lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200310202207.h9KM7ei7071683@mailserver1.hushmail.com>
Date: Mon, 20 Oct 2003 15:07:37 -0700
From: <natok@...h.com>
To: bugtraq@...urityfocus.com, vuln-dev@...urityfocus.com,
	vulnwatch@...nwatch.org
Subject: Gast Arbeiter Privilege Escalation


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ------------------------------------------------------------
NATOK security labs                            natok at hush.com
October 20st, 2003                          Privilege Escalation
- - - ------------------------------------------------------------

- - - Overview

  Software      : Gast Arbeiter <= 1.3
  Vendor        : Petr Bartels <petr.bartels@....net>
  Vulnerability : Privilege Escalation
  Status        : Author has been notified
  Type          : Remote

- - - Description

   NATOK security labs discovered a security hole in the instant
   messaging tool Gast Arbeiter written by the polnish software
   engineer Petr Bartels.

   By sending a special crafted message we are able to write to
   any file which may lead to privilege escalation.

- - - Probleme Description

   Gast Arbeiter is an instant messaging tool written in Perl
   that allows people from all around the world to chat with
   each other. The project is maintained by Peter Bartels.

   According to the official website the software has been
   downloaded over five thousand times.

   Gast Arbeiter includes a feature to upload individual files
   via a CGI interface. Due to insufficient checkings we are
   able to write to any file.

- - - Technical Description

   The following vulnerability is present in Gastarbeiter < 1.3

   # Fetching Cgi Params
   $exch_file = "$DATA_DIR/incoming/" . $cgi->param('req_file');

   # Writing Data
   open(FH, "> $exch_file") or die("can't write file: $!");
   print FH $cgi->param('body');
   close(FH);

   This vulnerability allows the attacker to write any file on
   the remote host.

- - - Exploit

   No Public Exploit. Please contact me to get your version.

- - - Patch

   Please change the source code:

   $tmp = $cgi->param('req_file');
   $tmp =~ s/\.\.//g;

   $exch_file = "$DATA_DIR/incoming/" . $tmp;

- - - Greets

   ... to the Legion of Dotness - my Family!
   ... to Gadu Gadu - my Religion!
   ... to Poland - my Country!

    ________________________________
   /                                /|
  /--------------------------------/ |
  |  ##  # #### #####  ##  # #     | |
  |  # # # #  #   #   #  # ##      | |
  |  #  ## ####   #   #  # # #     | |
  |  #   # #  #   #    ##  #  #    | |
  |________________________________|/

    contact: r00t@...ok.de


-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAj+UXKoACgkQK+B0NVtqTQPnuQCfZk3AH/RqTxtjb78jqUDfZ9DuYHcA
n1mZlv2gYgTAj8qGn+acsyhZDh8m
=xcue
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ