Bugtraq mailing list archives

buggy msql again (v2.0.11)

From: gdn () NEUROCOM COM (gregory duchemin)
Date: Fri, 3 Sep 1999 16:02:25 -0000


hi,

i have just installed the evaluation version of the last 
w3-msql release (2.0.11) with its new security mechanism.
There is effectively this new option "Force_Suffix" in 
msql.conf that force msql server to take its documents 
inside its private root instead of server's one.

The cgi is actually still vulnerable because of numerous 
lacks in sources (take a look at storeArgs() in w3-msql.c). 
It's possible with a buffer overflow attack to gain web 
server priviledge and modify remotly  server content.

test it:

www.victim.com is the target site.

http://www.victim.com/cgi-bin/w3-msql/AAAAAAAAA.......AAAAA

with about a 200 chars length filename, the server response 
is "Internal Server Error" and the cgi produce a core file.
With a carrefully forged string including code instructions, 
it's possible to force remote server to execute arbitrary 
code.

i'm going to write an exploit.

Have a nice day

-------
Gregory Duchemin - gdn () neurocom com 
Security Engineer
NEUROCOM                            http://www.neurocom.com/ 
179/181 avenue Charles de Gaulle 92200 Neuilly Sur Seine 
Tel: 01.41.43.84.84                  Fax: 01.41.43.84.80

Current thread:

RH 6.0 shadowed users and user lock bug fix Prince Ctrl (Aug 30)
- Re: RH 6.0 shadowed users and user lock bug fix Mihai Ibanescu (Sep 02)
- buggy msql again (v2.0.11) gregory duchemin (Sep 03)
- DOS in Backup Exec Agent Mike Owen (Sep 03)