레드핫 백도어..

Red Hat 6.2에서도 IIS와 같이 백도어가 존재한다는데..
Pirahna (피라나)를 설치했을 경우, 암호 Q 로 기본 설정이 되며, 누구나 시스템의 암호를 바꿔서 Root 권한을 가질 수 있다는 것입니다.

이 백도어 패치는 아래의 주소에서 구할 수가 있답니다.

ftp//updates.redhat.com/6.2

뒷북인가.. ^^

---

1. Topic

The GUI portion of Piranha may allow any remote attacker to execute commands on the server. This may allow a remote attacker to launch additional exploits against a web site from inside the web server.

This is an updated release that disables Piranha's web GUI interface unless the site administrator enables it explicitly.

2. Problem description

When Piranha is installed, it generates a 'secure' web interface ID using the HTML .htaccess method. The information for the account is placed in /home/httpd/html/piranha/secure/passwords which was supposed to be released with a blank password. Unfortunately, the password that is actually on the CD is 'Q'.

The original intent was that, when the administrator installed Piranha rpms onto their box, that they would change the default blank password to a password of their own choosing.

This is not a hidden account. Its only use is to protect the web pages from unauthorized access.

The security problem arises from the http//localhost/piranha/secure/passwd.php3 file. It is possible to execute commands by entering 'blah;some-command' into the password fields. Everything after the semicolon is executed with the same privilege as the webserver.

Because of this, it is possible to compromise the webserver or do serious damage to files on the site that are owned by the user 'nobody' or to export a shell using xterm.

Updated piranha packages released as version 0.4.13-1 fixed the security vulnerability while still require for the default behavior of requiring the web administrator to reset the password before making the web site public.

Because of the security concerns from the community and in order to protect innocent administrators that might not be aware of the need to change the password for Piranha's interface before going live on the Internet, Red Hat is releasing a new set of packages that disable the piranha web interface by default. The site administrator will have to enable the service from the command line by resetting the password as detailed on the main page of the piranha utility.

The new packages that include these changes are known as version piranha-0.4.14-1.

Users of Red Hat Linux 6.2 are strongly encouraged to upgrade to the new packages if they are actively using piranha on their system (upgrade instructions follow) or to remove the piranha-gui package altogether by issuing the following command

rpm -e piranha-gui

3. Bug IDs fixed (see bugzilla for more information)

N/A

4. Relevant releases/architectures

Red Hat Linux 6.2 -- i386 alpha sparc

5. Obsoleted by

N/A

6. Conflicts with

N/A

7. RPMs required

Red Hat Linux 6.2

Intel

ftp//updates.redhat.com/6.2/i386/piranha-0.4.14-1.i386.rpm
ftp//updates.redhat.com/6.2/i386/piranha-docs-0.4.14-1.i386.rpm
ftp//updates.redhat.com/6.2/i386/piranha-gui-0.4.14-1.i386.rpm

Alpha

ftp//updates.redhat.com/6.2/alphapiranha-0.4.14-1.alpha.rpm ftp//updates.redhat.com/6.2/alphapiranha-docs-0.4.14-1.alpha.rpm ftp//updates.redhat.com/6.2/alphapiranha-gui-0.4.14-1.alpha.rpm
SPARC

ftp//updates.redhat.com/6.2/sparcpiranha-0.4.14-1.sparc.rpm ftp//updates.redhat.com/6.2/sparcpiranha-docs-0.4.14-1.sparc.rpm ftp//updates.redhat.com/6.2/sparcpiranha-gui-0.4.14-1.sparc.rpm
Source

ftp//updates.redhat.com/6.2/SRPMSpiranha-0.4.14-1.src.rpm
8. Solution

For each RPM for your particular architecture, run

rpm -Uvh filename

where filename is the name of the RPM.

When you install the update for the piranha-gui, please take a moment to review the instructions presented on the following URL (http//localhost/piranha). This should guide you through the process of installing a password for use with the GUI.

9. Verification

MD5 sum Package Name
-------------------------------------------------------------------------
7c9cad243857f3e90cb73457619ad3a0 6.2/SRPMS/piranha-0.4.14-1.src.rpm
179e502f88f149fe3bfb285af851a6d3 6.2/alpha/piranha-0.4.14-1.alpha.rpm
881622bc6403c2af38834c0deaf05d44 6.2/alpha/piranha-docs-0.4.14-1.alpha.rpm
7ffc63ec6f236afc0b19298ec29e6774 6.2/alpha/piranha-gui-0.4.14-1.alpha.rpm
1e04357c0ebb004185b834152667c644 6.2/i386/piranha-0.4.14-1.i386.rpm
5b6649f14979e1b2fbdb763d88e9a3ac 6.2/i386/piranha-docs-0.4.14-1.i386.rpm
1a49816f280dc7a9b83ba9bab42a247f 6.2/i386/piranha-gui-0.4.14-1.i386.rpm
4153b861f030a17745463c1749732b58 6.2/sparc/piranha-0.4.14-1.sparc.rpm
dc964993d9a3b6c967e5c4455bc24221 6.2/sparc/piranha-docs-0.4.14-1.sparc.rpm
97071e07e2f34fecf80ba48f61e70ba6 6.2/sparc/piranha-gui-0.4.14-1.sparc.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key is available at
http//www.redhat.com/about/contact.html
You can verify each package with the following command

rpm --checksig filename
If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command

rpm --checksig --nogpg filename
Note that you need RPM >= 3.0 to check GnuPG keys.

10. References

This vulnerability was discovered and researched by Allen Wilson and Dan Ingevaldson of Internet Security Systems. Red Hat would like to thank ISS for the assistance in getting this problem fixed quickly.