Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: bt1306.txt

Gast Arbeiter Privilege Escalation CGI:





-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ------------------------------------------------------------
NATOK security labs                            natok at hush.com
October 20st, 2003                          Privilege Escalation
- - - ------------------------------------------------------------

- - - Overview

  Software      : Gast Arbeiter <= 1.3
  Vendor        : Petr Bartels <petr.bartels@gmx.net>
  Vulnerability : Privilege Escalation
  Status        : Author has been notified
  Type          : Remote

- - - Description

   NATOK security labs discovered a security hole in the instant
   messaging tool Gast Arbeiter written by the polnish software
   engineer Petr Bartels.

   By sending a special crafted message we are able to write to
   any file which may lead to privilege escalation.

- - - Probleme Description

   Gast Arbeiter is an instant messaging tool written in Perl
   that allows people from all around the world to chat with
   each other. The project is maintained by Peter Bartels.

   According to the official website the software has been
   downloaded over five thousand times.

   Gast Arbeiter includes a feature to upload individual files
   via a CGI interface. Due to insufficient checkings we are
   able to write to any file.

- - - Technical Description

   The following vulnerability is present in Gastarbeiter < 1.3

   # Fetching Cgi Params
   $exch_file = "$DATA_DIR/incoming/" . $cgi->param('req_file');

   # Writing Data
   open(FH, "> $exch_file") or die("can't write file: $!");
   print FH $cgi->param('body');
   close(FH);

   This vulnerability allows the attacker to write any file on
   the remote host.

- - - Exploit

   No Public Exploit. Please contact me to get your version.

- - - Patch

   Please change the source code:

   $tmp = $cgi->param('req_file');
   $tmp =~ s/\.\.//g;

   $exch_file = "$DATA_DIR/incoming/" . $tmp;

- - - Greets

   ... to the Legion of Dotness - my Family!
   ... to Gadu Gadu - my Religion!
   ... to Poland - my Country!

    ________________________________
   /                                /|
  /--------------------------------/ |
  |  ##  # #### #####  ##  # #     | |
  |  # # # #  #   #   #  # ##      | |
  |  #  ## ####   #   #  # # #     | |
  |  #   # #  #   #    ##  #  #    | |
  |________________________________|/

    contact: r00t@natok.de


-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAj+UXKoACgkQK+B0NVtqTQPnuQCfZk3AH/RqTxtjb78jqUDfZ9DuYHcA
n1mZlv2gYgTAj8qGn+acsyhZDh8m
=xcue
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH