
List:       bugtraq
Subject:    LB5000 Cookie filter vulnerability
From:       Chen Jun <chenjun () netguard ! com ! cn>
Date:       2001-10-30 6:56:55

---------------------------------------------------------------------------
LB5000 Cookie filter vulnerability
---------------------------------------------------------------------------

Release information
------------------

Found   Date: 2001-9-03 
Release Date: 2001-10-30
Author: chenjun@netguard.com.cn
Homepage: http://www.netguard.com.cn


Description
-----------

   LB5000 is a web BBS (bulletin board) program written in Perl and widely used in China. The program contains a vulnerability that a remote attacker can exploit to gain BBS administrator privileges. In some environments the attacker may also obtain a shell as the web server user (e.g. nobody) or gain further privileges on the machine.

Version and Platform
--------------------

Affected  Version: LB5000II v1029 and all older versions
Affected Platform: Windows, Linux, Solaris sparc, Solaris x86, AIX, HP, Digital, IRIX, SCO etc.


Details
-------

File:Search.cgi
---[L.59-60]---
$inmembername     = $query->cookie("amembernamecookie");
$filename = $inmembername;
---
As we can see, $inmembername is taken straight from the cookie 'amembernamecookie'.
---[L.71-]---
$searchfilename = "$lbdir" . "search/$filename";
---
---[L.134-140]---
    open (SEARCH, ">$searchfilename") or die "Cannot save to the search directory; please set this directory to 777!";
    print SEARCH "$CUR_TIME\n";
    print SEARCH "$SEARCH_STRING\n";
    print SEARCH "$TYPE_OF_SEARCH\n";
    print SEARCH "$REFINE_SEARCH\n";
    print SEARCH "$FORUMS_TO_SEARCH\n";
    close (SEARCH);
---
Well, it takes the cookie value as the file name, runs it through the filter and opens the file for writing.
-> $query->cookie("amembernamecookie"), remember?! ;)

Here the variable $filename comes from the cookie amembernamecookie, and ".." is not filtered out, so an attacker can send a forged amembernamecookie cookie and create or overwrite files on the system. Because the variables written into the file are not filtered either, the attacker also controls the file's content, and can use this to gain BBS administrator privileges.

On UNIX-like systems, if PHP is enabled on the web server, the attacker can use this as an upload function: upload a PHP script and use it to run commands.

On Windows systems, because of the weak way Perl scripts are run there, the attacker can use this vulnerability to drop a Perl script and run commands.

Prove-Of-Concept exploit
------------------------

Wait for the vendor to fix it first ;)

Workaround
----------

1. About the cookie
In file Search.cgi, before line 60 ($filename = $inmembername;), add the following:
$inmembername =~ s/\///g;
$inmembername =~ s/\.\.//g;

2. Filter all variables that are written to files

Note that item 1 only stops directory traversal: the attacker still chooses the file name (including its extension) inside the search directory, and the search values written into that file are still unfiltered, which is what item 2 addresses.
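The vulnerable construction, the two workaround substitutions and a stricter alternative side by side, as an added example that is not LB5000's code nor the advisory author's. It replays the Search.cgi file-name construction with forged amembernamecookie values and checks where the resulting path ends up; the $lbdir value, the cookie values and all sub names (vulnerable_path, workaround_filter, whitelist_membername, normalize, escapes_dir) are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added example for this advisory; it is not code from LB5000 or from the
# advisory author. It replays the Search.cgi construction
# ($lbdir . "search/" . cookie value) with forged amembernamecookie values,
# applies the advisory's two workaround substitutions, and contrasts them
# with a whitelist check that rejects bad values instead of cleaning them.
# The $lbdir value, the cookie values and all sub names are assumptions.
use strict;
use warnings;

my $lbdir = '/home/lb5000/';    # assumed stand-in for LB5000's $lbdir

# Search.cgi, lines 59-71, reduced to its essence: the cookie value becomes
# the file name with no check at all.
sub vulnerable_path {
    my ($cookie_value) = @_;
    my $filename = $cookie_value;
    return "$lbdir" . "search/$filename";
}

# The two substitutions the advisory proposes adding before line 60.
sub workaround_filter {
    my ($inmembername) = @_;
    $inmembername =~ s/\///g;
    $inmembername =~ s/\.\.//g;
    return $inmembername;
}

# Stricter alternative: accept only a plain member-name token (no dots, no
# separators) and return undef for anything else, so the caller can refuse
# to open a file rather than open a "cleaned" one.
sub whitelist_membername {
    my ($inmembername) = @_;
    return unless defined $inmembername
        && $inmembername =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    return $inmembername;
}

# Logical normalisation of a path: drops ".", resolves ".." and treats "/"
# and "\" alike, so the check below works for either separator style.
sub normalize {
    my ($path) = @_;
    my @parts;
    for my $part (split m{[/\\]+}, $path) {
        next if $part eq '' || $part eq '.';
        if ($part eq '..') { pop @parts; next; }
        push @parts, $part;
    }
    return '/' . join('/', @parts);
}

# True when $path, after normalisation, lies outside directory $dir.
sub escapes_dir {
    my ($dir, $path) = @_;
    my $base = normalize($dir);
    my $norm = normalize($path);
    return index($norm, "$base/") != 0;
}

my $search_dir = "${lbdir}search";

# Constructed cookie values: a traversal into an assumed web root, a plain
# attacker-chosen script name, and a legitimate member name.
for my $cookie ('../../../var/www/html/cmd.php', 'cmd.php', 'chenjun') {
    my $raw   = vulnerable_path($cookie);
    my $fixed = vulnerable_path(workaround_filter($cookie));
    my $white = whitelist_membername($cookie);

    print "cookie '$cookie'\n";
    printf "  unfiltered : %-45s escapes search/: %s\n", $raw,
        escapes_dir($search_dir, $raw) ? 'yes' : 'no';
    printf "  workaround : %-45s escapes search/: %s\n", $fixed,
        escapes_dir($search_dir, $fixed) ? 'yes' : 'no';
    printf "  whitelist  : %s\n",
        defined $white ? "accepted, file search/$white" : 'rejected, nothing opened';
}
```

Run it with perl. The traversal value escapes the search directory unfiltered and is kept inside it after the workaround, but the workaround leaves a file name that still ends in .php (varwwwhtmlcmd.php), and a cookie of plain cmd.php passes the workaround untouched; only the whitelist rejects both, because it refuses anything that is not a simple member-name token instead of trying to strip the dangerous parts.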

Vendor information
------------------

Vendor was informed on 2001-10-29
Vendor Homepage: http://www.leoboard.com


About Netguard
--------------

China Net Security Technology Corporation (CNTC) is a leading provider of computer network and information security services in China.

Copyright 2001 http://www.netguard.com.cn, All rights reserved.


