-----BEGIN PGP SIGNED MESSAGE-----

__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                        CIAC
__________________________________________________________

                      INFORMATION BULLETIN

       Backdoor Password in Red Hat Linux Virtual Server Package

April 27, 2000 15:00 GMT                                          Number K-035
______________________________________________________________________________
PROBLEM:       A backdoor password exists in Piranha that may allow remote
               attackers to execute commands on the server. Piranha could be
               unknowingly installed, for example, when the Red Hat user
               selects the "install all" option. The Red Hat user need not
               actually use Piranha for the vulnerability to be exploited.
PLATFORM:      The vulnerability is present if version 0.4.12 of piranha-gui
               is installed. The current distribution of Red Hat Linux 6.2 is
               vulnerable. Earlier versions of the Red Hat distribution do not
               contain this vulnerability.
DAMAGE:        An attacker could compromise the web server as well as deface
               and destroy the web site.
SOLUTION:      Install the updated packages to remove the backdoor, and set
               the server administrator password.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The server administrator account name and
ASSESSMENT:    password have appeared in public forums.
______________________________________________________________________________

[ Start Red Hat Advisory ]

                     Red Hat, Inc. Security Advisory

Synopsis:          Piranha web GUI exposure
Advisory ID:       RHSA-2000:014-16
Issue date:        2000-04-18
Updated on:        2000-04-26
Product:           Red Hat Linux
Keywords:          piranha
Cross references:  php

1. Topic:

The GUI portion of Piranha may allow any remote attacker to execute commands
on the server. This may allow a remote attacker to launch additional exploits
against a web site from inside the web server.
This is an updated release that disables Piranha's web GUI interface unless
the site administrator enables it explicitly.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386 alpha sparc

3. Problem description:

When Piranha is installed, it generates a 'secure' web interface ID using the
HTML .htaccess method. The information for the account is placed in
/home/httpd/html/piranha/secure/passwords, which was supposed to be released
with a blank password. Unfortunately, the password that is actually on the CD
is 'Q'. The original intent was that, when the administrator installed the
Piranha rpms onto their box, they would change the default blank password to
a password of their own choosing. This is not a hidden account. Its only use
is to protect the web pages from unauthorized access.

The security problem arises from the
http://localhost/piranha/secure/passwd.php3 file. It is possible to execute
commands by entering 'blah;some-command' into the password fields. Everything
after the semicolon is executed with the same privilege as the webserver.
Because of this, it is possible to compromise the webserver, do serious damage
to files on the site that are owned by the user 'nobody', or export a shell
using xterm.

Updated piranha packages released as version 0.14.3-1 fixed the security
vulnerability while keeping the default behavior of requiring the web
administrator to reset the password before making the web site public.
Because of the security concerns from the community, and in order to protect
innocent administrators that might not be aware of the need to change the
password for Piranha's interface before going live on the Internet, Red Hat is
releasing a new set of packages that disable the piranha web interface by
default. The site administrator will have to enable the service from the
command line by resetting the password as detailed on the main page of the
piranha utility.
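The injection described above works because the submitted password field is spliced into a command string that a shell parses, so a ';' ends the intended command and starts another. The following Python is an added example, not Piranha's code (Piranha's page is PHP), showing the defensive shape such a handler should have: refuse the shipped default, validate the field against an allowlist that excludes shell metacharacters, and invoke the helper program through an argument vector rather than a shell. The helper name htpasswd_helper is hypothetical; the passwords file path is the one the advisory names.

```python
"""
Added example (not Piranha's code): validating a web-form password field
before it is handed to a helper program, and invoking that helper without
a shell so that characters such as ';' can never start a second command.
"""
import re
import shlex
import subprocess
from typing import List

# Assumption for this example: the password page hands the submitted value
# to a command-line helper (named here as a hypothetical 'htpasswd_helper').
HELPER = "htpasswd_helper"
PASSWORD_FILE = "/home/httpd/html/piranha/secure/passwords"  # path from the advisory

# Characters a POSIX shell would interpret if the value were spliced into a
# command string. Any one of them means the value must be refused.
SHELL_METACHARS = re.compile(r"[;&|`$<>(){}\[\]\\\"'\n\r\s]")

# Allowlist: what a legitimate password for this GUI may contain.
ALLOWED = re.compile(r"^[A-Za-z0-9._!@#%^*+=-]{8,64}$")


def is_blank_or_default(password: str) -> bool:
    """The advisory's root cause: the shipped password was 'Q' instead of
    blank. Treat both the shipped value and an empty value as 'not yet set'."""
    return password in ("", "Q")


def validate_password(password: str) -> bool:
    """Reject values that are empty/default, contain shell metacharacters,
    or fall outside the allowlist."""
    if is_blank_or_default(password):
        return False
    if SHELL_METACHARS.search(password):
        return False
    return ALLOWED.fullmatch(password) is not None


def build_argv(user: str, password: str) -> List[str]:
    """Build the helper invocation as an argument vector. Each field is one
    argv element, so 'blah;some-command' would reach the helper as a single
    opaque string and is never parsed by /bin/sh (it is rejected earlier
    anyway by validate_password)."""
    if not validate_password(password):
        raise ValueError("password rejected by validation")
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", user):
        raise ValueError("user name rejected by validation")
    return [HELPER, "-b", PASSWORD_FILE, user, password]


def set_password(user: str, password: str) -> int:
    """Run the helper with shell=False (the default). Returns the exit code."""
    return subprocess.run(build_argv(user, password), shell=False,
                          check=False).returncode


def quote_for_shell(value: str) -> str:
    """If a shell command string is unavoidable (for example, an audit log
    that records the exact command), shlex.quote renders the whole value as
    one shell word so embedded ';' cannot split it."""
    return shlex.quote(value)


if __name__ == "__main__":
    for candidate in ["Q", "", "blah;some-command", "correct-horse-9"]:
        print(f"{candidate!r:24} valid={validate_password(candidate)}")
    print("argv:", build_argv("piranha", "correct-horse-9"))
    print("quoted:", quote_for_shell("blah;some-command"))
```

The two controls are independent: validation stops hostile input at the form, and the argv call means that even a value that slipped past validation is never handed to a shell for re-parsing.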
The new packages that include these changes are known as version
piranha-0.4.14-1. Users of Red Hat Linux 6.2 are strongly encouraged to
upgrade to the new packages if they are actively using piranha on their system
(upgrade instructions follow) or to remove the piranha-gui package altogether
by issuing the following command:

    rpm -e piranha-gui

4. Solution:

For each RPM for your particular architecture, run:

    rpm -Fvh [filename]

where filename is the name of the RPM.

When you install the update for the piranha-gui, please take a moment to
review the instructions presented on the following URL
(http://localhost/piranha). This should guide you through the process of
installing a password for use with the GUI.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

N/A

6. Obsoleted by:

N/A

7. Conflicts with:

N/A

8. RPMs required:

Red Hat Linux 6.2:

intel:
ftp://updates.redhat.com/6.2/i386/piranha-0.4.14-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-docs-0.4.14-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4.14-1.i386.rpm

alpha:
ftp://updates.redhat.com/6.2/alpha/piranha-0.4.14-1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/piranha-docs-0.4.14-1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/piranha-gui-0.4.14-1.alpha.rpm

sparc:
ftp://updates.redhat.com/6.2/sparc/piranha-0.4.14-1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/piranha-docs-0.4.14-1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/piranha-gui-0.4.14-1.sparc.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/piranha-0.4.14-1.src.rpm

9.
Verification:

MD5 sum                           Package Name
7c9cad243857f3e90cb73457619ad3a0  6.2/SRPMS/piranha-0.4.14-1.src.rpm
179e502f88f149fe3bfb285af851a6d3  6.2/alpha/piranha-0.4.14-1.alpha.rpm
881622bc6403c2af38834c0deaf05d44  6.2/alpha/piranha-docs-0.4.14-1.alpha.rpm
7ffc63ec6f236afc0b19298ec29e6774  6.2/alpha/piranha-gui-0.4.14-1.alpha.rpm
1e04357c0ebb004185b834152667c644  6.2/i386/piranha-0.4.14-1.i386.rpm
5b6649f14979e1b2fbdb763d88e9a3ac  6.2/i386/piranha-docs-0.4.14-1.i386.rpm
1a49816f280dc7a9b83ba9bab42a247f  6.2/i386/piranha-gui-0.4.14-1.i386.rpm
4153b861f030a17745463c1749732b58  6.2/sparc/piranha-0.4.14-1.sparc.rpm
dc964993d9a3b6c967e5c4455bc24221  6.2/sparc/piranha-docs-0.4.14-1.sparc.rpm
97071e07e2f34fecf80ba48f61e70ba6  6.2/sparc/piranha-gui-0.4.14-1.sparc.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

    rpm --checksig [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    rpm --checksig --nogpg [filename]

10. References:

This vulnerability was discovered and researched by Allen Wilson and Dan
Ingevaldson of Internet Security Systems. Red Hat would like to thank ISS for
the assistance in getting this problem fixed quickly.

[ End Red Hat Advisory ]
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
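As an added example (not a Red Hat or CIAC tool), the following Python checks downloaded update packages against the MD5 table printed in section 9 and reports whether an installed piranha-gui version is older than the 0.4.14-1 release the advisory recommends. It assumes the RPMs were fetched into one local directory; the file it writes in its demo is a constructed stand-in, not a real package. rpm --checksig remains the authoritative check, since it also verifies the GPG signature, which an MD5 comparison alone cannot.

```python
"""
Added example (not Red Hat's or CIAC's tooling): compare downloaded update
packages with the MD5 table published in the advisory, and flag an installed
piranha-gui that is older than the recommended release.
"""
import hashlib
import os
from typing import Dict, List, Tuple

# The MD5 table exactly as printed in section 9 of the advisory.
ADVISORY_MD5_TABLE = """\
7c9cad243857f3e90cb73457619ad3a0  6.2/SRPMS/piranha-0.4.14-1.src.rpm
179e502f88f149fe3bfb285af851a6d3  6.2/alpha/piranha-0.4.14-1.alpha.rpm
881622bc6403c2af38834c0deaf05d44  6.2/alpha/piranha-docs-0.4.14-1.alpha.rpm
7ffc63ec6f236afc0b19298ec29e6774  6.2/alpha/piranha-gui-0.4.14-1.alpha.rpm
1e04357c0ebb004185b834152667c644  6.2/i386/piranha-0.4.14-1.i386.rpm
5b6649f14979e1b2fbdb763d88e9a3ac  6.2/i386/piranha-docs-0.4.14-1.i386.rpm
1a49816f280dc7a9b83ba9bab42a247f  6.2/i386/piranha-gui-0.4.14-1.i386.rpm
4153b861f030a17745463c1749732b58  6.2/sparc/piranha-0.4.14-1.sparc.rpm
dc964993d9a3b6c967e5c4455bc24221  6.2/sparc/piranha-docs-0.4.14-1.sparc.rpm
97071e07e2f34fecf80ba48f61e70ba6  6.2/sparc/piranha-gui-0.4.14-1.sparc.rpm
"""

# Release the advisory tells Red Hat Linux 6.2 users to move to.
RECOMMENDED_VERSION = "0.4.14-1"


def parse_md5_table(text: str) -> Dict[str, str]:
    """Map package path -> expected MD5 hex digest (lower-cased)."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 32:
            continue  # header or blank line
        digest, path = parts
        table[path] = digest.lower()
    return table


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_file(path: str) -> str:
    """Stream the file so large RPMs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(table: Dict[str, str], download_dir: str) -> List[Tuple[str, str]]:
    """Return (package, status) for every table entry: 'ok', 'MISMATCH' or
    'missing'. A MISMATCH must not be installed: the file is corrupted or
    has been replaced in transit."""
    results = []
    for rel_path, expected in table.items():
        local = os.path.join(download_dir, os.path.basename(rel_path))
        if not os.path.exists(local):
            results.append((rel_path, "missing"))
        elif md5_file(local) == expected:
            results.append((rel_path, "ok"))
        else:
            results.append((rel_path, "MISMATCH"))
    return results


def version_tuple(v: str) -> Tuple[int, ...]:
    """'0.4.14-1' -> (0, 4, 14, 1): compare version-release strings numerically."""
    return tuple(int(p) for p in v.replace("-", ".").split("."))


def piranha_gui_needs_update(installed_version: str) -> bool:
    """True when the installed piranha-gui (e.g. the 0.4.12 named in the
    bulletin) is older than the recommended release."""
    return version_tuple(installed_version) < version_tuple(RECOMMENDED_VERSION)


if __name__ == "__main__":
    import tempfile
    table = parse_md5_table(ADVISORY_MD5_TABLE)
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for a download: its MD5 cannot match the table.
        with open(os.path.join(d, "piranha-gui-0.4.14-1.i386.rpm"), "wb") as f:
            f.write(b"constructed placeholder, not a real RPM\n")
        for pkg, status in verify_downloads(table, d):
            print(f"{status:9} {pkg}")
    print("piranha-gui 0.4.12 needs update:", piranha_gui_needs_update("0.4.12"))
```

Run it as-is to see the report format; pointing verify_downloads at the directory holding the real downloads reproduces the "examine only the md5sum" check the advisory describes, and a MISMATCH line is the signal to discard that file and fetch it again.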
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use one
of the following methods to contact CIAC:

    1. Call the CIAC voice number 925-422-8193 and leave a message, or
    2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or
    3. Send e-mail to 4498369@skytel.com, or
    4. Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
                     (or http://ciac.llnl.gov -- they're the same machine)
    Anonymous FTP:   ftp.ciac.org
                     (or ciac.llnl.gov -- they're the same machine)
    Modem access:    +1 (925) 423-4753 (28.8K baud)
                     +1 (925) 423-3331 (28.8K baud)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.
Neither the United States Government nor the University of California nor any
of their employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute or
imply its endorsement, recommendation or favoring by the United States
Government or the University of California. The views and opinions of authors
expressed herein do not necessarily state or reflect those of the United
States Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

K-025: MySQL Password Authentication Vulnerability
K-026: Microsoft SQL Server Admin Login Encryption Vulnerability
K-027: Microsoft SQL Server and MSDE Malicious Query Vulnerability
K-028: FreeBSD Port Exploits for mh/nmh, Lynx, and mtr
K-029: Microsoft "Registry Permissions" Vulnerability
K-030: SGI - Vulnerability in the objectserver daemon
K-031: Mobile Malicious Code
K-032: DDoS Mediation Action List
K-033: Microsoft "Myriad Escaped Characters" Vulnerability
K-034: Cisco Catalyst Enable Password Bypass Vulnerability

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBOQifjLnzJzdsy3QZAQGi7gP9F89bMqJ3dWvjO6j//+pyPd0ouqSiYHwt
AsO5GhPcMqEF8IhRHUJD+Cm38GkAqAPyHju3nkrWieYm4jIZrMqQEXL5qjON0RNc
zn+bQ+goBjvCGktbqOIOPBoLlVzf2VsVRH028iJsaIZjkmyO7zOwKu+7eIuaL3d6
vbgMSr9crsU=
=vTls
-----END PGP SIGNATURE-----