logo

Web

   Webdesign
   Webhosting
   Referenzen
   Kontakt

Security

   Aktuelle Meldungen
   Advisories
   Firewall
   Emailgateway

Consulting

   Beratung

Hinweise
   Aktuelle Meldungen    Advisories    Firewall    Emailgateway

ppp-design found the following authentication bypass vulnerability in dnstools:


Details

Product: dnstools
Affected Version: 2.0 beta 4 and maybe all versions before
Immune Version: 2.0 beta 5
OS affected: Linux only
Vendor-URL: http://www.dnstools.com
Vendor-Status: informed, new version avaiable
Security-Risk: very high
Remote-Exploit: Yes


Introduction

DNSTools is a comercial solution for dns configuration ($0 for personal use up to $800 for ISPs). This is what the vendor tells about dnstools: "DNSTools is a DNS configuration and DNS administration utility that eases the burden of network and system administrators by presenting all of their DNS data in an easy-to-use web interface and allowing them to modify that data quickly and easily. With a few simple clicks, you can modify a host name, add a new mail record, add a new DNS name server, delete an entire domain or add an alias or second IP address to an existing host. These are just a few examples of what DNSTools provides." Unfortunately the security concept is broken by design and can be easily bypassed.


More details

The software uses two variables to save the users authentication status (normal user / administration). Unfortunately these variables are not initialized, so you can easily spoof your status.


Proof-of-concept

Just add "user_logged_in=true" and if you want to have administration privileges "user_dnstools_administrator=YES" to any url (just be sure you are not logged in, otherwise your submitted variable will be overwritten with the real value).

Examples:
http://www.example.com/dnstools.php?section=hosts&user_logged_in=true
http://www.example.com/dnstools.php?section=security&user_logged_in=true&user_dnstools_administrator=YES


Temporary-Fix

Initialize both variables with false at the beginning of dnstools.php


Fix

Use at least version 2.0 beta 5.


Security-Risk

A blackhat can easily manipulate DNS entries remotly without being authorized in any way. This often is the first step of a hacking scenario. Therefore we are rating the security risk to very high.


Vendor status

The author reacted very fast and recommendable to our note. He needed about 48 hours for a new version which fixes the vulnerability.


Disclaimer

All information that can be found in this advisory is believed to be true, but maybe it is not. ppp-design can not be held responsible for the use or missuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned.