hi, there are still several security holes in the nlog cgi scripts that allow arbitrary execution of commands.. one such vulnerability is here in rpc-nlog.pl:

  $ipaddr = $ENV{'QUERY_STRING'};
  $ipaddr =~ s/\n//g;
  $ipaddr =~ s/\`//g;
  $ipaddr =~ s/\'//g;
  $ipaddr =~ s/\|//g;
  $ipaddr =~ s/\"//g;
  $ipaddr =~ s/\<//g;
  $ipaddr =~ s/\>//g;
  $rpcdata = `$rpcinfo -p $ipaddr`;

this is insufficient checking as it does not include ; and / for example, so a user can put in a command separator and execute commands that way..

duke

>
> n l o g - nmap 2.x log management and analyzer toolkit
> ------------------------------------------------------------------------------
>
> Download and Live Demo at: http://owned.commotion.org/~spinux
>
> From the README:
> ----------------------------
>
> NLog is a set of PERL scripts for managing and analyzing your nmap 2.0+ log
> files. It allows you to keep all of your scan logs in a single searchable
> database. The CGI interface for viewing your scan logs is completely
> customizable and easy to modify and improve. The core CGI script allows you
> to add your own extension scripts for different services, so all hosts with
> a certain service running will have a hyperlink to the extension script.
>
> An Overview:
> ------------------
>
> Basically this is a multi-purpose web-based nmap log browser. The extension
> scripts allow you to get detailed information about specific services like
> netbios, the RPC services, the finger service, and BIND version of a DNS
> server. It is extremely easy to create your own extensions for things like
> a snmpwalk wrapper, a popper vulnerability check, etc.
>
> Nlog provides a standard database format to build your own scripts for any
> purpose. Whether to provide a graphical representation of a network or as a
> web based service gateway to an internal network. Included are the example
> CGI scripts, the nmap log to database conversion tool, a sample template for
> building your own PERL scripts, and a couple of extra scripts for dumping IP's
> from a domain and the like.
>
> A possible use of nlog is for a network administrator who scans his local
> network regularly, to make sure none of the machines are listening on weird
> ports and that they all are running the services they should be. A cron
> script could scan his internal network, convert the log files to the
> database format and store them on a web server by time or date. The
> administrator could then load the nlog search form page, preferably protected
> by the normal http authentication methods, and run comparisons between
> databases collected on different dates or at different times from anywhere.
> If the web server is on a gateway machine, he could run RPC or finger
> requests on the internal hosts through the CGI interface, thus removing his
> need to be on the possibly firewalled or masqued network to check a host's
> status.
>
> This code is being released under no type of copyright. I only ask that if
> you are to use this in a commercial product, give me credit for the work
> I've done.
>
> --HD
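The fix for the class of bug duke describes is to stop enumerating bad characters and instead accept only what a valid argument can look like, and to never hand the value to a shell at all. The following is an added example, not code from the nlog distribution or from either poster; the path in $rpcinfo and the names valid_ipv4() and rpc_query() are assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not nlog code): hardened replacement for the blacklist
# filter quoted from rpc-nlog.pl. $rpcinfo, valid_ipv4() and rpc_query()
# are assumed names for illustration.
use strict;
use warnings;

# Taint mode (-T) refuses to pass CGI input to a subprocess until it has
# been explicitly untainted, and requires a fixed PATH before exec'ing.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $rpcinfo = '/usr/sbin/rpcinfo';    # assumed location of the rpcinfo binary

# Allowlist instead of blacklist: accept only a dotted-quad IPv4 address and
# return the untainted copy. Anything else (';', '/', '$', spaces, newlines)
# is rejected without having to guess which characters a shell cares about.
sub valid_ipv4 {
    my ($s) = @_;
    return undef unless defined $s;
    # \A and \z (not ^ and $): a trailing newline must fail the match too.
    return undef unless $s =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    my @octets = ($1, $2, $3, $4);    # regex captures are untainted under -T
    return undef if grep { $_ > 255 } @octets;
    return join '.', @octets;
}

# Run rpcinfo without a shell: the list form of open() passes each argument
# straight to execvp(), so a command separator could never be interpreted.
sub rpc_query {
    my ($ipaddr) = @_;
    my $clean = valid_ipv4($ipaddr);
    die "rejected input\n" unless defined $clean;
    open(my $fh, '-|', $rpcinfo, '-p', $clean)
        or die "cannot run $rpcinfo: $!\n";
    my $rpcdata = do { local $/; <$fh> };
    close $fh;
    return $rpcdata;
}

# Constructed inputs: only validation runs here, so no network is needed.
for my $q ('10.0.0.5', '10.0.0.5;id', '10.0.0.5/x', "10.0.0.5\n", '300.1.1.1') {
    my $clean = valid_ipv4($q);
    printf "%-12s => %s\n", $q =~ s/\n/\\n/gr,
        defined $clean ? "accepted ($clean)" : 'rejected';
}

# A real rpcinfo query runs only when an address is given on the command line.
print rpc_query($ARGV[0]) if @ARGV;
```

Run it as `perl -T example.pl` (or directly via the shebang) so taint checking is active; of the five constructed inputs only the first is accepted.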
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:26:20 PDT