Vulnerability in Upload Lite 3.22 that could allow somebody to upload/execute code on a remote host.

• Previous message: Claes Nyberg: "OpenBSD lprm(1) exploit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 8 Mar 2003 13:01:03 -0000
From: Sil <sil@linuxquestions.net>
To: bugtraq@securityfocus.com

There is a vulnerability in Upload Lite 3.22 that could allow somebody to
upload/execute code on a remote host.

The exploit was tested on Windows and as far as I know it will only work
on windows.. It will not work on *nix because of file permissions.

Upload Lite 3.22 from PerlScriptsJavaScripts.com
"The ultimate free uploader with admin specified restrictions on file
types and sizes"

How to exploit:

Using a form with 2 fields such as:

--------------------------------

<form action="http://www.example.com/cgi-bin/upload.cgi" method="post"
enctype="multipart/form-data">
File 1, Same filename as file2<br>
<input type="File" name="FILE1"><br>
File 2, The code you plan to execute, with same filename as
file1<br><input type="File" name="FILE2"><br>
<input type="Submit" value="Submit"></p>
</form>

--------------------------------

By uploading 2 of the same file (with the same filename - this is
important, any size, even above the maximum limit) the first temporary
file that gets created when the files are being uploaded gets deleted, the
second temporary file does not get deleted, this is the file that may
contain malicious code.

The temporary file is saved as CGItemp<random number>

To find the file you've uploaded you could write a program to count up and
append the number to the filename "CGItemp". There may be other incomplete
files, but you will eventually find the file you're looking for..

After the temporary file has been found the attacker could then access the
file that he/she has uploaded and the host could then be taken over by
using a backdoor cgi script, etc... (use your imagination).

You must also spoof the referring URL in the http header so that the
script thinks you're uploading from the site you're supposed to be
uploading from.

Any host running this script is a potential target. I would recommend not
using this script until a patch or new version is released.

Example of script to be run on host:

--------------------------------

#!C:\Perl\Bin\Perl.exe

print ("Content-Type: text/html\n\nUh Oh! It works!\n");

--------------------------------

Of course somebody could use malicious code very easily... but i'm not
going to give out code which could be used in a bad way. :-)

If you have any questions or comments please feel free to contact me.

----------
Saturday, March 8, 2003

-Sil
http://www.silenttech.com
e-mail: sil@linuxquestions.net

• Previous message: Claes Nyberg: "OpenBSD lprm(1) exploit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]