Message-ID: <63340-22003651304231262@M2W027.mail2web.com>
From: mattmurphy at kc.rr.com (mattmurphy@...rr.com)
Subject: ExploitLabs.com CGI Script Irony (was: Vote Today)
morning wood <se_cur_ity@...mail.com> wrote:
>some famous white hat's letter to Full Disclosure..
>
>-------------------- snippy -------------------------------------
>
>Len: It is my belief that list members who repeatedly post ridicule that
>could not possibly be of any use for on-topic readers -- particularly those
>who post such things without any other contributions -- should at least
>have their right to post permanently stripped, if they are allowed to
>remain subscribers at all. It is also my belief that Donnie Werner's
>recent posts fit squarely into this category. Not only has Donnie Werner
>continued to waste the effort of list maintainers and subscribers with
>non-contributory e-mail, but he has also been extremely un-professional in
>the few cases where he has provided anything worth anyone's time. For this
>reason, sorting through Donnie Werner's junk mail is not worth my time, or
>the time wasted of anyone else on this list. It is with the highest regard
>for Full-Disclosure as a place of promise in the continuing evolution of
>information security, that I must urge the removal of Donnie Werner, as it
>is in the best interest of all on the list, and the future of the list
>itself.
>
>---------------- end snippy ---------------------------------------
>
>Ladies and Gentlemen... I am being systematically blackballed,
>If I comment on one white hat, I get threats from two more..
My question is this: how does my letter to Len (which I also CC'ed to
Donnie) constitute blackmail/threats? By CC'ing Donnie, I specifically
gave him an opportunity to respond, and specifically attempted to be
professional about this by responding off-list to his posts. Not only did
he not respect that, he re-posted my private e-mail to you without my
permission. Donnie has not only broken ethical standards here, you have
broken laws. I did not write that message (or the portion of the message
which you have displayed) to the list, only to Len Rose and Donnie's
private account.
Since he did not have the professionalism or maturity to contact me
off-list with these issues, and then violated moral, ethical and legal
standards by copying my attempts to the list, Donnie has crossed a line
that should not be crossed.
Not only was my message private, it also makes no attempt to blackmail
Donnie as he so irresponsibly claims. For the benefit of the lists, my
message to Donnie is attached as "msg-001.txt". I had contemplated
releasing the messages Donnie wrote in response to the list, but have
decided not to do so, so that I do not become a repeat of the very issue my
complaint is about. If Donnie would choose to provide it (or allow me to
do so), his responses to me off-list indicate a tone that is very
contradictory to what he posts here.
I made no threats against Donnie or the list, and I made what I considered
my best assessment of the situation -- that the incredibly high level of
noise on the otherwise unmoderated list, combined with lax administration
would eventually cause the list to collapse. I made no threat to withhold
information, or of my own plans to leave (I currently have none), so how
could this possibly be considered a threat/blackmail attempt?
P.S. - This message CC'ed to 0day@...hackers.org -- Donnie Werner's "list
of 0day's", which has also received an unauthorized copy of my e-mail.
Worse, Donnie is a classic example of the flaws he claims to prevent. See
the advisory below:
-----
Filtering Flaws in ExploitLabs.com CGI Script
Risk: High
Impact: Critical: Execute commands of attacker's choice
Exploit Difficulty: Minimal
Systems Affected: ExploitLabs.Com Infinity Project (all versions)
A security vulnerability has been identified in the
"nph-exploitscanget.cgi" frontend of Donnie Werner's Infinity Scripts. By
using a specially malformed URL query, it is possible to execute arbitrary
commands as the user running the script. Solutions like suexec, file
system limitation, and chroot may prevent successful compromise, but this
vulnerability is severe in most instances.
Donnie's script insecurely sanitizes the "host" URI parameter.
Specifically, the script fails to block the UNIX backtick character:
http://somesite.com/cgi-bin/nph-exploitscanget.cgi?host=`cat%20/etc/passwd``cat%20/etc/shadow`&port=80&errchk=0&idsbypass=0
will reveal the username/password data dumped in an error message
indicating a failed host ping. This requires httpd to be running as root,
a dangerous practice. However, the ability to execute arbitrary commands
allows for severe compromise in other areas. Also, the script does URL
decoding after the command filter, apparently:
$host =~ tr/+/ /;
$host =~ tr/\%/a/;
$host =~ tr/\;/b/;
$host =~ tr/</c/;
$host =~ tr/>/d/;
$host =~ tr/\|/e/;
$host =~ tr/\&/f/;
$host =~ tr/\^/g/;
$host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
So simple constructs such as:
http://localhost/cgi-bin/nphexploitscanget.cgi?host=127.0.0.1%20%7ccat%20/etc/passwd%3b
May also work. Note that "%7C" is a URL-encoded pipe character ("|").
Solution: Replace the previous script:
$host =~ tr/+/ /;
$host =~ tr/\%/a/;
$host =~ tr/\;/b/;
$host =~ tr/</c/;
$host =~ tr/>/d/;
$host =~ tr/\|/e/;
$host =~ tr/\&/f/;
$host =~ tr/\^/g/;
$host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
with:
$host =~ tr/+/ /;
+ $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
+ $host =~ tr/\`/h/;
$host =~ tr/\%/a/;
$host =~ tr/\;/b/;
$host =~ tr/</c/;
$host =~ tr/>/d/;
$host =~ tr/\|/e/;
$host =~ tr/\&/f/;
$host =~ tr/\^/g/;
- $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
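Review bot: the replacement is still a denylist, and the tr list leaves `$`, `(`, `)` and CR/LF untouched, so once the decoded value reaches a shell, a query such as `host=127.0.0.1%20$(id)` or a `%0a`-separated second command passes every line of this filter; moving the `s/%([a-fA-F0-9][a-fA-F0-9])/.../eg` decode ahead of the tr calls is the right order, but the decoded `$host` should then be rejected unless it matches an allowlist like `/^[A-Za-z0-9.-]+$/`, and better still the shell should not be involved at all, with the lookup done through Perl's gethostbyname() rather than an nslookup invocation.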
Donnie Werner, you are a fraud -- you cannot even secure a basic Perl
script. You don't use 'nslookup' to lookup a hostname, you use the simple
function call known as gethostbyname() that is part of the Perl core.
-----
--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .
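Below, as an added example that is not code from the original post, from Donnie Werner's script, or from ExploitLabs, is a stand-alone Perl program that runs the advisory's corrected filter order (decode, then tr) over constructed inputs, flags the shell metacharacters that filter still lets through (assuming a POSIX /bin/sh behind the backticks), and sets it beside an allowlist check and a gethostbyname()-based resolver that never spawns a command. The function names url_decode, denylist_filter, still_dangerous, valid_hostname and resolve_host are assumptions for this example, not names from the script.

```perl
#!/usr/bin/perl
# Added example, not the ExploitLabs script: the advisory's denylist filter
# (decode first, then tr) beside an allowlist check and a shell-free lookup.
use strict;
use warnings;
use Socket qw(inet_ntoa);

# Decode the way the advisory's script does: '+' to space, then %XX sequences.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    return $s;
}

# The advisory's corrected order: decode, then neutralise shell metacharacters.
sub denylist_filter {
    my ($host) = url_decode($_[0]);
    $host =~ tr/\`/h/;
    $host =~ tr/\%/a/;
    $host =~ tr/\;/b/;
    $host =~ tr/</c/;
    $host =~ tr/>/d/;
    $host =~ tr/\|/e/;
    $host =~ tr/\&/f/;
    $host =~ tr/\^/g/;
    return $host;
}

# Characters the denylist leaves alone that still matter to /bin/sh (assumed
# POSIX shell): "$(...)" command substitution and CR/LF command separators.
sub still_dangerous {
    return $_[0] =~ /[\$()\r\n]/ ? 1 : 0;
}

# Allowlist: DNS labels of letters, digits and hyphens joined by dots; reject
# everything else instead of trying to enumerate what is harmful.
sub valid_hostname {
    my ($host) = @_;
    return 0 unless defined $host && length($host) <= 253;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $host =~ /\A$label(?:\.$label)*\z/ ? 1 : 0;
}

# Resolve without spawning nslookup: nothing here is ever handed to a shell.
sub resolve_host {
    my ($host) = @_;
    return undef unless valid_hostname($host);
    my $packed = gethostbyname($host);   # Perl core, no external command
    return defined $packed ? inet_ntoa($packed) : undef;
}

# Constructed attacker inputs (not captured traffic), as they would arrive in
# the raw query string before the script decodes them.
my @inputs = (
    'www.example.com',
    '127.0.0.1%20%7ccat%20/etc/passwd%3b',   # pipe and semicolon: neutralised
    '`cat%20/etc/passwd`',                   # backticks: caught by the added tr
    '127.0.0.1%20$(id)',                     # $( ): passes every tr above
    '127.0.0.1%0aid',                        # newline: passes every tr above
);

for my $raw (@inputs) {
    (my $shown = denylist_filter($raw)) =~ s/\n/\\n/g;
    printf "%-40s -> %-32s unsafe=%d allowlist=%d\n", $raw, $shown,
        still_dangerous(denylist_filter($raw)), valid_hostname(url_decode($raw));
}

# An IP literal resolves without any DNS traffic, so this line runs offline.
my $ip = resolve_host('127.0.0.1');
print "resolve_host('127.0.0.1') -> ", (defined $ip ? $ip : 'undef'), "\n";
```

Run it with `perl filter_demo.pl` (any file name): the two inputs using `$( )` and a `%0a` newline come out of the denylist unchanged and are reported unsafe, while the allowlist rejects every injected value and accepts only the plain hostname, which is the property that matters once the value is passed anywhere near a shell.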