Re: 72% of web base ping scripts allows attackers to pass malicious parameters

From: okrehelat_private
Date: Mon Jun 03 2002 - 06:12:57 PDT


    I also want to know, if the firewall has ICMP open in/out (it means that
    you can ping an internal host by conduit in firewall - NAT) if there is a
    way bypass by something to web server, could be Unicode bug, Transversal
    bug etc... I have seen firewalls on internet and they allow ping inside
    the network.
    Thank you.
    
    Ondrej
    
    
    
    
                                                                                                                                           
    From:     "John Thornton" <news@hackersdigest.com>
    Date:     06/01/2002 12:37 AM
    To:       <vuln-devat_private>
    cc:
    Subject:  72% of web base ping scripts allows attackers to pass malicious parameters
    
    
    
    
    I started to look into web sites that allow anyone to ping a host via web.
    I wanted to see if any of these scripts would allow me to execute a '|' so
    I could run commands of my choice on their server. Almost all of them pass
    this test; however, I was shocked to see how many allowed me to pass
    parameters to the ping program itself.
    
    Doing a search on Google for 'ping.asp' (for some reason url:ping.asp
    yields no results), I started to go down the list and would test each
    script by putting '127.0.0.1 -l' for a host. If the script returned 'Value
    must be supplied for option -l.' I knew that anyone could use this server
    for a DDOS attack. For example 'victim.com -l 65500 -t' would send very
    large ICMP packets to the victim until the Network Administrator notices
    that his server was ping flooding someone.
    
    Of all the scripts tested a very frightening 72% allowed me to pass
    parameters that would allow anyone to use it for a DDOS. Most of the
    servers that host these scripts are ISPs and universities that are sitting
    on large pipes to the internet. The real threat is that there is no vendor
    to alert. Most of these scripts are custom developed. I have informed the
    administrators of the vulnerable scripts that I have found but there are
    thousands out there.
    
    -John Thornton
    Editor in Chief
    Hacker's Digest Magazine
    http://www.hackersdigest.com
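
Added example, not part of either post above and not code from any of the scripts discussed: one way a web ping front end can reject the option-injection inputs quoted in the thread, by accepting only a single bare IP address or hostname and building the argument vector itself. The names `validate_target`, `build_ping_argv` and `PING_PREFIX`, and the choice of four echo requests, are assumptions made for illustration.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphen; may not start or end with a hyphen.
# Used with fullmatch so a trailing newline or other junk cannot slip through.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Options are fixed by the server (Windows ping syntax, as in the thread):
# four echo requests, default payload size. Nothing here comes from the request.
PING_PREFIX = ["ping", "-n", "4"]


class RejectedTarget(ValueError):
    """The submitted value is not a single bare hostname or IP address."""


def validate_target(raw: str) -> str:
    """Return a canonical ping target, or raise RejectedTarget."""
    if len(raw) > 253:
        raise RejectedTarget("too long")
    # IP literal: ipaddress refuses spaces, options and trailing characters.
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        pass
    # Hostname: every dot-separated label must match the strict pattern, so
    # whitespace, '|' and a leading '-' (an option) all fail here.
    labels = raw.rstrip(".").split(".")
    if all(_LABEL.fullmatch(label) for label in labels):
        return ".".join(labels).lower()
    raise RejectedTarget("not a hostname or IP address")


def build_ping_argv(raw: str) -> list:
    """Argument vector for subprocess.run(argv, shell=False, timeout=...)."""
    return PING_PREFIX + [validate_target(raw)]


if __name__ == "__main__":
    # Constructed inputs: two from the thread, one pipe attempt, one valid host.
    for sample in ["127.0.0.1 -l", "victim.com -l 65500 -t",
                   "127.0.0.1|dir", "example.com"]:
        try:
            print(repr(sample), "->", build_ping_argv(sample))
        except RejectedTarget as err:
            print(repr(sample), "-> rejected:", err)
```

Because the target is passed as one element of an argument list and never through a shell, even a value that passed validation could not add options or a pipeline; the validation additionally stops a value that is itself an option, such as `-t`.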
    



    This archive was generated by hypermail 2b30 : Mon Jun 03 2002 - 09:21:08 PDT