[1341] in linux-security and linux-alert archive


[linux-security] phf & Bash exploit

daemon@ATHENA.MIT.EDU (zeed)
Sat Dec 7 19:14:28 1996

Date: Fri, 6 Dec 1996 21:42:39 -0500 (EST)
From: zeed <zeed@inch.com>
Reply-To: zeed <zeed@inch.com>
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com

This is probably fairly well known; I found it by accident while reading
about the 0xFF command separator in older versions of the bash shell.

The newer phf cgi that comes with some versions of Picasso and Rembrandt
has been patched for the obvious 0x0A newline escape, but can still be
escaped using 0xFF.

It takes vulnerabilities in both phf and bash for it to work.

I have tested this very successfully on many linux machines. I would
imagine that most people are aware of the 0x0A escape and so when they
test it on their own box they think they are safe from phf exploitation.

The syntax for the exploit is almost identical to the older phf exploit.

To execute commands: (cat /etc/passwd)
http://server.net/cgi-bin/phf?Qalias=%ffcat%20/etc/passwd

I know this exploit isn't only confined to Linux, but it seems it's easiest
to exploit on Linux.

If everybody is aware of this, excuse me.
It's just that I don't think enough admins are aware of this, and they are
leaving their networks very open for exploitation.

Zeed 

[mod: Yes, this is old, boring stuff. The "new" thing in this post is
that there are still lots of sites vulnerable to this attack. Welllll,
maybe that's no news either. Maybe I was too lazy to write a rejection
notice -- REW :-]

(DY)
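The point the post makes for defenders is that checking only for the well-known %0A escape is not enough: any byte the old bash treated as a command separator (0x0A or 0xFF) in a phf query parameter is the signal to look for. The following log-scanning example is added here and is not part of the original post or of phf; it decodes the query string of each phf request in constructed Apache-style access-log lines (the sample lines below are made up) and reports which parameter carried a separator byte, so an admin can confirm whether their server has already seen this pattern.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines for illustration; not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Dec/1996:21:40:01 -0500] "GET /cgi-bin/phf?Qalias=x%0Acat%20/etc/passwd HTTP/1.0" 200 512
10.0.0.6 - - [06/Dec/1996:21:41:13 -0500] "GET /cgi-bin/phf?Qalias=%ffcat%20/etc/passwd HTTP/1.0" 200 612
10.0.0.7 - - [06/Dec/1996:21:42:39 -0500] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 340
10.0.0.8 - - [06/Dec/1996:21:43:00 -0500] "GET /index.html HTTP/1.0" 200 1024
"""

# Matches the quoted request line of a common-log-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Bytes the post identifies as command separators for the phf/bash combination:
# 0x0A (the widely patched newline case) and 0xFF (the one the post reports).
SEPARATOR_BYTES = {0x0A, 0xFF}


def flagged_separators(query):
    """Return {param_name: [hex bytes]} for each query parameter whose
    URL-decoded value contains a separator byte.  Decoding to bytes, not
    str, is what makes the 0xFF case visible."""
    hits = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        value = unquote_to_bytes(raw)
        bad = sorted({"0x%02x" % b for b in value if b in SEPARATOR_BYTES})
        if bad:
            hits[name] = bad
    return hits


def check_line(line):
    """Return a finding dict for a phf request carrying a separator byte,
    otherwise None.  Only the script name is matched, so the check does not
    depend on a particular cgi-bin path."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("path").partition("?")
    if not path.endswith("/phf"):
        return None
    hits = flagged_separators(query)
    if not hits:
        return None
    return {"client": line.split(" ", 1)[0], "path": path, "hits": hits}


def scan_log(text):
    """Scan a whole log (one entry per line) and return all findings in order."""
    return [h for h in map(check_line, text.splitlines()) if h]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running it on the sample reports the first two lines (0x0A and 0xFF in `Qalias`) and stays silent on the ordinary lookup and the unrelated request. The same decode-to-bytes approach applies to any CGI parameter that is handed to a shell, not just phf's `Qalias`.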

