Subject: "The Finger Server"
From: Iain Wade (iwade@OPTUSNET.COM.AU)
Date: Fri Feb 04 2000 - 05:36:55 CST
- Next message: Ussr Labs: "Windows Api SHGetPathFromIDList Buffer Overflow"
- Previous message: Cassius: "Re: Fwd: CERT Advisory CA-2000-02"
- Next in thread: Iain Wade: "Re: "The Finger Server""
Hello,
Late last year I was tinkering w/ The Finger Server v0.82 and came
across some bugs which let you execute shell commands under the
privileges of the web server.
It's available at http://www.glazed.org/finger/
I sent a number of messages to the Author but never received a reply ..
I just remembered about it and checked it was still vulnerable and still
being used around the net. It is.
It's just another case of perl doing its magic on an open() call.
I haven't by any means audited the code, so there are undoubtedly other
problems, but here's the offending code I exploited:
    # two-argument open(): the mode is parsed out of the string itself,
    # so a $filename that ends in '|' is run as a command instead of read
    open (PLANS, "$plan_path$filename") ||
        do { print "Can't open $plan_path$filename: $!";
             return;
        };
It is called with the following arguments:
finger.cgi?action=archives&cmd=specific&filename=99.10.28.15.23.username.plan
It does minimal checking before there, really only making sure the
username is valid, but for example by using:
finger.cgi?action=archives&cmd=specific&filename=99.10.28.15.23.username.|<shell code>|
you can execute whatever ..
The server I was testing it on was running UBB, and I was easily able to
use this to grab a couple of thousand accounts since it stores them in
cleartext. (I promptly forgot those passwords .. it wouldn't be nice to
do otherwise right? :)
Regards,
-- Iain Wade iwade@optusnet.com.au
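The two-argument open() quoted in the report, placed beside a hardened replacement, as an added example that is not code from the original post or from The Finger Server itself; the archive directory, the exact filename pattern and the sample names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not part of the original report or of The Finger Server.
use strict;
use warnings;
use File::Spec;

my $plan_path = "/var/finger/plans/";   # assumed archive directory

# Vulnerable form as reported: two-argument open() scans the string for
# mode characters, so a trailing '|' makes Perl run the rest as a command
# instead of opening a file. Never called in this demo.
sub open_plan_unsafe {
    my ($filename) = @_;
    open(PLANS, "$plan_path$filename") || return undef;
    my @lines = <PLANS>;
    close(PLANS);
    return \@lines;
}

# Hardened form: whitelist the archive naming scheme (YY.MM.DD.HH.MM.user.plan),
# which also rules out '/', '..', '|' and '>' characters, then use the
# three-argument open() so the name can never be read as a mode or a pipe.
sub open_plan_safe {
    my ($filename) = @_;
    return (undef, "bad filename")
        unless $filename =~ /\A\d{2}(?:\.\d{2}){4}\.[A-Za-z0-9_-]{1,32}\.plan\z/;
    my $full = File::Spec->catfile($plan_path, $filename);
    open(my $fh, '<', $full) or return (undef, "Can't open $full: $!");
    my @lines = <$fh>;
    close($fh);
    return (\@lines, undef);
}

# Constructed inputs: a legitimate archive name and one with the reported
# pipe suffix. The second is rejected by the whitelist before open() runs.
for my $name ('99.10.28.15.23.username.plan', '99.10.28.15.23.username.|cmd|') {
    my ($lines, $err) = open_plan_safe($name);
    printf "%-32s -> %s\n", $name, defined $lines ? "opened" : "rejected: $err";
}
```

Even if the whitelist were dropped, the three-argument open() with an explicit '<' mode would treat the pipe-terminated string as a literal (non-existent) filename rather than a command.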