Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

LB5000 Cookie filter vulnerability

From: Chen Jun <chenjun () netguard com cn>
Date: Tue, 30 Oct 2001 14:56:55 +0800
---------------------------------------------------------------------------
LB5000 Cookie filter vulnerability
---------------------------------------------------------------------------

Release infomation
------------------

Found   Date: 2001-9-03 
Release Date: 2001-10-30
Author: chenjun () netguard com cn
Homepage: http://www.netguard.com.cn


Description
-----------

   LB5000 is a web bbs program written by perl, It's widely use in Chinese. The program contained a vulnerability, 
Remote attacker can exploit it and get a bbs administrator's privilege. In some environment, attacker may gain a nobody 
shell or gain the machine's privilege. 
   

Version and Platform
--------------------

Affected  Version: LB5000II v1029 and all older version
Affected Platform: Windows,Linux, Solaris sparc, Solaris x86, AIX, HP, Digital, IRIX, SCO etc.


Details
-------

File:Search.cgi
---[L.59-60]---
$inmembername     = $query->cookie("amembernamecookie");
$filename = $inmembername;
---
As we can see, $inmembername is the get for cookie 'amembernamecookie'
---[L.71-]---
$searchfilename = "$lbdir" . "search/$filename";
---
---[L.134-140]---
    open (SEARCH, ">$searchfilename") or die "不能够保存到 search 目录,请设置此目录为 777 !";
    print SEARCH "$CUR_TIME\n";
    print SEARCH "$SEARCH_STRING\n";
    print SEARCH "$TYPE_OF_SEARCH\n";
    print SEARCH "$REFINE_SEARCH\n";
    print SEARCH "$FORUMS_TO_SEARCH\n";
    close (SEARCH);
---
---
Well, it sets the file, runs it through the filter and opens it.
-> $cookie("amembernamecookie");, remember?! ;)

Here the variable $filename come from Cookie amembernamecookie not filter "..", attacker can sent a fake 
cookie("amembernamecookie"), set up or edit the file on the system, because the write file variable not filter, so the 
attacker can write any content to the file, and gain the bbs administrator's privilege.

On UNIX like system, if you system is php enable, you can use the upload function, upload a php script to run command.

On Windows system, because it's weakness of runing perl script, attacker can use this vulnerability set up a perl 
script to run command.

Prove-Of-Concept exploit
------------------------

wait for vendor fix it first ;)

Workaround
----------

1.about the Cookie
at file Search.cgi before line 60 $filename = $inmembername;
add below:
$inmembername =~ s/\///g;
$inmembername =~ s/\.\.//g;

2.filter all write file variable 

Vendor information
------------------

Vendor was informed at 2001-10-29
Vendor Homepage: http://www.leoboard.com


About Netguard
--------------

China Net Security Technology Corporation (CNTC) is a leading provider of computer network and information security 
services in China.

Copyright 2001 http://www.netguard.com.cn, All rights reserved.
Previous By Date Next
Previous By Thread Next

Current thread: