[Full-Disclosure] Re: [0day] ExploitLabs.com CGI Script Irony (was: Vote Today)

From: morning_wood (se_cur_ity_at_hotmail.com)
Date: 06/13/03

    To: <mattmurphy@kc.rr.com>, "0day" <0day@nothackers.org>, <full-disclosure@lists.netsys.com>
    Date: Thu, 12 Jun 2003 17:44:41 -0700
    
    

    Matt, I did not say you threatened me and send you a letter stating my
    relationship (or not) with you.
    ----- Original Message -----
    From: <mattmurphy@kc.rr.com>
    To: <full-disclosure@lists.netsys.com>
    Cc: <0day@nothackers.org>
    Sent: Thursday, June 12, 2003 5:42 PM
    Subject: [0day] ExploitLabs.com CGI Script Irony (was: Vote Today)

    -=day - Freedom of Voice - Freedom of Choice =

    morning wood <se_cur_ity@hotmail.com> wrote:
    >some famous white hat's letter to Full Disclosure..
    >
    >-------------------- snippy -------------------------------------
    >
    >Len: It is my belief that list members who repeatedly post ridicule that
    >could not possibly be of any use for on-topic readers -- particularly those
    >who post such things without any other contributions -- should at least
    >have their right to post permanently stripped, if they are allowed to
    >remain subscribers at all. It is also my belief that Donnie Werner's
    >recent posts fit squarely into this category. Not only has Donnie Werner
    >continued to waste the effort of list maintainers and subscribers with
    >non-contributory e-mail, but he has also been extremely unprofessional in
    >the few cases where he has provided anything worth anyone's time. For this
    >reason, sorting through Donnie Werner's junk mail is not worth my time, or
    >the time wasted of anyone else on this list. It is with the highest regard
    >for Full-Disclosure as a place of promise in the continuing evolution of
    >information security, that I must urge the removal of Donnie Werner, as it
    >is in the best interest of all on the list, and the future of the list
    >itself.
    >
    >---------------- end snippy ---------------------------------------
    >
    >Ladies and Gentlemen... I am being systematically blackballed,
    >If I comment on one white hat, I get threats from two more..

    My question is this: how does my letter to Len (which I also CC'ed to
    Donnie) constitute blackmail/threats? By CC'ing Donnie, I specifically
    gave him an opportunity to respond, and specifically attempted to be
    professional about this by responding off-list to his posts. Not only did
    he not respect that, he re-posted my private e-mail to you without my
    permission. Donnie has not only broken ethical standards here, you have
    broken laws. I did not write that message (or the portion of the message
    which you have displayed) to the list, only to Len Rose and Donnie's
    private account.

    Since he did not have the professionalism or maturity to contact me
    off-list with these issues, and then violated moral, ethical and legal
    standards by copying my attempts to the list, Donnie has crossed a line
    that should not be crossed.

    Not only was my message private, it also makes no attempt to blackmail
    Donnie as he so irresponsibly claims. For the benefit of the lists, my
    message to Donnie is attached as "msg-001.txt". I had contemplated
    releasing the messages Donnie wrote in response to the list, but have
    decided not to do so, so that I do not become a repeat of the very issue my
    complaint is about. If Donnie would choose to provide it (or allow me to
    do so), his responses to me off-list indicate a tone that is very
    contradictory to what he posts here.

    I made no threats against Donnie or the list, and I made what I considered
    my best assessment of the situation -- that the incredibly high level of
    noise on the otherwise unmoderated list, combined with lax administration,
    would eventually cause the list to collapse. I made no threat to withhold
    information, or of my own plans to leave (I currently have none), so how
    could this possibly be considered a threat/blackmail attempt?

    P.S. - This message CC'ed to 0day@nothackers.org -- Donnie Werner's "list
    of 0day's", which has also received an unauthorized copy of my e-mail.

    Worse, Donnie is a classic example of the flaws he claims to prevent. See
    the advisory below:

    -----
    Filtering Flaws in ExploitLabs.com CGI Script

    Risk: High
    Impact: Critical: Execute commands of attacker's choice
    Exploit Difficulty: Minimal
    Systems Affected: ExploitLabs.Com Infinity Project (all versions)

    A security vulnerability has been identified in the
    "nph-exploitscanget.cgi" frontend of Donnie Werner's Infinity Scripts. By
    using a specially malformed URL query, it is possible to execute arbitrary
    commands as the user running the script. Solutions like suexec, file
    system limitation, and chroot may prevent successful compromise, but this
    vulnerability is severe in most instances.

    Donnie's script insecurely sanitizes the "host" URI parameter.
    Specifically, the script fails to block the UNIX backtick character:

    http://somesite.com/cgi-bin/nph-exploitscanget.cgi?host=`cat%20/etc/passwd``cat%20/etc/shadow`&port=80&errchk=0&idsbypass=0

    will reveal the username/password data dumped in an error message
    indicating a failed host ping. This requires httpd to be running as root,
    a dangerous practice. However, the ability to execute arbitrary commands
    allows for severe compromise in other areas. Also, the script does URL
    decoding after the command filter, apparently:

    $host =~ tr/+/ /;
    $host =~ tr/\%/a/;
    $host =~ tr/\;/b/;
    $host =~ tr/</c/;
    $host =~ tr/>/d/;
    $host =~ tr/\|/e/;
    $host =~ tr/\&/f/;
    $host =~ tr/\^/g/;
    $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

    So simple constructs such as:

    http://localhost/cgi-bin/nph-exploitscanget.cgi?host=127.0.0.1%20%7ccat%20/etc/passwd%3b

    May also work. Note that "%7C" is a URL-encoded pipe character ("|").

    Solution: Replace the previous script:

    $host =~ tr/+/ /;
    $host =~ tr/\%/a/;
    $host =~ tr/\;/b/;
    $host =~ tr/</c/;
    $host =~ tr/>/d/;
    $host =~ tr/\|/e/;
    $host =~ tr/\&/f/;
    $host =~ tr/\^/g/;
    $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

    with:

    $host =~ tr/+/ /;
    + $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    + $host =~ tr/\`/h/;
    $host =~ tr/\%/a/;
            $host =~ tr/\;/b/;
    $host =~ tr/</c/;
    $host =~ tr/>/d/;
    $host =~ tr/\|/e/;
    $host =~ tr/\&/f/;
    $host =~ tr/\^/g/;
    - $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
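Review bot: moving the `s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg` decode to the top of the block is the right ordering, but the added `+ $host =~ tr/\`/h/;` only lengthens a blacklist, and after decoding other shell-significant characters (quotes, `$`, backslash, newline) still reach whatever spawns the ping/lookup unchanged. Prefer validating the decoded value against a hostname whitelist and rejecting on mismatch, e.g. `return unless $host =~ /^[A-Za-z0-9.-]+$/;`, or avoid the shell altogether with gethostbyname() as the closing paragraph suggests. Worth stating in the advisory text as well: in the original order `tr/\%/a/` rewrote `%` before the decode ran, so the encoded-pipe URL above would have been mangled rather than decoded; the unfiltered raw backtick is the gap the original code actually leaves open.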

    Donnie Werner, you are a fraud -- you cannot even secure a basic Perl
    script. You don't use 'nslookup' to look up a hostname, you use the simple
    function call known as gethostbyname() that is part of the Perl core.
    -----


    _______________________________________________
    0day mailing list
    0day@nothackers.org
    http://nothackers.org/mailman/listinfo/0day
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
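An added example, not from the advisory or from the Infinity scripts: the quoted filter reproduced in its original order as one function, beside the whitelist check and core-library resolver that the closing paragraph of the advisory argues for. The names `sanitize_original`, `valid_host` and `resolve_host`, the hostname pattern and the probe inputs are assumptions of this example; the Socket calls are the real Perl core API.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_aton inet_ntoa);

# The filter in the order the advisory quotes: metacharacter rewriting first,
# URL decoding last.  The backtick is never touched, which is the reported bug.
sub sanitize_original {
    my ($host) = @_;
    $host =~ tr/+/ /;
    $host =~ tr/%/a/;      # '%' is rewritten here, before the decode below runs
    $host =~ tr/;/b/;
    $host =~ tr/</c/;
    $host =~ tr/>/d/;
    $host =~ tr/|/e/;
    $host =~ tr/&/f/;
    $host =~ tr/^/g/;
    $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    return $host;
}

# Assumed replacement: a whitelist instead of a blacklist.  Only labels of
# letters, digits and hyphens joined by dots are accepted; anything else is
# rejected outright rather than rewritten into something "safe".
sub valid_host {
    my ($host) = @_;
    return 0 unless defined $host && length($host) <= 253;
    return $host =~ /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?
                     (?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/x ? 1 : 0;
}

# Resolve through the Perl core (Socket::inet_aton uses gethostbyname) so no
# shell is ever involved; returns undef for rejected or unresolvable input.
sub resolve_host {
    my ($host) = @_;
    return undef unless valid_host($host);
    my $packed = inet_aton($host);
    return defined $packed ? inet_ntoa($packed) : undef;
}

# Constructed inputs: a plain name, a dotted quad, a raw backtick, a '+' and an
# encoded pipe.  Only the first two pass the whitelist; the backtick survives
# the original filter unchanged, and the encoded pipe is mangled rather than
# decoded because '%' was rewritten first.
for my $h ('scan.example', '127.0.0.1', 'a`b`', 'x+y', 'h%7cc') {
    printf "%-12s filter=%-12s whitelist=%s\n",
        $h, sanitize_original($h), valid_host($h) ? 'accept' : 'reject';
}
print "127.0.0.1 resolves to ", resolve_host('127.0.0.1'), "\n";
```

The dotted-quad case resolves offline; resolving a real name through `resolve_host` needs working DNS, and a failed lookup comes back as undef instead of an error string that echoes the input.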

