[UNIX] AdStreamer Allows Execution of Arbitrary Commands

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 26 Dec 2001 10:26:51 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

AdStreamer Allows Execution of Arbitrary Commands
------------------------------------------------------------------------

SUMMARY

AdStreamer (http://www.sha-la-la.com/adstreamer/) is a free banner manager
system that allows thousands of banners to be placed on hundreds of web
sites in one complete environment. A security vulnerability in the product
allows remote attackers to execute arbitrary commands.

DETAILS

Vulnerable systems:
AdStreamer version 1.0

The CGI scripts contain many two-argument open() calls whose filename is
built from user-supplied input. Because two-argument open() parses the
string itself for mode characters, such calls can be exploited with the
usual Perl tricks: ../ to reach files outside the intended directory, %00
(a NUL byte) to truncate the filename, | to make open() run a command
instead of reading a file, etc.

bash-2.05$ egrep 'open|system|exec|eval' *.cgi
addbanner.cgi:# This script is apart of the Banner Manager system. It will add banners
addbanner.cgi:open(HEADERFILE, "banner/$thebannercat.dat") || die("error opening the file $thebannercat.dat");
addbanner.cgi:open(HEADERFILE, ">banner/$thebannercat.dat") || die("error opening the file $thebannercat.dat");
addbanner.cgi: open(HEADERFILE, ">>banner/$logfile") || die("error opening the file $logfile");
addbanner.cgi: open(HEADERFILE, ">banner/$logfile") || die("error opening the file $logfile");
banner.cgi:# This script is apart of the Banner Manager system. It adds banner
banner.cgi:open(HEADERFILE, "$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
banner.cgi:open(HEADERFILE, ">$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
banner.cgi: open(HEADERFILE, ">>$logfile") || die("error opening the file $logfile");
banner.cgi: open(HEADERFILE, ">$logfile") || die("error opening the file $logfile");
bannereditor.cgi:# This script is apart of the Banner Manager system. It preforms banner
bannereditor.cgi:open(HEADERFILE, "titles.dat") || die("error opening the file titles.dat");
bannereditor.cgi: open(HEADERFILE, "$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
bannereditor.cgi: open(HEADERFILE, ">$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
bannereditor.cgi: open(HEADERFILE, "$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, ">categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, ">ref.dat") || die("error opening the file ref.dat");
bannereditor.cgi: open(HEADERFILE, ">titles.dat") || die("error opening the file titles.dat");
bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, "$cat.dat") || die("error opening the file $cat.dat");
bannereditor.cgi: open(HEADERFILE, ">$cat.dat") || die("error opening the file $cat.dat");
bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, "$cat.dat") || die("error opening the file $cat.dat");
bannereditor.cgi: open(HEADERFILE, ">>ref.dat") || die("error opening the file ref.dat");
bannereditor.cgi: open(HEADERFILE, ">>titles.dat") || die("error opening the file titles.dat");
bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, "$cat.dat") || die("error opening the file $cat.dat");
bannereditor.cgi: open(HEADERFILE, ">>$cat.dat") || die("error opening the file $cat.dat");
bannereditor.cgi: open(HEADERFILE, ">$input{'newcat'}.dat") || die("error opening the file $input{'newcat'}.dat");
bannereditor.cgi: open(HEADERFILE, ">>categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, "$cat.dat") || die("error opening the file $cat.dat");
bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, "ref.dat") || die("error opening the file ref.dat");
jump.cgi:# This script is apart of the Banner Manager system. It recieves every
jump.cgi:open(HEADERFILE, "ref.dat") || die("error opening the file ref.dat");
jump.cgi: open(HEADERFILE, ">>$logfile") || die("error opening the file $logfile");
jump.cgi: open(HEADERFILE, ">$logfile") || die("error opening the file $logfile");
report2.cgi:# This script is apart of the Banner Manager system. It generates reports
report2.cgi:open(HEADERFILE, "titles.dat") || die("error opening the file titles.dat");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi: open(HEADERFILE, "$file.log") || die("error opening the file $file.log");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi: open(HEADERFILE, "$file.log") || die("error opening the file $file.log");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi: open(HEADERFILE, "$file.log") || die("error opening the file $file.log");
report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file $input{'log'}");
report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file $input{'log'}");
report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file $input{'log'}");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");

ADDITIONAL INFORMATION

The information has been provided by GOBBLES LABS (GOBBLES@hushmail.com).



