Full Disclosure mailing list archives
Command Injection Vulnerability in stat.qwest.net
From: Dan Daggett <csiwebmaster () csi edu>
Date: Thu, 21 Aug 2003 17:09:29 -0600
[Vulnerable Site]
http://stat.qwest.net

[Site Purpose]
Site can be used by network administrators and engineers to test network connectivity, view Qwest's backbones, and test latency across Qwest's network.

[Vulnerable Page]
http://stat.qwest.net/cgi-bin/jlg-new.pl
This page can be accessed through http://stat.qwest.net/looking_glass.html

[Page Purpose]
Run ping and traceroute from various routers/computers in many locations across Qwest's network, including North America and Asia.

[Command Injection]
While running a ping on a site that wasn't up, the error message made me realize that the Perl script was shelling out a command to a remote system and tacking my input onto it. For example, in the dropdown box pick any router and select ping or traceroute. In this case I selected ping. Type in a nonexistent site such as nositehere.nope. Here is what was returned in the page:

    /usr/sbin/ping: unknown host nositehere.nope

My next thought was whether or not proper checking had been done to avoid escaping the command and running my own code. This time I used a semicolon to add my own commands onto the end:

    nositehere.nope;id;uname -a;

I put the ending semicolon on in case there were additional parameters added to the ping command. Here is the result:

    Pinging nositehere.nope;id; from atl-engr-01.inet.qwest.net
    uid=60001(nobody) gid=60001(nobody)

[Problem Fix]
The vulnerability here lies in the fact that unfiltered user input is passed by the Perl script directly to the command line. Something as simple as verifying that only certain characters will be passed to the command prompt would prevent this. For example, this would drop any characters that were not alphanumeric, dash, underscore, or a period:

    $user_input =~ s/[^A-Za-z0-9_.-]//g;   # hyphen placed last so it is a literal, not a range

[Vendor Contact]
Sent email to security () qwest net on August 19th.
Problem fixed August 21, 2003

[Contact Info]
Report can be viewed online: http://www.socialgeeks.com/advisories/qwest_aug_21_2003.php
Submitted to list on August 21, 2003 by Dan Daggett

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
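The shell-out pattern the advisory describes, and the fix, written out as an added example. This is not code from jlg-new.pl (which was never published) or from Qwest; the ping path, the "-c 3" packet count and the sample inputs are assumptions chosen for illustration. It goes one step further than the advisory's character-stripping fix: it rejects bad input instead of silently mangling it, and it keeps even validated input away from a shell entirely.

```perl
#!/usr/bin/perl
# Added example, not code from jlg-new.pl (which was never published).
# A minimal looking-glass "ping" handler written the vulnerable way and the
# hardened way. The ping path and the "-c 3" packet count are assumptions.
use strict;
use warnings;

# VULNERABLE: the caller's host string is interpolated into a command that
# backticks hand to /bin/sh -c, so "nositehere.nope;id;uname -a;" runs id
# and uname on the router host with the web server's privileges.
sub ping_vulnerable {
    my ($host) = @_;
    my $cmd = "/usr/sbin/ping -c 3 $host 2>&1";
    return `$cmd`;
}

# Step 1: allowlist the hostname and REJECT anything else. Silently
# stripping characters (s/[^A-Za-z0-9_.-]//g) turns the payload above into
# "nositehere.nopeiduname-a" and pings that instead; refusing the request is
# clearer for the user and leaves a log entry worth reading.
sub valid_host {
    my ($host) = @_;
    return 0 unless defined $host && length $host;
    return 0 if length($host) > 253;           # longest legal DNS name
    return 0 if $host =~ /\A-/;                # "-f" would become a ping option
    return $host =~ /\A[A-Za-z0-9_.-]+\z/ ? 1 : 0;
}

# Step 2: never involve a shell at all. The list form of open/system/exec
# passes argv straight to execve(2), so ';', '|', '$(...)' and friends are
# just bytes inside one argument. "--" ends option parsing for getopt-based
# ping implementations (belt and braces with the leading-dash check above).
sub ping_hardened {
    my ($host) = @_;
    die "invalid host\n" unless valid_host($host);
    my @argv = ('/usr/sbin/ping', '-c', '3', '--', $host);
    open(my $fh, '-|', @argv) or die "cannot run ping: $!\n";
    local $/;                                  # slurp all of ping's stdout
    my $out = <$fh>;
    close $fh;
    return defined $out ? $out : '';
}

# Exercise only the validator so this runs offline (constructed inputs):
for my $h ('www.example.com', 'nositehere.nope;id;uname -a;', '-f', 'a.b$(id)') {
    printf "%-32s %s\n", $h, valid_host($h) ? 'accepted' : 'rejected';
}
```

Two practical notes. First, the hardened version does not capture ping's stderr, so "unknown host" goes to the server's error log rather than the page; that is the right place for it, since the echoed error text is exactly what tipped the reporter off here. Second, Perl's taint mode (running the CGI with `perl -T`) would have caught the original bug outright: data read from a request is tainted, and using it in backticks, system() or exec() aborts with an "Insecure dependency" error until it has been untainted through a regex capture such as the allowlist above.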
Current thread:
- Command Injection Vulnerability in stat.qwest.net Dan Daggett (Aug 21)
- Re: Command Injection Vulnerability in stat.qwest.net - OFFTOPIC Kurt Seifried (Aug 22)
- Re: Command Injection Vulnerability in stat.qwest.net - OFFTOPIC Blue Boar (Aug 22)
- Re: Command Injection Vulnerability in stat.qwest.net - OFFTOPIC Kurt Seifried (Aug 22)