Vulnerabilities > CVE-2000-0248 - Unspecified vulnerability in Redhat Linux 6.2

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
redhat
critical
nessus
exploit available
metasploit

Summary

The web GUI for the Linux Virtual Server (LVS) software in the Red Hat Linux Piranha package has a backdoor password that allows remote attackers to execute arbitrary commands.

Vulnerable Configurations

Part Description Count
OS
Redhat
3

Exploit-Db

  • descriptionRedHat 6.2 Piranha Virtual Server Package Default Account and Password Vulnerability. CVE-2000-0248. Remote exploit for linux platform
    idEDB-ID:19879
    last seen2016-02-02
    modified2000-04-24
    published2000-04-24
    reporterMax Vision
    sourcehttps://www.exploit-db.com/download/19879/
    titleRedHat 6.2 Piranha Virtual Server Package Default Account and Password Vulnerability
  • descriptionRedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution. CVE-2000-0248,CVE-2000-0322. Webapps exploit for php platform
    idEDB-ID:16858
    last seen2016-02-02
    modified2010-10-18
    published2010-10-18
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/16858/
    titleRedHat Piranha Virtual Server Package passwd.php3 - Arbitrary Command Execution

Metasploit

descriptionThis module abuses two flaws in the HTTP management server of RedHat 6.2 systems running the Piranha LVS cluster service and GUI (rpm packages: piranha and piranha-gui): a metacharacter injection vulnerability and a default account. The injection allows an authenticated attacker to execute arbitrary commands as the Apache user account (nobody) within the /piranha/secure/passwd.php3 script. The package installs with a default user and password of piranha:q, which was exploited in the wild; on an install where that password was never changed, the authentication requirement offers no protection.
idMSF:EXPLOIT/LINUX/HTTP/PIRANHA_PASSWD_EXEC
last seen2020-01-10
modified2017-11-08
published2010-02-14
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/piranha_passwd_exec.rb
titleRedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution

Nessus

NASL familyCGI abuses
NASL idPIRANHA.NASL
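descriptionThe 'piranha' package is installed on the remote host. This package, as it is distributed with Linux RedHat 6.2, comes with the login/password combination 'piranha/q' or 'piranha'/'piranha'. An attacker may use it to reconfigure your Linux Virtual Servers (LVS).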
last seen2020-06-01
modified2020-06-02
plugin id10381
published2000-04-25
reporterThis script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/10381
titlePiranha's RH6.2 default password
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
  # Registration block: it only declares plugin metadata and scheduling
  # constraints, then exits without touching the target.

  # Identity and cross-references.
  script_id(10381);
  script_bugtraq_id(1148);
  script_version("1.24");
  script_cve_id("CVE-2000-0248");
  script_name(english:"Piranha's RH6.2 default password");

  # Text shown in the scan report.
  script_set_attribute(attribute:"synopsis", value:"A web application accepts well known passwords.");
  script_set_attribute(attribute:"description", value:
"The 'piranha' package is installed on the remote host.
This package, as it is distributed with Linux RedHat 6.2, comes with the
login/password combination 'piranha/q' or 'piranha'/'piranha'.

An attacker may use it to reconfigure your Linux Virtual Servers (LVS).");
  script_set_attribute(attribute:"solution", value:"Upgrade piranha-gui, piranha and piranha-docs to version 0.4.13");

  # CVSS v2 base vector: network reachable, low complexity, no authentication,
  # partial confidentiality/integrity/availability impact.
  # NOTE(review): this scores the default login only. The Metasploit module
  # named below is a command-execution exploit, so a feed that scores the CVE
  # as complete impact will disagree with this vector - confirm intended scope.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  # Exploitability metadata.
  # NOTE(review): exploit_available is "false" although the temporal vector
  # says E:F and a Metasploit module is declared two lines below - confirm
  # which value is intended.
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"metasploit_name", value:'RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  # Dates.
  # NOTE(review): vuln_publication_date (2002) is later than
  # plugin_publication_date (2000) - verify against the advisory.
  script_set_attribute(attribute:"plugin_publication_date", value:"2000/04/25");
  script_set_attribute(attribute:"vuln_publication_date", value:"2002/09/12");
  script_cvs_date("Date: 2018/07/24 18:56:11");

  # Remote check for a default account.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"default_account", value:"true");
  script_end_attributes();

  # ACT_ATTACK: the summary states that the plugin logs into the target, so it
  # sends real login attempts and is not a passive or banner-based check.
  script_summary(english:"logs into the remote piranha subsystem");
  script_category(ACT_ATTACK);

  script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");
  script_family(english:"CGI abuses");

  # Scheduling: depends on http_version.nasl, needs a web service (default
  # port 80) and the www/PHP knowledge-base key, and is excluded when
  # Settings/disable_cgi_scanning is set.
  script_dependencie("http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP");
  exit(0);
}

#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Choose the web port to test (default 80) and stop early when that port is
# not considered able to serve PHP, since the probed page is a .php3 script.
port = get_http_port(default: 80);
if (! can_host_php(port: port))
  exit(0);

#
# test_hole(port, user, pass)
#
# Requests the Piranha control page once with the given HTTP credentials and
# raises a finding when the response carries the control page title.
#
#   port - web port to probe
#   user - account name to present
#   pass - password to present
#
# Ends the whole plugin (exit) when no HTTP response is obtained, and also
# right after reporting, so later credential pairs are not tried once one
# has been accepted. Returns nothing when the title string is absent.
#
# NOTE(review): there is no control request with wrong or no credentials, and
# the match runs over status line, headers and body together. A control page
# that is served without authentication would therefore be reported as a
# default-password finding; consider a negative control before reporting.
#
function test_hole(port, user, pass)
{
 local_var reply, page, target, marker, report;

 target = "/piranha/secure/control.php3?";
 marker = "Piranha (Control/Monitoring)";

 reply = http_send_recv3(method: "GET", item: target, port: port, username: user, password: pass);
 if (isnull(reply)) exit(0);

 # Flatten the reply so a single substring test covers all of it.
 page = strcat(reply[0], reply[1], '\r\n', reply[2]);
 if (marker >< page)
 {
   # The report names the URL and the accepted credential pair so the
   # operator can locate the account that has to be changed.
   report = strcat('\nIt was possible to log to :\n\n',
                   build_url(port: port, qs: target),
                   '\nwith username=', user, ' and password=', pass, '\n');
   security_hole(port, extra: report);
   exit(0);
 }
}

# Try the two passwords the package description lists for the 'piranha'
# account, in the same order as before. test_hole() exits the plugin on the
# first accepted pair, so the second is only sent when the first is refused.
foreach candidate (make_list("q", "piranha"))
  test_hole(port: port, user: "piranha", pass: candidate);

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/86303/piranha_passwd_exec.rb.txt
idPACKETSTORM:86303
last seen2016-12-05
published2010-02-15
reporterpatrick
sourcehttps://packetstormsecurity.com/files/86303/RedHat-Piranha-Virtual-Server-Package-passwd.php3-Arbitrary-Command-Execution.html
titleRedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution

Redhat

advisories
rhsa
idRHSA-2000:014-10