Message-ID: <1061507369.7901.13.camel@localhost.localdomain>
From: csiwebmaster at csi.edu (Dan Daggett)
Subject: Command Injection Vulnerability in stat.qwest.net

[Vulnerable Site]

http://stat.qwest.net


[Site Purpose]  

Site can be used by network administrators and engineers to test network
connectivity, view Qwest's backbones, and test latency across Qwest's
network.


[Vulnerable Page]

http://stat.qwest.net/cgi-bin/jlg-new.pl

This page can be accessed through
http://stat.qwest.net/looking_glass.html


[Page Purpose]

Run ping and traceroute from various routers/computers in many locations
across Qwest's network, including North America and Asia.


[Command Injection]

While running a ping on a site that wasn't up, the error message made me
realize that the Perl script was shelling out a command to a remote
system and tacking my input into it.

For example, in the dropdown box pick any router and select ping or
traceroute.  In this case I selected ping.  Type in a nonexistent site
such as nositehere.nope.  Here is what was returned in the page.

/usr/sbin/ping: unknown host nositehere.nope

My next thought was whether or not proper checking had been done to
avoid escaping the command and running my own code.  This time I used a
semicolon to add my own commands on to the end:
nositehere.nope;id;uname -a;
I put the ending semicolon on in case there were additional parameters
added to the ping command.  Here is the result.

Pinging nositehere.nope;id; from atl-engr-01.inet.qwest.net

uid=60001(nobody) gid=60001(nobody)


[Problem Fix]

The vulnerability here lies in the fact that unfiltered user input is
passed by the Perl script directly to the command line.  Something as
simple as verifying that only certain characters will be passed to the
command prompt would prevent this.

For example, this would drop any characters that are not alphanumeric,
dashes, underscores, or periods.

$user_input =~ s/[^A-Za-z0-9._-]//g;   # dash last in the class so it is literal, not a range
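The following is an added example, not code from the advisory or from the stat.qwest.net script. It applies the same allowed-character set as a whole-string check that rejects bad input instead of silently stripping it, and runs ping with the list form of system() so no shell ever sees the hostname. The ping path is taken from the advisory; the -c flag and the 253-character limit are assumptions.

```perl
#!/usr/bin/perl
# Added example (not the stat.qwest.net script): hostname allowlisting for a
# looking-glass CGI, plus the shell-free way to run ping.
use strict;
use warnings;

# Returns the validated host, or undef if the input contains anything outside
# the allowed set. Rejecting is preferable to stripping: an input such as
# "nositehere.nope;id;uname -a;" is refused outright rather than being quietly
# mangled into "nositehere.nopeiduname-a".
sub validate_host {
    my ($input) = @_;
    return undef unless defined $input;
    return undef if length($input) > 253;            # assumed: max DNS name length
    # Whole-string match on the advisory's character set (dash placed last so it
    # is literal). \A and \z are used instead of ^ and $ so a trailing newline
    # cannot slip through.
    return undef unless $input =~ /\A[A-Za-z0-9._-]+\z/;
    return undef if $input =~ /\A-/;                 # would be parsed as a ping option
    return $input;
}

# Runs ping without a shell: the list form of system() hands the arguments
# straight to execve(), so shell metacharacters in $host are never interpreted.
sub run_ping {
    my ($host) = @_;
    my $safe = validate_host($host);
    return "Rejected: invalid hostname\n" unless defined $safe;
    my @cmd = ('/usr/sbin/ping', '-c', '3', $safe);  # path from the advisory; -c assumed
    my $rc = system(@cmd);
    return "ping could not be started: $!\n" if $rc == -1;
    return "ping exited with status " . ($rc >> 8) . "\n";
}

# Constructed inputs: the benign lookup from the advisory, the injection string
# it describes, and an option-looking name. Run as a plain script to see which
# ones are refused.
if (!caller) {
    for my $probe ('nositehere.nope', 'nositehere.nope;id;uname -a;', '-f') {
        my $v = validate_host($probe);
        printf "%-32s => %s\n", $probe, defined $v ? 'accepted' : 'rejected';
    }
}
```

Only the first probe is accepted; the other two are rejected before any command is built.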


[Vendor Contact]

Sent email to security@...st.net on August 19th.

Problem fixed August 21, 2003


[Contact Info]

Report can be viewed online
http://www.socialgeeks.com/advisories/qwest_aug_21_2003.php

Submitted to list on August 21, 2003 by Dan Daggett

