SecurityTracker.com
Category:   Application (Generic)  >   BannerWheel
Vendors:   Command-O Software
BannerWheel CGI-based Banner Display Management Software Buffer Overflows May Let Remote Users Execute Arbitrary Code Via the Management Interface
SecurityTracker Alert ID:  1004334
SecurityTracker URL:  http://securitytracker.com/id/1004334
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 21 2002
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.0
Description:   A buffer overflow vulnerability was reported in the BannerWheel banner display management software. It may be possible to execute arbitrary code, but that has not been confirmed.

It is reported that some of the C source code modules for the BannerWheel CGI product contain buffer overflows. In particular, the banner administration module ('badmin.c' file) contains some of these flaws.

A demonstration exploit transcript is provided:

[capzlock@signal-11 ~/hack/the/planet]$ ./badmin
bwe(input): "command" ? kill.the.turkey
bwe(input): "rcmd" ? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
bwe(input): "flag" ? kill.the.turkey
Segmentation fault

Impact:   It may be possible for a remote user to execute arbitrary code on the system with the privileges of the web server; however, the report does not specifically confirm this.
Solution:   No solution was available at the time of this entry.

[Editor's note: It is not clear if the more recent version v2.02 contains these flaws or not.]

Vendor URL:  www.command-o.com/products/bannerwheel/features.html
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.
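
The entry attributes the crash to a boundary error in how the administration CGI handles form input, and no fix was available. As an added illustration (not BannerWheel's code and not from the advisory's author), the C function below extracts a URL-encoded form field into a fixed-size buffer and rejects an over-long value instead of writing past the buffer. The names get_field and FIELD_MAX and the 64-byte size are assumptions; only the field names "command", "rcmd" and "flag" come from the transcript.

```c
/* Added example, not BannerWheel's code: bounds-checked CGI field parsing.
 * FIELD_MAX and get_field() are hypothetical names chosen for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define FIELD_MAX 64 /* assumed destination buffer size */

static int hexval(int c) {
    c = tolower(c);
    return isdigit(c) ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* URL-decode field `name` from `query` into dst[dstsize]. Returns the length,
 * -1 if absent or malformed, -2 if too long (rejected whole, not truncated). */
int get_field(const char *query, const char *name, char *dst, size_t dstsize) {
    size_t nlen = strlen(name), out = 0;
    const char *p = query;
    if (dstsize == 0) return -2;
    dst[0] = '\0';
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            for (p += nlen + 1; *p && *p != '&'; p++) {
                int ch = (unsigned char)*p;
                if (ch == '+') ch = ' ';
                else if (ch == '%') { /* both hex digits must be present */
                    int hi = hexval((unsigned char)p[1]);
                    int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
                    if (lo < 0) { dst[0] = '\0'; return -1; }
                    ch = hi * 16 + lo; p += 2;
                }
                if (ch == 0) { dst[0] = '\0'; return -1; } /* no embedded NUL */
                if (out + 1 >= dstsize) { dst[0] = '\0'; return -2; }
                dst[out++] = (char)ch;
            }
            dst[out] = '\0';
            return (int)out;
        }
        p = strchr(p, '&'); /* advance to the next name=value pair */
        if (p) p++;
    }
    return -1;
}

int main(void) { /* constructed input: a 300-byte "rcmd" like the transcript's */
    char q[400] = "command=x&rcmd=", buf[FIELD_MAX];
    memset(q + 15, 'A', 300); /* the rest of q is already zero-filled */
    printf("rcmd -> %d\n", get_field(q, "rcmd", buf, sizeof buf));
    return 0;
}
```

Rejecting the whole request on -2, rather than truncating, keeps a partially copied value from being acted on by the administration logic.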


 Source Message Contents

Subject:  CAPZLOCK SECURITY ADVISORY NO. 1



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- ------------------------------------------------------------| capzlock |
- ---------------------------------------------| security advisory no. 1 |

- -----------------------------------------------------------------------
CONFIDENTIAL INFORMATION - PLEASE DISTRIBUTE - CONFIDENTIAL INFORMATION
- -----------------------------------------------------------------------

|---------------------------------------------------------------------|
|            "I am become Death, the destroyer of worlds."            |
|                                             - J. Robert Oppenheimer |
|---------------------------------------------------------------------|


#ifdef __ELITE_HACKER

[antiNSA@anti.security.is ~/.private]# ls -al

- -rw-r-----    1 antiNSA    0day    21023911 May  9 01:22 why_capzlock_ownz_me.txt
- -rw-r-----    1 antiNSA    0day      119511 May  2 22:09 12yroldboy.jpg
- -rw-r-----    1 antiNSA    0day       16506 Apr  1 22:04 fatherandson.jpg
- -rw-r-----    1 antiNSA    0day        4399 May  7 22:04 backdoor.com.passwordz.txt
- -rw-r-----    1 antiNSA    0day        5619 Jan  4 22:09 codered.c

#endif /* __ELITE_HACKER */


This advisory is dedicated to the many hard-working penetrators
in the security industry. And, to the underground hackers that seek
fame and profit, their undying thirst for knowledge is a true
inspiration to us all.

This advisory is being leaked to the security mailing lists in
TESO fashion. Hi security friends!

- -----------------------------------------------------------------------

[PRODUCT]: BannerWheel v1.0

BannerWheel is a free script for displaying banner ads in a random
fashion. Users can set the probability of displaying each banner. This
script also keeps track of the number of times each banner is
displayed.

The script is intended for UNIX-based systems.

- -----------------------------------------------------------------------

[PROBLEM]:

There are buffer overflow vulnerabilities in the C source code of the
CGI package. Particularly, in the badmin.c portion.

[snip]-----------------------------------------------------------------

[capzlock@signal-11 ~/hack/the/planet]$ gcc badmin.c -o badmin.cgi -lcrypt
[capzlock@signal-11 ~/hack/the/planet]$ ./badmin
bwe(input): "command" ? kill.the.turkey
bwe(input): "rcmd" ? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
bwe(input): "flag" ? kill.the.turkey
Segmentation fault
[capzlock@signal-11 ~/hack/the/planet]$

[snap]-----------------------------------------------------------------

This is a very serious hole that could jeopardize the security of a
digital computer system.

- -----------------------------------------------------------------------

TOODLES!@#$%!

capzlock
- -------------------------
http://www.signal-11.com
capzlock@hushmail.com



-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wl0EARECAB0FAjzpCFEWHGNhcHpsb2NrQGh1c2htYWlsLmNvbQAKCRBePYmP9gNNOGSq
AKCc+mxqQUvSAJdBzletqsh6bPLBWgCgg16ans4tht9mw+u2jChcjjktjQY=
=q4Fz
-----END PGP SIGNATURE-----


 
 



Copyright 2019, SecurityGlobal.net LLC