Title: Xitami Webserver clear text password storage Vulnerability
Author: Larry W. Cashdollar, @_larry0
Download Site: http://www.imatix.com/
Vendor Notified: 2001-11-23
Vendor Contact: http://en.wikipedia.org/wiki/Xitami
Description: Xitami is a Web and FTP server, originally developed by iMatix Corporation as a free, open-source product from 1996 to 2000. It ran as a single process with a small footprint. It was not as fast as the fastest servers but scaled well. It supported several web application protocols and was very portable. It also had a web interface to configure the web/FTP server.
The webserver administrator password is stored clear-text in a world readable file. A local user can use the webserver admin password to gain control of a (default) root owned process. The server can then be reconfigured by the malicious user (locally unless configured to allow remote administration) to read sensitive system file and execute commands as root.
Vulnerable Packages/Systems: Xitami Webserver 2.4d9, 2.5b5 beta
I tested using the source packages suni24d9.tgz, suni25b5.tgz obtained from xitami.com on a RedHat 6.2 i386 system.
During installation the administrator is asked to enter an account and username password used to access the web administrator function. By default administration of the webserver is only allowed from localhost. This information is stored in a file called default.aut
[lwcash@mathom xitami]$ ls -l defaults.aut - -rw-r--r-- 1 root root 107 Nov 23 10:56 defaults.aut
If the server is configured by default (just hitting enter when asked to enable remote web administration) then a local user can use the admin password stored in the above file to reconfigure the webserver and among other things change the cgi-bin directory to /tmp/cgi-bin. By default the server runs as root and does not drop privledges.
I did the following.
echo "#!/bin/sh" > /tmp/cgi-bin/test.cgi echo "chmod 666 /etc/passwd" >> /tmp/cgi-bin/test.cgi
The following URL will execute our cgi as root: http://localhost/tmp/cgi-bin/test.sh
If the server has been configured to allow remote administration, then the above url can be accessed remotely.
Configuration files that store sensitive information should have very restrictive file permissions. Passwords should never be stored in clear-text, they should be stored at least as a one way hash.
I suspect by the wording used during installation, that many administrators might enable remote web administration since it seems to be almost suggested by the installation script. You might want to change the wording around to discourage it.
I suspect changing the permissions of default.aut to read only for root would help a little, but did not test it.