[UNIX] Network Query Tool Command Execution Vulnerability

From: support@securiteam.com
Date: 10/23/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Network Query Tool Command Execution Vulnerability
Message-Id: <20011022222847.A9345138C9@mail.der-keiler.de>
Date: Tue, 23 Oct 2001 00:28:47 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Network Query Tool Command Execution Vulnerability
------------------------------------------------------------------------

SUMMARY

 <http://www.shat.net/php/nqt/> Network Query Tool (NQT) is a one-stop
solution for getting information about a domain or IP address. Instead of
manually using different UNIX commands or visiting numerous websites to
"investigate" a host, just load Network Query Tool and enter the hostname
or IP. A security vulnerability in the product allows attackers to cause
it to execute arbitrary UNIX commands.

DETAILS

Network Query Tool does not check the $target value for special shell
meta-characters such as: &;`'"|*?~^()[]{}$ before passing it to the shell.
This allows any user to execute UNIX commands on the web server.

The problem can be found here:
    if (! $msg .= trim(nl2br(`ping -c5 $target`)))
And here:
    if (! $msg .= trim(nl2br(`dig any $target`)))
And here:
    if (! $msg .= trim(nl2br(`/usr/sbin/traceroute $target`)))

Exploit:
Execute 'ls -l' command.
http://www.example.com/network_query.php?
portNum=80&queryType=all&target=www.someserver.com%3Bls+-l&Submit=Do+It
(NOTE: URL has been split into two lines)

Status:
The program's coders have been alerted.

Temporary fix:
Use this at the beginning of your PHP script:

// Escape only; do not wrap this in system(), which would execute $target itself.
$target = escapeshellcmd($target);
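
A stricter alternative to escaping alone is to accept only a hostname or IP address and then quote it as a single argument. The following is an added example, not code from the advisory or from NQT; the function names nqt_validate_target() and nqt_build_command() are hypothetical, the sample inputs are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: allowlist validation for NQT's $target before it reaches the shell.
// nqt_validate_target() and nqt_build_command() are hypothetical names, not NQT code.

function nqt_validate_target(string $raw): ?string
{
    $t = trim($raw);
    // Accept a literal IPv4/IPv6 address as-is.
    if (filter_var($t, FILTER_VALIDATE_IP) !== false) {
        return $t;
    }
    // Otherwise require a DNS hostname: dot-separated labels of letters, digits
    // and hyphens, no label starting or ending with a hyphen, 253 chars at most.
    // A leading "-" is therefore rejected, so the value cannot be read as an option.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (strlen($t) <= 253 && preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $t)) {
        return $t;
    }
    return null;
}

function nqt_build_command(string $tool, string $raw): ?string
{
    // Fixed command prefixes, taken from the three calls quoted in the advisory.
    $tools = [
        'ping'       => 'ping -c5',
        'dig'        => 'dig any',
        'traceroute' => '/usr/sbin/traceroute',
    ];
    $target = nqt_validate_target($raw);
    if ($target === null || !isset($tools[$tool])) {
        return null;
    }
    // escapeshellarg() quotes the value as a single argument (defence in depth).
    return $tools[$tool] . ' ' . escapeshellarg($target);
}

// Constructed sample inputs; the second is the target value from the advisory's URL.
$samples = ['www.someserver.com', 'www.someserver.com;ls -l', '192.0.2.10', '-c1000'];
foreach ($samples as $s) {
    $cmd = nqt_build_command('ping', $s);
    echo str_pad($s, 28), ' => ', $cmd ?? 'REJECTED', PHP_EOL;
}
```

The first and third samples produce a quoted command line; the second and fourth are rejected before any shell call is built.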

ADDITIONAL INFORMATION

The information has been provided by
<mailto:aurelien.cabezon@iSecureLabs.com> Cabezon Aurélien.
