|
Vulnerability alibaba Affected Those using Alibaba Description Kerb found following. He found newb bugs. Using specially formed URL's, he was able to list, view, create, delete, and/or execute any file he wanted. Here are a few examples: http://www.victim.com/cgi-bin/get32.exe|echo%20>c:\command.com allows to overwrite the command.com file. No explanation necessary there. Also, he was able to echo machine code bytes into a file, so the possiblity of a trojan enters the picture. If ona has FTP running, it wouldnt be much more than a trivial task to write a URL that copies the trojan binary into the CGI directory and point your browser at the trojan to execute it. Or even easier, just create a URL that will write the binary data of the trojan into an EXE right in the CGI directory. http://www.victim.com/cgi-bin/alibaba.pl|dir allows to have a directory listing of all files in CWD, which happens to be the CGI directory. This could be useful for a couple things. One, finding out the full path to the CGI directory, for using exploits such as the one listed before this one. Another would be to find files for overwriting (using the > operator) or executing. Another possible use would be to list all *.pwl in the windows directory. http://www.victim.com/cgi-bin/tst.bat|type%20c:\windows\win.ini This URL allows to view the entire contents of the c:\windows\win.ini file. No explanation necessary there. Kerb chosed those 3 CGI's (out of the 15 that came with his install) because they are of different types; an EXE, a PL, and a BAT. Basically the examples he used above are just ideas of what CAN be done. Solution Seems nothing will change.