Message-ID: <1061507369.7901.13.camel@localhost.localdomain>
From: csiwebmaster at csi.edu (Dan Daggett)
Subject: Command Injection Vulnerability in stat.qwest.net
[Vulnerable Site]
http://stat.qwest.net
[Site Purpose]
Site can be used by network administrators and engineers to test network
connectivity, view Qwest's backbones, and test latency across Qwest's
network.
[Vulnerable Page]
http://stat.qwest.net/cgi-bin/jlg-new.pl
This page can be accessed through
http://stat.qwest.net/looking_glass.html
[Page Purpose]
Run ping and traceroute from various routers/computers in many locations
across Qwest's network, including North America and Asia.
[Command Injection]
While running a ping on a site that wasn't up, the error message made me
realize that the Perl script was shelling out a command to a remote
system and tacking my input onto it.
For example in the dropdown box pick any router and select ping or
traceroute. In this case I selected ping. Type in a nonexistent site
such as nositehere.nope. Here is what was returned in the page.
/usr/sbin/ping: unknown host nositehere.nope
My next thought was whether or not proper checking had been done to
avoid escaping the command and running my own code. This time I used a
semicolon to add my own commands on to the end:
nositehere.nope;id;uname -a;
I put the ending semicolon on in case there were additional parameters
added to the ping command. Here is the result.
Pinging nositehere.nope;id; from atl-engr-01.inet.qwest.net
uid=60001(nobody) gid=60001(nobody)
[Problem Fix]
The vulnerability here lies in the fact that unfiltered user input is
passed by the Perl script directly to a shell command line. Something as
simple as verifying that only certain characters are passed to the
shell would prevent this.
For example this would drop any characters that were not alphanumeric,
dash, underscore, or a period. The dash has to be the last character in
the class (or escaped): written as [^A-Za-z0-9_-.], Perl reads "_-." as
a range and refuses the pattern with an "Invalid [] range" error.
$user_input =~ s/[^A-Za-z0-9_.-]//g;
Note that stripping characters silently changes the target (the input
above would be pinged as nositehere.nopeiduname-a), so rejecting the
request outright is the safer choice, and passing the host to ping as a
separate argument in a list-form system() or open() call keeps the shell
out of the picture entirely.
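The two patterns side by side, as an added example written for this page
(it is not the jlg-new.pl code from the advisory): the interpolating
shape the advisory describes, an allow-list check that rejects rather
than strips, and a list-form open that never goes through /bin/sh. The
ping flags, the hostname length bound and the sample inputs are
assumptions.

```perl
#!/usr/bin/perl
# Added example; not the jlg-new.pl script from the advisory.
# Assumed: the original interpolated the host into a command string.
use strict;
use warnings;

# Vulnerable shape (do not use): the string is handed to /bin/sh, so
# "nositehere.nope;id;uname -a;" runs ping, then id, then uname -a.
sub ping_unsafe {
    my ($host) = @_;
    return scalar `/usr/sbin/ping $host 2>&1`;
}

# Allow-list check for the host argument. Returns the host on success
# and undef on failure. The '-' is last in the class so it is a literal;
# [A-Za-z0-9_-.] would be rejected by Perl as an invalid range.
# The 253-byte bound is the DNS name length limit (assumed suitable here).
sub validate_host {
    my ($host) = @_;
    return unless defined $host;
    return if length($host) == 0 || length($host) > 253;
    return unless $host =~ /\A[A-Za-z0-9._-]+\z/;
    return if $host =~ /\A-/;   # a leading '-' would be parsed as a ping option
    return $host;
}

# Hardened: reject bad input instead of stripping it, then run ping via a
# list-form pipe open so each element becomes its own argv[] entry and no
# shell metacharacter handling takes place at all.
sub ping_safe {
    my ($host) = @_;
    my $clean = validate_host($host);
    return "rejected: bad host\n" unless defined $clean;
    my @cmd = ('/usr/sbin/ping', '-c', '3', $clean);   # flags assumed; adjust for the local ping
    open(my $fh, '-|', @cmd) or return "cannot run ping: $!\n";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

# Constructed inputs: a plain host, the advisory's payload, an option
# smuggling attempt, and a name using every allowed character class.
unless (caller) {
    for my $input ('www.example.com', 'nositehere.nope;id;uname -a;',
                   '-c 1 localhost', 'a-b_c.d') {
        my $v = validate_host($input);
        printf "%-32s => %s\n", $input, defined $v ? 'accepted' : 'rejected';
    }
}
```

Running the script prints accepted for www.example.com and a-b_c.d and
rejected for the other two; ping_safe() is only ever reached with a
value that passed validate_host(), and even then the host is a single
argv element, so a stray metacharacter could not reach a shell.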
[Vendor Contact]
Sent email to security@...st.net on August 19th.
Problem fixed August 21, 2003
[Contact Info]
Report can be viewed online
http://www.socialgeeks.com/advisories/qwest_aug_21_2003.php
Submitted to list on August 21, 2003 by Dan Daggett