The Metasploit Project
"Point. Click. Root."
Framework 3.1 ( WIN32 - UNIX )

Title:
Lyris ListManager Multiple Flaws
Release Date:
December 8, 2005
Patch Date:
Unknown (v8.9b resolves most issues)
Reported Date:
June 21, 2005
Vendor:
Lyris
Systems Affected:
Lyris ListManager v5.0-8.8a (most flaws)
Summary:
The Lyris ListManager software is vulnerable to numerous SQL injection, source code disclosure, and authentication bypass flaws. ListManager runs on Linux, Solaris, and Windows and can be configured to use one of the following database backends: PostgreSQL, Oracle, or MSSQL/MSDE. These flaws can be used to gain complete access to the ListManager data and often to the host server itself.
Vendor Status:
The vendor is working on a patch for the remaining issues, the last update was received December 14, 2005.
Exploit Availability:
A Metasploit Framework module has been developed for the Read Message Attachment SQL Injection flaw: lyris_attachment_mssql.
No code is required to exploit the other flaws.
Researcher(s):
H D Moore (hdm[at]metasploit.com)
Vulnerability Details:
The Lyris ListManager software provides HTTP, SMTP, and NNTP services for the Linux, Windows, and Solaris platforms. The web interface uses an embedded version of the TCLHTTPd web server and the administrative tools are web applications written in the TCL scripting language. A number of input validation flaws have been discovered in the TCL scripts, many of which can result in a complete compromise of the hosting system.

New Subscription Administrative Command Injection
The web interface for subscribing a new user to a mailing list (/subscribe/subscribe) accepts a list password parameter (pw). This parameter is checked for spaces but is otherwise not sanitized before being placed into a buffer. This buffer is inserted into the processing queue as a new, authenticated command message. It is possible to use %0A%0D sequences, in combination with a line wrap feature in the command processing engine, to execute arbitrary list administration commands. This flaw has not been fixed in the current version (v8.9b).

Read Message Attachment SQL Injection
It is possible to execute arbitrary queries against the backend database by requesting a URL in the following format: /read/attachment/1;DELETE+FROM+TABLENAME;--/3. The attachment identifier is taken from the URL path and placed directly into the query text. Depending on the database type, it may be possible to gain remote access to the system through this flaw. This flaw has been fixed in the latest version (8.9b).

Multiple 'orderby' Parameter SQL Injection Flaws
It is possible to supply a SQL "ORDER BY" column to almost every list of items displayed in the web interface. The code which processes this field checks for space and tab characters, but each of the supported databases accepts other forms of whitespace. When using the MSSQL/MSDE backend, it is possible to reach the xp_cmdshell stored procedure by using newline characters as whitespace and substituting ASCII 0xFF for the spaces in the cmd.exe command string (the command interpreter treats 0xFF as a space). There are many other ways to exploit this, depending on the database type. This flaw has been fixed in the latest version (8.9b).
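The three flaws above (the subscribe 'pw' parameter, the attachment identifier, and 'orderby') share one shape: a denylist of one or two characters in front of code that splices the request value into a command message or a SQL statement. The following Python is an added illustration and is not code from this advisory or from Lyris. It models the space-only check on 'pw', the space/tab check on 'orderby', and the unfiltered attachment id, beside the allowlist and parameter-binding replacements a reviewer would ask for. The column names, the query text and the sample request values are constructed for the demonstration; the advisory does not show the TCL scripts' actual code.

```python
import re
from typing import Optional, Tuple
from urllib.parse import unquote_to_bytes


def decode_param(raw: str) -> str:
    """URL-decode a request value byte for byte ('+' as space, as in the advisory's
    example URL); latin-1 keeps a raw 0xFF byte as U+00FF instead of mangling it."""
    return unquote_to_bytes(raw.replace("+", " ")).decode("latin-1")


# --- Checks of the shape the advisory describes: a denylist of one or two characters ---

def weak_pw_check(pw: str) -> bool:
    """Subscribe 'pw' handling: only a literal space is refused; CR/LF pass through."""
    return " " not in pw


def weak_orderby_check(col: str) -> bool:
    """'orderby' handling: space and tab are refused; newline, 0x0B, 0x0C and 0xFF pass."""
    return " " not in col and "\t" not in col


def weak_attachment_query(id_segment: str) -> str:
    """Attachment id lifted from the URL path and spliced into SQL text (query shape assumed)."""
    return "SELECT body FROM attachments WHERE id = " + id_segment


# --- Hardened equivalents: reject control characters, allowlist, bind parameters ---

ORDERBY_COLUMNS = {"name", "email", "date"}   # assumed column names for the demonstration


def safe_pw_check(pw: str) -> bool:
    """Refuse any control character, so a CR/LF can never reach the command queue."""
    return bool(pw) and pw.isprintable()


def safe_orderby(col: str) -> Optional[str]:
    """Map the request value onto a fixed column set; the value itself never reaches SQL."""
    return col if col in ORDERBY_COLUMNS else None


def safe_attachment_query(id_segment: str) -> Optional[Tuple[str, Tuple[int]]]:
    """Require a plain decimal id and hand it to the driver as a bound parameter."""
    if not re.fullmatch(r"[0-9]{1,9}", id_segment):
        return None
    return ("SELECT body FROM attachments WHERE id = ?", (int(id_segment),))


# Constructed request values modelled on the shapes the advisory describes.
CRLF_PW = "secret%0A%0Dcommand"                                     # CR/LF smuggled into the list password
NEWLINE_COL = "name%0A;exec%0Axp_cmdshell%0A'cmd.exe%FF/c%FFdir'"  # newline and 0xFF in place of spaces
SQLI_ID = "1;DELETE+FROM+TABLENAME;--"                              # the attachment path segment from the advisory


def run_demo() -> dict:
    """Run every value through the weak and the hardened check and collect the outcomes."""
    pw = decode_param(CRLF_PW)
    col = decode_param(NEWLINE_COL)
    seg = decode_param(SQLI_ID)
    return {
        "weak_pw_passes": weak_pw_check(pw),
        "safe_pw_passes": safe_pw_check(pw),
        "weak_orderby_passes": weak_orderby_check(col),
        "orderby_other_whitespace": [c for c in col if c.isspace() and c not in " \t"],
        "orderby_has_0xff": "\xff" in col,
        "safe_orderby": safe_orderby(col),
        "weak_sql": weak_attachment_query(seg),
        "safe_sql": safe_attachment_query(seg),
        "safe_sql_ok": safe_attachment_query("1"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:28s} {value!r}")
```

The point of the hardened versions is that none of them tries to enumerate bad characters: the password check keeps only printable text, the column name is looked up in a set rather than copied into the statement, and the id is converted to an integer and bound, so the database driver never sees the request text at all.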

MSDE Weak 'sa' Account Password
The MSDE version of the ListManager installer uses a static password of 'lminstall' for the 'sa' user account during the installation process. After the installer finishes, the password is permanently set to 'lyris' followed by a 1 to 5 digit number. This number appears to be the process ID of the installer. This password is trivial to find with a brute-force attack and can lead to an immediate system compromise. This flaw has not been fixed in the current version (v8.9b).
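To audit an existing MSDE installation for this scheme, the following Python is an added example, not from the advisory or from Lyris. It classifies an 'sa' password against the two patterns the advisory gives and enumerates the post-install candidate space; it assumes the number is written without leading zeros, as a process ID would be, which is why there are 99,999 candidates.

```python
import re
from typing import Iterator

INSTALL_TIME_PASSWORD = "lminstall"                       # static 'sa' password while the installer runs
POST_INSTALL_PATTERN = re.compile(r"^lyris[0-9]{1,5}$")   # 'lyris' followed by a 1 to 5 digit number


def classify_sa_password(password: str) -> str:
    """Label an MSDE 'sa' password: 'installer-static', 'lyris-plus-number' or 'ok'.
    SQL Server passwords are case-sensitive, so the match is case-sensitive too."""
    if password == INSTALL_TIME_PASSWORD:
        return "installer-static"
    if POST_INSTALL_PATTERN.match(password):
        return "lyris-plus-number"
    return "ok"


def candidate_passwords() -> Iterator[str]:
    """Every value the post-install scheme can produce, assuming the number is a
    process ID written without leading zeros (so 1 through 99999)."""
    for pid in range(1, 100000):
        yield f"lyris{pid}"


def candidate_count() -> int:
    """Size of the space a brute-force attempt has to cover."""
    return sum(1 for _ in candidate_passwords())


if __name__ == "__main__":
    for pw in ("lminstall", "lyris4172", "lyris123456", "Lyris17", "correct horse"):
        print(f"{pw!r:16} {classify_sa_password(pw)}")
    print("candidates:", candidate_count())
```

At one login attempt per millisecond the whole candidate set takes under two minutes, which is what makes the advisory's "trivial" accurate; the fix is to set 'sa' to an unrelated password once the installer has finished.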

TCLHTTPd Status Module Information Disclosure
Some versions of the ListManager software allow requests to the "status" module (/status/) included with TCLHTTPd. This module returns detailed information about the server configuration. This flaw has been fixed in the latest version (8.9b).

TCLHTTPd %00 TML Source Disclosure
The TCLHTTPd service included with the Lyris ListManager product uses '.tml' files to store server-side TCL code. It is possible to view the source of any TML script by appending a URL-encoded NULL byte to the request (/read/.tml%00). The server may request authentication, but this can be bypassed by specifying any username ending in the @ character in conjunction with a bogus password. This flaw has been fixed in the latest version (8.9b).

Error Message Information Disclosure
Older versions of the ListManager software, such as v8.5, place the entire CGI environment into a hidden variable ('env') when a non-existent page is requested. This environment contains the software version and the directory path to the ListManager installation. Newer versions, such as v8.8, no longer dump the environment on 404 responses, but they do provide detailed diagnostic information when an error occurs in a TML script. Many of the TML scripts can be accessed without authentication and disclose information such as the installation path, software version, and often SQL queries and code blocks. An example URL that reproduces the problem is: /read/rss?forum=404. This flaw has not been fixed in the current version (v8.9b).
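Most of the flaws in this section leave a recognisable trace in the web server's access log. The following Python is an added example and is not part of the advisory: it scans Common Log Format lines for the request shapes described above (the /status/ module, a .tml%00 source request, a ';' inside the attachment id, an 'orderby' value that is not a bare identifier, CR/LF in the subscribe 'pw' parameter, and an authenticated username ending in '@'). The log lines are constructed; the query-string placement of 'orderby' and 'pw', and the assumption that the server writes the HTTP auth username into the CLF authuser field, are both assumptions of the example.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed Common Log Format lines. The paths follow the request shapes the
# advisory describes; where 'orderby' and 'pw' actually travel is assumed here.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Dec/2005:10:00:01 -0600] "GET /read/?forum=1 HTTP/1.1" 200 5120
10.0.0.7 - - [08/Dec/2005:10:00:02 -0600] "GET /status/ HTTP/1.1" 200 2311
10.0.0.7 - admin@ [08/Dec/2005:10:00:03 -0600] "GET /read/.tml%00 HTTP/1.1" 200 9870
10.0.0.7 - - [08/Dec/2005:10:00:04 -0600] "GET /read/attachment/1;DELETE+FROM+TABLENAME;--/3 HTTP/1.1" 500 412
10.0.0.7 - - [08/Dec/2005:10:00:05 -0600] "GET /read/?orderby=name%0a;exec%0axp_cmdshell HTTP/1.1" 500 412
10.0.0.7 - - [08/Dec/2005:10:00:06 -0600] "POST /subscribe/subscribe?pw=x%0A%0Dcmd HTTP/1.1" 200 300
10.0.0.9 - - [08/Dec/2005:10:00:07 -0600] "GET /read/?orderby=date HTTP/1.1" 200 4000
"""

CLF = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)')
BARE_IDENTIFIER = re.compile(r"^[A-Za-z0-9_]+$")   # what a legitimate 'orderby' column looks like


def decode(raw: str) -> str:
    """Percent-decode byte for byte so an encoded 0xFF or NUL survives inspection."""
    return unquote_to_bytes(raw.replace("+", " ")).decode("latin-1")


def indicators_for(target: str, authuser: str) -> List[str]:
    """Return the advisory indicators matched by one request target and its auth user."""
    hits = []
    parts = urlsplit(target)
    path = parts.path
    if re.match(r"^/status(/|$)", path):
        hits.append("tclhttpd-status-module")
    if re.search(r"\.tml%00", path, re.IGNORECASE):
        hits.append("tml-source-disclosure")
    if re.match(r"^/read/attachment/[^/]*;", path):
        hits.append("attachment-sqli")
    for pair in parts.query.split("&"):
        key, _, raw_value = pair.partition("=")
        value = decode(raw_value)
        if key == "orderby" and not BARE_IDENTIFIER.match(value):
            hits.append("orderby-sqli")
        if key == "pw" and path.startswith("/subscribe/") and ("\r" in value or "\n" in value):
            hits.append("subscribe-command-injection")
    if authuser.endswith("@"):
        hits.append("tml-auth-bypass-username")
    return hits


def scan(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, indicator, request target) for every suspicious line."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = CLF.match(line)
        if not match:
            continue          # not CLF: skip rather than guess
        authuser, target = match.group(3), match.group(6)
        for indicator in indicators_for(target, authuser):
            findings.append((number, indicator, target))
    return findings


if __name__ == "__main__":
    for number, indicator, target in scan(SAMPLE_LOG):
        print(f"line {number}: {indicator:30s} {target}")
```

The 'orderby' rule deliberately flags anything that is not a bare identifier rather than listing the whitespace variants the advisory mentions, so newline, 0x0B, 0x0C and 0xFF are all caught without a per-database table of what counts as whitespace.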

Notes:
Lyris was initially reluctant to respond to security issues.

Last Update: Dec 08 2005
Doc Version: 1.0
References: OSVDB-21547
OSVDB-21548
OSVDB-21549
OSVDB-21550
OSVDB-21551
OSVDB-21552
OSVDB-21559


"The more complex our security becomes, the more complex our enemy's efforts must be. The more we seek to shut him out, the better he must learn to become at breaking in. Each new level of security that we manage becomes no more than a stepping stone for him who would surpass us, for he bases his next assault upon our best defenses." - This Alien Shore