More Alibaba Web Server problems...
Kerb (kerb FNUSA.COM)
Wed, 3 Nov 1999 17:19:22 -0600
Hello BugTraq'ers. I've yet to get around to writing the exploit for
Alibaba that was previously described, but I have found new
bugs. Using specially formed URLs, I was able to list,
view, create, delete, and/or execute any file I wanted.
Here are a few examples:
http://www.victim.com/cgi-bin/get32.exe|echo%20>c:\command.com
allowed me to overwrite the command.com file. No explanation
necessary there. Also, I was able to echo machine code bytes into
a file, so the possibility of a trojan enters the picture. If they had FTP
running, I guess it wouldn't be much more than a trivial task to write
a URL that copies the trojan binary into the CGI directory and point
your browser at the trojan to execute it. Or even easier, just create
a URL that will write the binary data of the trojan into an EXE right
in the CGI directory.
http://www.victim.com/cgi-bin/alibaba.pl|dir
allowed me to have a directory listing of all files in CWD, which happens to be
the CGI directory. This could be useful for a couple things. One, finding out the
full path to the CGI directory, for using exploits such as the one listed before
this one. Another would be to find files for overwriting (using the > operator)
or executing. Another possible use would be to list all *.pwl in the windows
directory.
http://www.victim.com/cgi-bin/tst.bat|type%20c:\windows\win.ini
This URL allowed me to view the entire contents of the c:\windows\win.ini file.
No explanation necessary there.
I chose those 3 CGIs (out of the 15 that came with my install) because they
are of different types; an EXE, a PL, and a BAT. Basically the examples I
used above are just ideas of what CAN be done.
BTW, I didn't bother to notify Alibaba, as this "is freeware"
so they "don't offer any support" as I believe it was worded.
-Kerb-
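
A detection sketch for the request pattern in the post above, added here as an example and not part of the original message: it scans access-log lines for CGI paths that carry a pipe or redirection character, including percent-encoded and double-encoded forms. The Common Log Format layout, the `/cgi-bin/` prefix, the function names and the sample lines (including `search.pl`) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.*) (?P<proto>HTTP/\d\.\d)"')
SHELL_META = set("|<>&")   # command chaining / redirection characters
CGI_PREFIX = "/cgi-bin/"   # assumption: CGI programs are served from this prefix

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %7C and %257C both surface as '|'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_cgi_request(log_line):
    """Return (script, metachars) when a CGI path carries shell metacharacters."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    # Narrow check: the post's URLs put the pipe in the path, so the query
    # string is dropped before decoding to avoid flagging ordinary parameters.
    path = fully_decode(match.group("target").split("?", 1)[0])
    if not path.lower().startswith(CGI_PREFIX):
        return None
    found = sorted(SHELL_META.intersection(path))
    if not found:
        return None
    script = re.split(r"[|<>&]", path[len(CGI_PREFIX):], maxsplit=1)[0]
    return script, found

def scan(lines):
    """Return (line_number, script, metachars) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        result = suspicious_cgi_request(line)
        if result:
            hits.append((number, result[0], result[1]))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    r'192.0.2.10 - - [03/Nov/1999:17:01:02 -0600] "GET /cgi-bin/alibaba.pl|dir HTTP/1.0" 200 812',
    r'192.0.2.10 - - [03/Nov/1999:17:01:09 -0600] "GET /cgi-bin/tst.bat%7Ctype%20c:\windows\win.ini HTTP/1.0" 200 4096',
    r'192.0.2.10 - - [03/Nov/1999:17:01:15 -0600] "GET /cgi-bin/get32.exe%257Cdir HTTP/1.0" 200 0',
    r'198.51.100.7 - - [03/Nov/1999:17:02:00 -0600] "GET /cgi-bin/search.pl?q=a%7Cb HTTP/1.0" 200 230',
    r'198.51.100.7 - - [03/Nov/1999:17:02:05 -0600] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```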
This archive was generated by hypermail 2.0b3 on Thu Nov 04 1999 - 12:01:54 CST