Penguin Traceroute remote command execution
18th Jun 2002 [SBWID-5461]

	Marco van Berkum [] posted the following regarding Penguin Traceroute,
	a web interface for traceroute:

	As I was surfing through some older Securityfocus  archives  I  stumbled
	across the article about Penguin traceroute v1.0.

	This article described some metacharacter bugs in this CGI  script;  it
	also included a suggested fix.





	   Open up the perl script in your favorite text editor, find a line that has
	   "$host = $q->param('host');" It's usually the 13th line down then just add
	   this line "$host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;" under it and
	   that should parse out any unwanted characters.




	Well, yes, it does parse out some metacharacters, but the "`" (backtick)
	is not filtered out in any way (probably one of the two quotes  "'"  in
	the class should be a backtick). Also the slash and the hyphen  are  not
	filtered.




	Entering `cat /etc/passwd` gives us:

	Taceroute to `cat /etc/passwd`
	traceroute: unknown host root:*:0:0:Charlie



	This is only the first line because only that one  gets  interpreted  by
	traceroute. But there are ways around this to  retrieve  the  full  file
	with some patience:


	Taceroute to `wc -l /etc/passwd`
	traceroute to 18 (, 64 hops max, 40 byte packets



	So we see that in this case the passwd file is 18 lines  big.  We  could
	retrieve the rest by doing tail -n 18 /etc/passwd, tail -n 17, etc.


	replace the second quote by a backtick and add slash and hyphen  to  the
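	As an added example, not code from the Penguin Traceroute script or from
	the advisory, the quoted blacklist is placed beside an allowlist check and
	a list-form system() call that never hands $host to a shell; the
	traceroute path and the sample inputs are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not the Penguin Traceroute script. The traceroute
# path and the constructed inputs below are assumptions.
use strict;
use warnings;

# The suggested fix, verbatim. Both quotes in the class are ' and ", there
# is no backtick, and / and - are absent too, so `...` command substitution
# survives once $host is interpolated into a shell command.
sub blacklist_filter {
    my ($host) = @_;
    $host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;
    return $host;
}

# Allowlist instead: accept only DNS labels (letters, digits, inner hyphens,
# dots), which also covers dotted-quad IPv4. Returns the host or undef.
# Taking the value from a capture also untaints it under perl -T.
sub allowlist_host {
    my ($host) = @_;
    return undef unless defined $host && length($host) <= 253;
    return $host =~ /\A((?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.?)+)\z/
        ? $1 : undef;
}

# List-form system() passes argv straight to execve, so no shell ever sees
# $host. The leading-alphanumeric rule above also keeps a value starting
# with "-" from being parsed by traceroute as an option.
sub run_traceroute {
    my ($host) = @_;
    my $safe = allowlist_host($host);
    die "invalid host\n" unless defined $safe;
    my $traceroute = '/usr/sbin/traceroute';    # assumed path
    return system($traceroute, $safe) == 0;
}

# Constructed inputs: the advisory's probe, a normal host, a leading hyphen.
for my $input ('`cat /etc/passwd`', 'www.example.com', '-leading-hyphen') {
    my $kept = allowlist_host($input);
    printf "%-20s blacklist -> %-20s allowlist -> %s\n",
        $input, blacklist_filter($input), defined $kept ? 'accepted' : 'rejected';
}
```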


