More Alibaba Web Server problems...

From: Kerb (kerbat_private)
Date: Wed Nov 03 1999 - 15:19:22 PST


    Hello BugTraq'ers.  I've yet to get around to writing the exploit for
    Alibaba that was previously described, but I have found new
    bugs.  Using specially formed URLs, I was able to list,
    view, create, delete, and/or execute any file I wanted.
    Here are a few examples:
    
    http://www.victim.com/cgi-bin/get32.exe|echo%20>c:\command.com
    allowed me to overwrite the command.com file.  No explanation
    necessary there.  Also, I was able to echo machine code bytes into
    a file, so the possibility of a trojan enters the picture.  If they had FTP
    running, I guess it wouldn't be much more than a trivial task to write
    a URL that copies the trojan binary into the CGI directory and point
    your browser at the trojan to execute it.  Or even easier, just create
    a URL that will write the binary data of the trojan into an EXE right
    in the CGI directory.
    
    http://www.victim.com/cgi-bin/alibaba.pl|dir
    allowed me to have a directory listing of all files in CWD, which happens to be
    the CGI directory.  This could be useful for a couple things.  One, finding out the
    full path to the CGI directory, for using exploits such as the one listed before
    this one.  Another would be to find files for overwriting (using the > operator)
    or executing.  Another possible use would be to list all *.pwl in the windows
    directory.
    
    http://www.victim.com/cgi-bin/tst.bat|type%20c:\windows\win.ini
    This URL allowed me to view the entire contents of the c:\windows\win.ini file.
    No explanation necessary there.
    
    I chose those 3 CGIs (out of the 15 that came with my install) because they
    are of different types; an EXE, a PL, and a BAT.  Basically the examples I
    used above are just ideas of what CAN be done.
    
    BTW, I didn't bother to notify Alibaba, as this "is freeware"
    so they "don't offer any support" as I believe it was worded.
    
    -Kerb-
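As an added example (not part of Kerb's post and not code from the Alibaba server), here is a check a defender could run over web server access logs for the request shape described above: a script name under /cgi-bin/ immediately followed by a pipe character, literal or percent-encoded. It assumes Common Log Format lines; the sample log entries are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Nov/1999:15:19:22 -0800] "GET /cgi-bin/get32.exe|echo%20>c:\\command.com HTTP/1.0" 200 12
192.0.2.11 - - [03/Nov/1999:15:20:01 -0800] "GET /cgi-bin/alibaba.pl%7Cdir HTTP/1.0" 200 4096
192.0.2.12 - - [03/Nov/1999:15:21:45 -0800] "GET /cgi-bin/tst.bat HTTP/1.0" 200 31
192.0.2.13 - - [03/Nov/1999:15:22:10 -0800] "GET /index.html HTTP/1.0" 200 512
"""

# Pull the request target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A CGI script name followed by a pipe; no legitimate CGI request looks like this.
CGI_PIPE_RE = re.compile(r'^/cgi-bin/(?P<script>[^|/?]+)\|(?P<cmd>.*)$')


def parse_request_target(line):
    """Return the request target (path plus query) of a CLF line, or None."""
    m = REQUEST_RE.search(line)
    return m.group("target") if m else None


def find_cgi_pipe_injection(line):
    """Return (script, trailing_command) if the line carries a pipe after a
    /cgi-bin/ script name, else None.  Percent-decoding first means an
    encoded pipe (%7C) is caught as well as a literal one."""
    target = parse_request_target(line)
    if target is None:
        return None
    decoded = unquote(target)
    m = CGI_PIPE_RE.match(decoded)
    if not m:
        return None
    return m.group("script"), m.group("cmd")


def scan_log(text):
    """Return a list of (line_number, script, command) for every hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        hit = find_cgi_pipe_injection(line)
        if hit:
            hits.append((n, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for n, script, cmd in scan_log(SAMPLE_LOG):
        print(f"line {n}: pipe after {script!r} -> {cmd!r}")
```

Because a pipe never belongs in a CGI script name, any hit is worth treating as an attempted command injection rather than a false positive; the same check applies to request paths logged by a proxy or IDS in front of the server.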
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:37 PDT