Openfiler v2.x multiple vulnerabilities

Openfiler v2.x allows authenticated remote attackers to gain root access.

Software

Software Link: http://www.openfiler.com/

Vulnerable Versions: 2.x (Tested: 2.3, 2.99.1, 2.99.2)

Vendor Notification:

# 2012-09-04 # submitted bug 1251

# 2012-09-06 # advisory released

# 0x00 # Arbitrary Command Execution # Authenticated

It is possible to execute arbitrary commands remotely as the 'openfiler' user by injecting commands into the 'device' parameter of '/opt/openfiler/var/www/htdocs/admin/system.html'.

The 'openfiler' user is part of the 'wheel' group and can 'sudo /bin/bash' without providing a password.

The 'system.html' file uses user-controlled data from the 'device' parameter to create a new 'NetworkCard' object. The class constructor in 'network.inc' calls exec() with the supplied data.
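
As an added defender-side illustration (not code from this advisory or from Openfiler itself), the Python below shows an allowlist check for the 'device' value, which is the kind of validation the constructor lacks, and runs it over constructed Apache-style access-log lines to flag requests to system.html whose 'device' value fails the check; the web path '/admin/system.html' and the log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Linux interface names are at most 15 characters (IFNAMSIZ - 1) and, in practice,
# use only letters, digits and a few punctuation characters. Anything else is rejected,
# which leaves no room for shell metacharacters to reach exec().
DEVICE_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9_.:-]{0,14}$')

def is_valid_device(name: str) -> bool:
    """Allowlist check: True only for a plausible interface name such as 'eth0' or 'bond0.10'."""
    return DEVICE_RE.fullmatch(name) is not None

# Combined-log-format request line (assumed format for the constructed samples below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed web path of the vulnerable script (the advisory gives only the filesystem path).
SYSTEM_PAGE = '/admin/system.html'

def suspicious_device_requests(log_lines):
    """Return (client ip, decoded device value) for requests to system.html
    whose 'device' query value fails the allowlist."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        if not parts.path.endswith(SYSTEM_PAGE):
            continue
        # parse_qs percent-decodes the value, so the check sees what the application saw
        for value in parse_qs(parts.query, keep_blank_values=True).get('device', []):
            if not is_valid_device(value):
                hits.append((m.group('ip'), value))
    return hits

# Constructed sample log lines (not real traffic): one benign request, one with a
# shell metacharacter in 'device', and one unrelated page.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Sep/2012:10:00:01 +0000] "GET /admin/system.html?device=eth0 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [04/Sep/2012:10:00:07 +0000] "GET /admin/system.html?device=eth0%3Bid HTTP/1.1" 200 5120',
    '10.0.0.9 - - [04/Sep/2012:10:00:09 +0000] "GET /admin/index.html HTTP/1.1" 200 900',
]

if __name__ == '__main__':
    for ip, device in suspicious_device_requests(SAMPLE_LOG):
        print(f'suspicious device value from {ip}: {device!r}')
```

If the parameter is submitted in a POST body, the access log will not contain it, so the same allowlist check belongs in the application (or a request-inspecting proxy) rather than in a log scan alone.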

The following proof of concept is available:

# 0x01 # Information Disclosure # Unauthenticated

The following proof of concept is available:

# 0x02 # Credential Disclosure # Authenticated

The 'usercookie' and 'passcookie' cookies contain the username and password, respectively, in plain text. Furthermore, these cookies are not protected with the 'HttpOnly' flag.

# 0x03 # Cross-Site Request Forgery # Authenticated

The following proof of concept is available:

# 0x04 # Reflected Cross-Site Scripting # Authenticated

The following proof of concept is available:

Reference

# OWASP: Information Leakage

# OWASP: Code Injection

# OWASP: Cross-Site Scripting (XSS)

# OWASP: Cross-Site Request Forgery (CSRF)

Appendix

[TXT] Openfiler v2.x multiple vulnerabilities