Gast Arbeiter Privilege Escalation

natok_at_hush.com
Date: 10/21/03

  • Next message: Thor Larholm: "RE: IE remote code execution"
    Date: Mon, 20 Oct 2003 15:07:37 -0700
    To: bugtraq@securityfocus.com, vuln-dev@securityfocus.com, vulnwatch@vulnwatch.org
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - - - ------------------------------------------------------------
    NATOK security labs natok at hush.com
    October 20th, 2003 Privilege Escalation
    - - - ------------------------------------------------------------

    - - - Overview

      Software : Gast Arbeiter <= 1.3
      Vendor : Petr Bartels <petr.bartels@gmx.net>
      Vulnerability : Privilege Escalation
      Status : Author has been notified
      Type : Remote

    - - - Description

       NATOK security labs discovered a security hole in the instant
       messaging tool Gast Arbeiter, written by the Polish software
       engineer Petr Bartels.

       By sending a specially crafted request to the file upload CGI we
       are able to write to any file the web server user can write,
       which may lead to privilege escalation.

    - - - Problem Description

       Gast Arbeiter is an instant messaging tool written in Perl
       that allows people from all around the world to chat with
       each other. The project is maintained by Petr Bartels.

       According to the official website the software has been
       downloaded over five thousand times.

       Gast Arbeiter includes a feature to upload individual files
       via a CGI interface. Because the supplied file name is not
       validated before it is used as a path, the upload can write
       to any file.

    - - - Technical Description

       The following vulnerability is present in Gast Arbeiter <= 1.3.
       The upload CGI takes the file name straight from the request
       and appends it to the incoming directory:

       # Fetching CGI params: req_file is attacker-controlled and is
       # concatenated onto the path without any validation
       $exch_file = "$DATA_DIR/incoming/" . $cgi->param('req_file');

       # Writing data: a req_file such as "../../some/file" escapes
       # incoming/, and ">" truncates and overwrites the target
       open(FH, "> $exch_file") or die("can't write file: $!");
       print FH $cgi->param('body');
       close(FH);

       This lets a remote attacker create or overwrite any file that
       the CGI process (normally the web server user) is allowed to
       write, with content of their choosing.

    - - - Exploit

       No Public Exploit. Please contact me to get your version.

    - - - Patch

       Please change the source code:

       $tmp = $cgi->param('req_file');
       $tmp =~ s/\.\.//g;    # remove every ".." so the name cannot leave incoming/

       $exch_file = "$DATA_DIR/incoming/" . $tmp;
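       The following is an added example written for this page; it is
       neither Gast Arbeiter's code nor the author's patch. It places the
       advisory's vulnerable path construction, the proposed ".." stripping
       and an allow-list alternative side by side and runs them over a few
       constructed request values. The data directory, the probe strings
       and the helper names are assumptions. Stripping ".." does stop the
       directory traversal shown above, but as a deny-list it still accepts
       everything else (nested directories, leading dots, NUL bytes), and
       the original open() with ">" still truncates whatever already exists
       in incoming/. The allow-list version accepts one plain file name,
       re-checks the canonical path against the directory and opens with
       O_EXCL so an existing file or a planted symlink is never overwritten.

```perl
#!/usr/bin/perl
# Added example, not Gast Arbeiter's code: the advisory's path construction,
# its proposed patch, and an allow-list alternative, fed constructed input.
use strict;
use warnings;
use File::Spec;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

my $DATA_DIR = '/var/www/ga-data';    # assumed location, for illustration

# 1. As in the advisory: req_file is appended to the directory unchanged,
#    so "../" sequences walk out of incoming/.
sub vulnerable_path {
    my ($req_file) = @_;
    return "$DATA_DIR/incoming/" . $req_file;
}

# 2. The advisory's patch: delete every ".." and keep the rest.
sub patched_path {
    my ($req_file) = @_;
    (my $tmp = $req_file) =~ s/\.\.//g;
    return "$DATA_DIR/incoming/" . $tmp;
}

# 3. Allow-list: accept a single plain file name (alphanumerics, dot,
#    underscore, dash; no leading dot, no separators, no NUL), then
#    confirm the canonical path is still under incoming/.
sub safe_path {
    my ($req_file) = @_;
    return undef unless defined $req_file;
    return undef unless $req_file =~ /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/;
    my $dir  = File::Spec->catdir($DATA_DIR, 'incoming');
    my $path = File::Spec->canonpath(File::Spec->catfile($dir, $req_file));
    return undef unless index($path, "$dir/") == 0;
    return $path;
}

# Write only to a name that passed safe_path(). O_EXCL makes the open fail
# if the file already exists or is a symlink planted in incoming/, so
# nothing is truncated or redirected; mode 0600 keeps it private.
sub store_upload {
    my ($req_file, $body) = @_;
    my $path = safe_path($req_file);
    return 0 unless defined $path;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return 0;
    print {$fh} $body;
    close($fh) or return 0;
    return 1;
}

# Make embedded NUL bytes visible when printing.
sub show {
    my ($s) = @_;
    $s =~ s/\0/\\0/g;
    return $s;
}

# Constructed request values; no server or real file system is touched.
my @probes = (
    'note.txt',                  # legitimate name
    '../../../tmp/evil.pl',      # classic traversal
    '....//....//tmp/evil.pl',   # doubled dots: the global strip removes both pairs
    "note.txt\0../../x",         # NUL truncation attempt
    'sub/dir/file',              # nested path, still accepted by the patch
);

for my $p (@probes) {
    my $safe = safe_path($p);
    print 'req_file   : ', show($p), "\n";
    print 'vulnerable : ', show(vulnerable_path($p)), "\n";
    print 'patched    : ', show(patched_path($p)), "\n";
    print 'allow-list : ', (defined $safe ? $safe : 'REJECTED'), "\n\n";
}
```

       Running the script prints, for each probe, where the three variants
       would write. store_upload() is the piece that would replace the
       open()/print/close sequence in the CGI; it is defined but not called
       here so the example does not touch the file system.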

    - - - Greets

       ... to the Legion of Dotness - my Family!
       ... to Gadu Gadu - my Religion!
       ... to Poland - my Country!


        contact: r00t@natok.de

    -----BEGIN PGP SIGNATURE-----
    Note: This signature can be verified at https://www.hushtools.com/verify
    Version: Hush 2.3

    wkYEARECAAYFAj+UXKoACgkQK+B0NVtqTQPnuQCfZk3AH/RqTxtjb78jqUDfZ9DuYHcA
    n1mZlv2gYgTAj8qGn+acsyhZDh8m
    =xcue
    -----END PGP SIGNATURE-----
