F5 BIG-IP Web Management Audit Log XSS
Product: F5 BIG-IP
http://www.f5.com/products/big-ip/
The F5 BIG-IP web management interface contains a persistent cross-site scripting vulnerability in the audit log facility. Log entries are output raw, without being HTML-encoded first. This allows an attacker to create a log entry with an embedded script that gets executed any time the audit log is later reviewed by an administrator.
One of several exploit vectors is to create a node object with a script embedded in the node name. The creation will fail due to unsupported characters but an audit log entry still gets created. Other confirmed entry points are sysContact and sysLocation on the SNMP configuration page.
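Added illustration, not code from F5 or from the advisory: the rendering pattern the advisory describes (log fields interpolated into HTML as-is) beside the fix (encode every field at the output boundary), run over constructed audit entries whose detail text echoes a rejected node name.

```python
import html
from dataclasses import dataclass


@dataclass
class AuditEntry:
    timestamp: str
    user: str
    action: str
    detail: str  # free text that may echo attacker-controlled input


# Constructed sample log (not captured from a real BIG-IP). The second entry
# models the advisory's case: the node creation failed on invalid characters,
# but the attempted name was still written to the audit log verbatim.
SAMPLE_LOG = [
    AuditEntry("2008-05-01 10:00:00", "admin", "login", "success"),
    AuditEntry("2008-05-01 10:02:13", "operator", "create node",
               'failed: invalid name "<script>alert(1)</script>"'),
]


def render_row_vulnerable(e: AuditEntry) -> str:
    # The flawed pattern: each field dropped straight into the markup.
    return (f"<tr><td>{e.timestamp}</td><td>{e.user}</td>"
            f"<td>{e.action}</td><td>{e.detail}</td></tr>")


def render_row_fixed(e: AuditEntry) -> str:
    # HTML-encode every field, not only the ones that look risky; quote=True
    # also neutralises values that could break out of an attribute.
    cells = (html.escape(v, quote=True)
             for v in (e.timestamp, e.user, e.action, e.detail))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def render_log(entries, row_fn) -> str:
    return "<table>" + "".join(row_fn(e) for e in entries) + "</table>"


def contains_script_tag(page: str) -> bool:
    # Simple check used by the demo: did a raw <script tag survive rendering?
    return "<script" in page.lower()


if __name__ == "__main__":
    for fn in (render_row_vulnerable, render_row_fixed):
        page = render_log(SAMPLE_LOG, fn)
        print(fn.__name__, "-> script tag present:", contains_script_tag(page))
```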
> > built-in local administrator account from local or remote connections.
> > The user will also share the Administrator's desktop and profile. When
> > inspected by system administrators, the regular user always looks like
> > it is just part of the built-in user's group. The attacker can also
> > make the regular user account hard to detect by creating a user with
> > the username of "ALT-0160", for blank space. Events in the audit log
> > pertaining to the hidden account will be created if the system
> > administrator has enabled auditing, but the user name fields are all
> > blank. Once a system has been compromised, the attacker would need to
> > ensure the Task Scheduler service is enabled only when starting the
> > method. This method can be used to masquerade as any user account on
In most Oracle default installations the account OUTLN is locked, but some security guidelines (e.g. Oracle Practical Security from Syngress) recommend unlocking the account OUTLN and setting an invalid password (to avoid the error message "ORA-28000 account is locked").
Following this guideline and setting an invalid password opens up a default user with a default password (OUTLN/OUTLN) holding DBA privileges in the Oracle database, once a materialized view has been created.
I found this vulnerability during the search for backdoors in Oracle databases for the Oracle malware report of our vulnerability scanner Repscan. I was looking for strings like "grant dba to" and found that dbms_stats_internal is executing these commands in an internal package. In Oracle 9i you can find these strings using the grep command in $ORACLE_HOME/rdbms/admin because string literals are not encrypted in wrapped PL/SQL 9i code.
BTW: During this research I also found 3 Oracle procedures modifying the Oracle audit table (insert/update/delete rows in SYS.AUD$). I think procedures modifying the audit log (especially delete and update) are a bad coding practice.
Patch Information
Apply the patches for Oracle CPU April 2008.
h. Service Console package sudo updated to 1.6.9p17-6.el5_4
Sudo (su "do") allows a system administrator to delegate authority
to give certain users (or groups of users) the ability to run some
(or all) commands as root or another user while providing an audit
trail of the commands and their arguments.
When a pseudo-command is enabled, sudo permits a match between the
name of the pseudo-command and the name of an executable file in an
arbitrary directory, which allows local users to gain privileges
via a crafted executable file.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1926
Description:
Previous versions of util-linux have an argument injection
vulnerability, which allows remote attackers to hide activity by
modifying portions of audit log events. This is only relevant on
systems where the auditd service is used.
http://wiki.rpath.com/Advisories:rPSA-2009-0143
Copyright 2009 rPath, Inc.