ALCASAR index.php Crafted HTTP host Header Vulnerability

Added: 09/16/2014
BID: 69662
OSVDB: 111026

Background

ALCASAR is a free Network Access Controller that allows network managers to restrict Internet service access to authenticated users. ALCASAR allows control and logging of all network activity by users and/or defined user groups.

Problem

ALCASAR 2.8 and earlier are vulnerable to remote code execution by injecting the exec() function into the HTTP Host header, which gives the attacker access as the Apache user. By also exploiting the Apache user's sudoer capability with openssl, a remote attacker could leverage the original vulnerability to gain root privileges.

Resolution

ALCASAR 2.8.1 purportedly fixes the host header vulnerability.
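
For sites that cannot upgrade immediately or want to review traffic, the following added example (not code from ALCASAR or from the advisory) checks raw HTTP requests for Host header values that are not a plain hostname or IP address with an optional port, which is the shape an injected exec() call would break. The function names, the sample requests and the optional allowlist are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 1123 hostname label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")
_HOST_PORT = re.compile(r"(\[[^\[\]]+\]|[^:\[\]]+)(?::(\d{1,5}))?")

def host_header_ok(value, allowed_hosts=None):
    """Return True only if value is host[:port] with a plain hostname or IP."""
    m = _HOST_PORT.fullmatch(value)
    if not m or len(value) > 255:
        return False
    host, port = m.group(1), m.group(2)
    if port is not None and not 0 < int(port) <= 65535:
        return False
    if host.startswith("["):            # bracketed IPv6 literal
        try:
            ipaddress.IPv6Address(host[1:-1])
        except ValueError:
            return False
    elif not _HOSTNAME.fullmatch(host):  # rejects "(", ")", quotes, spaces, ";"
        return False
    return allowed_hosts is None or host.lower().rstrip(".") in allowed_hosts

def suspicious_requests(raw_requests, allowed_hosts=None):
    """Return (index, host_values) for requests whose Host header fails the check."""
    findings = []
    for i, raw in enumerate(raw_requests):
        head = raw.split("\r\n\r\n", 1)[0]
        hosts = [line.split(":", 1)[1].strip()
                 for line in head.split("\r\n")[1:]
                 if line.lower().startswith("host:")]
        # Exactly one Host header is expected; zero or several is itself a finding.
        if len(hosts) != 1 or not host_header_ok(hosts[0], allowed_hosts):
            findings.append((i, hosts))
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = [
    "GET /index.php HTTP/1.1\r\nHost: alcasar.example\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: 192.0.2.10:443\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: exec(PLACEHOLDER)\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: a.example\r\nHost: b.example\r\n\r\n",
]

if __name__ == "__main__":
    for index, hosts in suspicious_requests(SAMPLES):
        print(f"request {index}: rejected Host value(s) {hosts!r}")
```

Passing the portal's own names as `allowed_hosts` turns the syntax check into a strict allowlist.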

References

http://seclists.org/fulldisclosure/2014/Sep/26

Limitations

Exploit works on ALCASAR 2.8.

The MIME::Base64 module is required on the SAINTexploit host.

Exploit only results in Apache permissions, not root permissions.