"Cthulhu xhAze" - Command execution in Ans.pl

From: b0iler _ (b0iler@hotmail.com)
Date: 02/21/02


From: "b0iler _" <b0iler@hotmail.com>
To: bugtraq@securityfocus.com
Date: Thu, 21 Feb 2002 00:57:46 -0700


#!/exploit/by/b0iler
# script name: Ans.PL
# Primary author of script: Avenger
# script url: http://ans.gq.nu/

"Avenger's News System (ANS) is a PERL-based solution to creating an
easy-to-update and easy-to-maintain web site. Instead of constantly
uploading new news pages and wrestling with HTML, you can post stuff via a
web-based form."

The variable $QUERY is defined in the config file as:
<define QUERY>"$ENV{'QUERY_STRING'}"

When the script is run it first checks for a post, then it checks for a plugin.
The problem is in the plugin subroutine:

  if (substr($QUERY, 0, 2) eq "p=")
  {
    $plugin = substr((split /&/, $QUERY)[0], 2);
    if (index("$QUERY", "&") < 0) { $QUERY = ""; }
                             else { $QUERY = substr($QUERY, index("$QUERY", "&")+1); }

    open (PLUGIN, "$FILE_LOCATION/$plugin");
    @plugin = <PLUGIN>;
    close (PLUGIN);

    eval("@plugin");
    exit;
  }

No filtering is done on the user-supplied $plugin, and open() is called in its two-argument form, so a $plugin ending in | makes Perl run the preceding path as a command instead of reading it as a file, and the .. components let that path reach any binary on the system. Command execution is therefore possible.

Exploit: ans.pl?p=../../../../bin/command argument|&blah

Fix: filter shell metacharacters and .. out of the plugin name, and always give open() an explicit mode (<, <<, >, >>) so the filename can never be interpreted as a pipe.

Replace the code above with this:

if (substr($QUERY, 0, 2) eq "p="){
        $plugin = substr((split /&/, $QUERY)[0], 2);
        if (index("$QUERY", "&") < 0) { $QUERY = ""; }
                else { $QUERY = substr($QUERY, index("$QUERY", "&")+1); }

        # filter $plugin after the p=...&... split, otherwise the escaped &
        # would break the split and leave a stray \ on the plugin name
        $plugin =~ s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g; #filter meta characters
        $plugin =~ s/\.\.//g; #filter double dot (..)

        open (PLUGIN, "<$FILE_LOCATION/$plugin") or die "cannot open plugin: $!"; #added a < to the open() - readonly
        @plugin = <PLUGIN>;
        close (PLUGIN);

        eval("@plugin");
        exit;
}
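
As an added example (not the advisory's or ANS's own code), a stricter version of the same fix: instead of escaping metacharacters it whitelists the plugin name, checks that the resolved path stays under $FILE_LOCATION, and uses three-argument open() so the name can never be read as a pipe or redirection. The function name load_plugin and the File::Temp demo directory are assumptions for the demo.

```perl
# Added example, not ANS's own code: a stricter replacement for the
# open()/eval() plugin block.  Whitelists the plugin name and uses
# three-argument open(), so "cmd|", "<file" or ">file" can never be opened.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Spec;
use File::Temp qw(tempdir);

# $file_location is the ANS $FILE_LOCATION directory, $query the raw
# QUERY_STRING.  Returns the plugin source (for the caller to eval), or
# dies with a short reason meant for the error log, not for the browser.
sub load_plugin {
    my ($file_location, $query) = @_;
    return undef unless substr($query, 0, 2) eq 'p=';
    my $plugin = substr((split /&/, $query)[0], 2);

    # Whitelist: plain file name with an alphanumeric start; rejects '/',
    # '|', '<', '>', ';', quotes, backticks and '..' in one go.
    die "bad plugin name\n"
        unless $plugin =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/ && $plugin !~ /\.\./;

    # Belt and braces: the resolved path must stay inside $file_location
    # even if the whitelist is relaxed later.
    my $base = abs_path($file_location) or die "bad plugin directory\n";
    my $path = abs_path(File::Spec->catfile($base, $plugin))
        or die "plugin not found\n";
    die "plugin outside $base\n" unless index($path, "$base/") == 0;

    # Three-argument open: '<' is the mode, $path is only ever a file name.
    open(my $fh, '<', $path) or die "cannot read plugin: $!\n";
    my $source = do { local $/; <$fh> };
    close $fh;
    return $source;
}

# Constructed demo: a throw-away plugin directory with one harmless plugin
# (its contents are returned, not eval'd, here).
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/news.pl") or die $!;
print $out "1;\n";
close $out;

for my $q ('p=news.pl&page=2',
           'p=../../../../bin/command argument|&blah',
           'p=news.pl|&x') {
    my $src = eval { load_plugin($dir, $q) };
    (my $err = $@) =~ s/\n//g;
    printf "%-42s -> %s\n", $q, defined $src ? 'loaded' : "rejected ($err)";
}
```

Only the first query string loads; the two traversal/pipe variants from the advisory are rejected at the whitelist before any file is touched.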

I attempted to contact the author on 2/1/02 but they haven't responded.
