Openfiler v2.x multiple vulnerabilities
Openfiler v2.x allows authenticated remote attackers to gain root access.
Software
Software Link: http://www.openfiler.com/
Vulnerable Versions: 2.x (Tested: 2.3, 2.99.1, 2.99.2)
Vendor Notification:
# 2012-09-04 # submitted bug 1251
# 2012-09-06 # advisory released
# 0x00 # Arbitrary Command Execution # Authenticated
It is possible to execute arbitrary commands remotely as the 'openfiler' user by injecting commands into the 'device' parameter of '/opt/openfiler/var/www/htdocs/admin/system.html'.
The 'openfiler' user is part of the 'wheel' group and can 'sudo /bin/bash' without providing a password.
The 'system.html' file uses user-controlled data from the 'device' parameter to create a new 'NetworkCard' object. The class constructor in 'network.inc' calls exec() with the supplied data.
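For defenders reviewing an exposed appliance, the following added example (not part of the original advisory and not Openfiler code) scans web access logs for requests to 'system.html' whose 'device' value is not a plain interface name. It assumes the parameter appears in the query string of a combined-format access log and that legitimate values look like 'eth0', 'bond0.10' or 'eth0:1'; the log lines and the '/other.html' path are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate values are interface names such as eth0, bond0.10, eth0:1.
SAFE_DEVICE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,14}(?:[.:][0-9]{1,4})?")
# Client address and request target from a combined-format access log line.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# URL path of the page named in the advisory.
TARGET_PATH = "/admin/system.html"


def suspicious_device_requests(lines):
    """Return (client_ip, decoded_device) for every request to system.html
    whose 'device' value is not a plain interface name."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parsable request line
        url = urlsplit(m.group("target"))
        if url.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes the values, so encoded metacharacters
        # are compared in their decoded form.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("device", []):
            if not SAFE_DEVICE.fullmatch(value):
                hits.append((m.group("ip"), value))
    return hits


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Sep/2012:10:00:01 +0000] "GET /admin/system.html?device=eth0 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [06/Sep/2012:10:00:09 +0000] "GET /admin/system.html?device=bond0.10 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Sep/2012:10:02:44 +0000] "GET /admin/system.html?device=eth0%3BPLACEHOLDER HTTP/1.1" 200 5077',
    '198.51.100.7 - - [06/Sep/2012:10:02:50 +0000] "GET /other.html?device=eth0%3BPLACEHOLDER HTTP/1.1" 200 811',
]

if __name__ == "__main__":
    for ip, device in suspicious_device_requests(SAMPLE_LOG):
        print(f"{ip} sent non-interface device value: {device!r}")
```

Requests that carry the parameter in a POST body do not appear in access logs, so an empty result does not rule out abuse.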
The following proof of concept is available:
# 0x01 # Information Disclosure # Unauthenticated
The following proof of concept is available:
# 0x02 # Credential Disclosure # Authenticated
The 'usercookie' and 'passcookie' cookies contain the username and password, respectively, in plain text. Furthermore, these cookies are not protected with the 'HttpOnly' flag.
# 0x03 # Cross-Site Request Forgery # Authenticated
The following proof of concept is available:
# 0x04 # Reflected Cross-Site Scripting # Authenticated
The following proof of concept is available: