Hello, Late last year I was tinkering w/ The Finger Server v0.82 and came across some bugs which let you execute shell commands under the privileges of the web server. It's available at http://www.glazed.org/finger/ I sent a number of messages to the Author but never received a reply .. I just remembered about it and checked it was still vulnerable and still being used around the net. It is. It's just another case of perl doing it's magic on an open() call. I haven't by any means audited the code, so there is undoubtably other problems, but here's the offending code I exploited: open (PLANS, "$plan_path$filename") || do { print "Can't open $plan_path$filename: $!"; return; }; It is called with the following arguments; finger.cgi?action=archives&cmd=specific&filename=99.10.28.15.23.username.plan It does minimal checking before there, really only making sure the username is valid, but for example by using: finger.cgi?action=archives&cmd=specific&filename=99.10.28.15.23.username.|<shell code>| you can execute whatever .. The server I was testing it on was running UBB, and I was easily able to use this to grab a couple of thousand accounts since it stores them in cleartext. (I promptly forgot those passwords .. it wouldn't be nice to do otherwise right? :) Regards, -- Iain Wade iwadeat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:37 PDT