing
for unauthenticated remote root compromise.
Vulnerability information
The appliance is administered by use of a web browser HTML based front
end. The .htaccess file prohibits unauthenticated access to known HTML management
pages, however other binaries, such as mimencode, are exposed.
By sending a HTTP POST request, it is possible to write arbitrary data
to a default file which has world read-write-execute permissions.
It is then possible to send a HTTP GET request to the written file, to execute
arbitrary commands remotely. It is also possible to use mimencode to conduct
directory traversal style attacks, e.g. obtaining a mime encoded copy of
'/etc/passwd'.
In addition, the setuid root benetool available to the apache user contains an
unsafe call to 'ps' and others, allowing for PATH manipulation for root escalation
A Metasploit Framework Module is available in the trunk.
Solution:
Upgrade to 125.10 or above.
Credit:
Patrick Webster
Disclosure timeline:
10-Apr-2008 - Discovered during audit.
18-Jul-2008 - Vendor notified.
18-Jul-2008 - Vendor response.
25-Feb-2009 - Vendor confirmed patched version.
03-Apr-2009 - Public disclosure.
03-Apr-2009
Software:
ContentKeeper Technologies - ContentKeeper Web
http://www.contentkeeper.com/
"ContentKeeper is an industry leading Internet content filter that allows
organisations to monitor, manage, control & secure staff access to
Internet resources."
Versions affected:
ContentKeeper 125.09 and below.
Vulnerability discovered:
Remote command execution and privilege escalation vulnerabilities.
Vulnerability impact:
High - Unauthenticated users with access to the management IP address
of the device may execute commands remotely as the apache user.
Furthermore, a privilege escalation vulnerability is present allowing
for unauthenticated remote root compromise.
Vulnerability information
The appliance is administered by use of a web browser HTML based front
end. The .htaccess file prohibits unauthenticated access to known HTML management
pages, however other binaries, such as mimencode, are exposed.
By sending a HTTP POST request, it is possible to write arbitrary data
to a default file which has world read-write-execute permissions.
It is then possible to send a HTTP GET request to the written file, to execute
arbitrary commands remotely. It is also possible to use mimencode to conduct
directory traversal style attacks, e.g. obtaining a mime encoded copy of
'/etc/passwd'.
In addition, the setuid root benetool available to the apache user contains an
unsafe call to 'ps' and others, allowing for PATH manipulation for root escalation
A Metasploit Framework Module is available in the trunk.
Solution:
Upgrade to 125.10 or above.
Credit:
Patrick Webster
Disclosure timeline:
10-Apr-2008 - Discovered during audit.
18-Jul-2008 - Vendor notified.
18-Jul-2008 - Vendor response.
25-Feb-2009 - Vendor confirmed patched version.
03-Apr-2009 - Public disclosure.
