[12507] in bugtraq
Re: BigIP - bigconf.cgi holes
daemon@ATHENA.MIT.EDU (Guy Cohen)
Wed Nov 10 12:30:31 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19991110113009.A13654@crypto.org.il>
Date: Wed, 10 Nov 1999 11:30:09 +0200
Reply-To: Guy Cohen <guy@CRYPTO.ORG.IL>
From: Guy Cohen <guy@CRYPTO.ORG.IL>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <111627409F79D2119FB100A0C9EEDC3ED735F4@f5-exchange.win.net>;
from Rob Gilde on Tue, Nov 09, 1999 at 11:30:55AM -0800
Hello again,
First of all I must apologize for the corrupt date of my last post.
Now:
Rob Gilde wrote:
.|
.| Guy is discussing an issue that affects older versions of BIG/ip.
.| As he points out, the risk is from internal users. In older versions
.| of BIG/ip, there is effectively only one user and that user has root
.| privileges. That user could execute commands as root through a shell
.| escape in our web-based user interface.
.|
.| As of Version 2.1, this is no longer possible. The current version
.| of BIG/ip is 2.1.2. The software update is available for free over
.| the net to all customers with support contracts.
.|
Unfortunately, this affects version 2.1.2 too.
I have added (using the HTML interface) a user with READ-ONLY access, logged
in as this user, and by executing
'bigconf.cgi?command=view_textfile&file=/etc/master.passwd&filters=;' I was
able to see the encrypted passwords in /etc/master.passwd, which is for
root eyes only.
--
Guy Cohen.
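
Added example, not part of the original post and not F5 code: a log check that flags bigconf.cgi view_textfile requests like the one quoted above. The allowed directory, the Common Log Format layout, the user names, the sample lines and the metacharacter test on `filters` are all assumptions made for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import parse_qs, urlsplit

ALLOWED_DIRS = ("/var/log/",)  # assumption: what a read-only user may view
SHELL_META = re.compile(r"[;|&`$<>\\\n]")  # assumption: never valid in filters
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')  # CLF request field

def check_request(uri):
    """Return findings for one request URI (empty list if nothing is wrong)."""
    parts = urlsplit(uri)
    if parts.path.rsplit("/", 1)[-1] != "bigconf.cgi":
        return []
    # Split on '&' only, so a literal ';' stays inside the parameter value.
    q = parse_qs(parts.query, keep_blank_values=True, separator="&")
    if "view_textfile" not in q.get("command", []):
        return []
    findings = []
    for raw in q.get("file", []):
        path = normpath(raw)  # collapse ../ before comparing to the allowlist
        if not path.startswith(ALLOWED_DIRS):
            findings.append(f"file outside allowlist: {path}")
    for raw in q.get("filters", []):
        if SHELL_META.search(raw):
            findings.append(f"shell metacharacter in filters: {raw!r}")
    return findings

def scan(lines):
    """Return (client, user, findings) for every suspicious log line."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        findings = check_request(m.group(1)) if m else []
        if findings:
            fields = line.split()
            hits.append((fields[0], fields[2], findings))
    return hits

# Constructed sample lines, not taken from a real device.
SAMPLE = [
    '192.0.2.10 - readonly [10/Nov/1999:11:20:01 +0200] "GET /bigconf.cgi?'
    'command=view_textfile&file=/etc/master.passwd&filters=; HTTP/1.0" 200 812',
    '192.0.2.10 - readonly [10/Nov/1999:11:21:40 +0200] "GET /bigconf.cgi?'
    'command=view_textfile&file=/var/log/messages&filters= HTTP/1.0" 200 4096',
    '192.0.2.11 - admin [10/Nov/1999:11:25:02 +0200] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for client, user, findings in scan(SAMPLE):
        print(client, user, "; ".join(findings))
```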