Full Disclosure mailing list archives
Re: [0day] ExploitLabs.com CGI Script Irony (was: Vote Today)
From: "morning_wood" <se_cur_ity () hotmail com>
Date: Thu, 12 Jun 2003 17:51:17 -0700
If I go to the mailbox and get my private letter from you and I open it and read it, drop it on the ground and walk away, that is not against the law. Furthermore you copied and sent it to someone else, not privileged information. This is all bull. I'm tired of defending my actions, only to have others defend me and now I am the issue. I have only defended myself in an open hostile market through no ill intent on my behalf. I have never sent threatening mail to anyone, I did not accuse you. I believe you sent 2 emails Matt, one solely addressed to, and the other cc'ed. Yours to me remains in confidence. Do not fall into the group as I have. I am, and have only defended fallacies of me or my work.

wood

----- Original Message -----
From: <mattmurphy () kc rr com>
To: <full-disclosure () lists netsys com>
Cc: <0day () nothackers org>
Sent: Thursday, June 12, 2003 5:42 PM
Subject: [0day] ExploitLabs.com CGI Script Irony (was: Vote Today)

-=day - Freedom of Voice - Freedom of Choice =

morning wood <se_cur_ity () hotmail com> wrote:
> some famous white hat's letter to Full Disclosure..
> -------------------- snippy -------------------------------------
> Len:
>
> It is my belief that list members who repeatedly post ridicule that could not possibly be of any use for on-topic readers -- particularly those who post such things without any other contributions -- should at least have their right to post permanently stripped, if they are allowed to remain subscribers at all. It is also my belief that Donnie Werner's recent posts fit squarely into this category. Not only has Donnie Werner continued to waste the effort of list maintainers and subscribers with non-contributory e-mail, but he has also been extremely unprofessional in the few cases where he has provided anything worth anyone's time. For this reason, sorting through Donnie Werner's junk mail is not worth my time, or the time wasted of anyone else on this list. It is with the highest regard for Full-Disclosure as a place of promise in the continuing evolution of information security, that I must urge the removal of Donnie Werner, as it is in the best interest of all on the list, and the future of the list itself.
> ---------------- end snippy ---------------------------------------
>
> Ladies and Gentlemen... I am being systematically blackballed. If I comment on one white hat, I get threats from two more..
My question is this: how does my letter to Len (which I also CC'ed to Donnie) constitute blackmail/threats? By CC'ing Donnie, I specifically gave him an opportunity to respond, and specifically attempted to be professional about this by responding off-list to his posts. Not only did he not respect that, he re-posted my private e-mail to you without my permission. Donnie has not only broken ethical standards here, you have broken laws. I did not write that message (or the portion of the message which you have displayed) to the list, only to Len Rose and Donnie's private account. Since he did not have the professionalism or maturity to contact me off-list with these issues, and then violated moral, ethical and legal standards by copying my attempts to the list, Donnie has crossed a line that should not be crossed. Not only was my message private, it also makes no attempt to blackmail Donnie as he so irresponsibly claims.

For the benefit of the lists, my message to Donnie is attached as "msg-001.txt". I had contemplated releasing the messages Donnie wrote in response to the list, but have decided not to do so, so that I do not become a repeat of the very issue my complaint is about. If Donnie would choose to provide it (or allow me to do so), his responses to me off-list indicate a tone that is very contradictory to what he posts here.

I made no threats against Donnie or the list, and I made what I considered my best assessment of the situation -- that the incredibly high level of noise on the otherwise unmoderated list, combined with lax administration would eventually cause the list to collapse. I made no threat to withhold information, or of my own plans to leave (I currently have none), so how could this possibly be considered a threat/blackmail attempt?

P.S. - This message CC'ed to 0day () nothackers org -- Donnie Werner's "list of 0day's", which has also received an unauthorized copy of my e-mail.
Worse, Donnie is a classic example of the flaws he claims to prevent. See the advisory below:

-----
Filtering Flaws in ExploitLabs.com CGI Script

Risk: High
Impact: Critical: Execute commands of attacker's choice
Exploit Difficulty: Minimal
Systems Affected: ExploitLabs.Com Infinity Project (all versions)

A security vulnerability has been identified in the "nph-exploitscanget.cgi" frontend of Donnie Werner's Infinity Scripts. By using a specially malformed URL query, it is possible to execute arbitrary commands as the user running the script. Solutions like suexec, file system limitation, and chroot may prevent successful compromise, but this vulnerability is severe in most instances.

Donnie's script insecurely sanitizes the "host" URI parameter. Specifically, the script fails to block the UNIX backtick character:

http://somesite.com/cgi-bin/nph-exploitscanget.cgi?host=`cat%20/etc/passwd``cat%20/etc/shadow`&port=80&errchk=0&idsbypass=0

will reveal the username/password data dumped in an error message indicating a failed host ping. This requires httpd to be running as root, a dangerous practice. However, the ability to execute arbitrary commands allows for severe compromise in other areas.

Also, the script does URL decoding after the command filter, apparently:

    $host =~ tr/+/ /;
    $host =~ tr/\%/a/;
    $host =~ tr/\;/b/;
    $host =~ tr/</c/;
    $host =~ tr/>/d/;
    $host =~ tr/\|/e/;
    $host =~ tr/\&/f/;
    $host =~ tr/\^/g/;
    $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

So simple constructs such as:

http://localhost/cgi-bin/nph-exploitscanget.cgi?host=127.0.0.1%20%7ccat%20/etc/passwd%3b

may also work. Note that "%7C" is a URL-encoded pipe character ("|").
Solution:

Replace the previous script:

    $host =~ tr/+/ /;
    $host =~ tr/\%/a/;
    $host =~ tr/\;/b/;
    $host =~ tr/</c/;
    $host =~ tr/>/d/;
    $host =~ tr/\|/e/;
    $host =~ tr/\&/f/;
    $host =~ tr/\^/g/;
    $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

with:

    $host =~ tr/+/ /;
  + $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
  + $host =~ tr/\`/h/;
    $host =~ tr/\%/a/;
    $host =~ tr/\;/b/;
    $host =~ tr/</c/;
    $host =~ tr/>/d/;
    $host =~ tr/\|/e/;
    $host =~ tr/\&/f/;
    $host =~ tr/\^/g/;
  - $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

Donnie Werner, you are a fraud -- you cannot even secure a basic Perl script. You don't use 'nslookup' to lookup a hostname, you use the simple function call known as gethostbyname() that is part of the Perl core.
-----

--------------------------------------------------------------------
mail2web - Check your email from the web at http://mail2web.com/ .

_______________________________________________
0day mailing list
0day () nothackers org
http://nothackers.org/mailman/listinfo/0day

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
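The advisory in the message above makes two points a defender should take away: a denylist that translates metacharacters before percent-decoding is checked against the wrong representation of the input, and a denylist is only as good as its enumeration (the shipped list omits the backtick entirely). The harness below is an added example, not code from the Infinity Scripts or from the advisory's author. It wraps the two filter orderings quoted in the advisory in functions named filter_as_shipped and filter_patched (names chosen here), runs constructed inputs through both, and adds what the page's patch does not contain: an allowlist validator (validate_host) that accepts only hostname or dotted-quad characters, and a resolve_host that uses the core gethostbyname() the advisory recommends instead of spawning nslookup. The sample values and the placeholder command words are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example: a harness around the two filter orderings quoted in the
# advisory plus an allowlist alternative. Not the Infinity Scripts code.
use strict;
use warnings;
use Socket qw(inet_ntoa);

# Filter as quoted from the shipped script: metacharacters are translated
# first, percent-decoding last. Because '%' has already been turned into
# 'a', the decode line never finds anything to decode in this ordering.
# The backtick is not in the list at all.
sub filter_as_shipped {
    my ($host) = @_;
    $host =~ tr/+/ /;
    $host =~ tr/\%/a/;
    $host =~ tr/\;/b/;
    $host =~ tr/</c/;
    $host =~ tr/>/d/;
    $host =~ tr/\|/e/;
    $host =~ tr/\&/f/;
    $host =~ tr/\^/g/;
    $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    return $host;
}

# Filter with the advisory's patch applied: decode first, then translate,
# with the backtick added to the denylist.
sub filter_patched {
    my ($host) = @_;
    $host =~ tr/+/ /;
    $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    $host =~ tr/\`/h/;
    $host =~ tr/\%/a/;
    $host =~ tr/\;/b/;
    $host =~ tr/</c/;
    $host =~ tr/>/d/;
    $host =~ tr/\|/e/;
    $host =~ tr/\&/f/;
    $host =~ tr/\^/g/;
    return $host;
}

# A few of the characters a shell treats specially. A denylist has to
# enumerate every one of them correctly; an allowlist does not.
my $SHELL_META = qr/[`\$;|&<>^\n]/;

# Allowlist validator (added here, not part of the page's patch): accept only
# what a hostname or dotted quad can contain. Returns undef for anything else,
# so there is no ordering to get wrong and nothing to "neutralize".
sub validate_host {
    my ($host) = @_;
    return undef unless defined $host;
    return undef if length($host) > 253;
    return undef unless $host =~ /\A[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/;
    return $host;
}

# Resolve without a shell: gethostbyname() is the core call the advisory
# recommends in place of running nslookup on user-controlled input.
sub resolve_host {
    my $host = validate_host(shift);
    return undef unless defined $host;
    my $packed = gethostbyname($host);
    return undef unless defined $packed;
    return inet_ntoa($packed);
}

# Constructed sample inputs; "placeholder" stands in for any command word.
my @samples = (
    'scanme.example',                 # ordinary hostname
    '127.0.0.1',                      # dotted quad
    'a.example`placeholder`',         # raw backtick in the query
    '127.0.0.1%20%7cplaceholder%3b',  # encoded space, pipe and semicolon
);

for my $raw (@samples) {
    my $shipped = filter_as_shipped($raw);
    my $patched = filter_patched($raw);
    my $verdict = (defined validate_host($raw)) ? 'accept' : 'reject';
    printf "%-32s shipped=%-34s patched=%-34s allowlist=%s\n",
        $raw, $shipped, $patched, $verdict;
    print "  shipped output still contains a shell metacharacter\n"
        if $shipped =~ $SHELL_META;
}

# Numeric input resolves locally, so this runs without DNS access.
my $addr = resolve_host('127.0.0.1');
print "resolve_host('127.0.0.1') = ", (defined $addr ? $addr : 'unresolved'), "\n";
```

Running it shows the third sample leaving filter_as_shipped unchanged, backtick included, while filter_patched returns a.examplehplaceholderh. The fourth sample comes out of filter_as_shipped as 127.0.0.1a20a7cplaceholdera3b (the '%' signs were rewritten before the decode ran) and out of filter_patched as "127.0.0.1 eplaceholderb" (decoded first, then the pipe and semicolon rewritten). Both of those inputs are simply rejected by validate_host, which is the shape of check to prefer: a hostname has a small, well-defined alphabet, so validating against it is shorter than chasing metacharacters and does not depend on what a CGI library may already have decoded before the script sees the value.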
Current thread:
- ExploitLabs.com CGI Script Irony (was: Vote Today) mattmurphy () kc rr com (Jun 12)
- Re: [0day] ExploitLabs.com CGI Script Irony (was: Vote Today) morning_wood (Jun 12)
- Re: [0day] ExploitLabs.com CGI Script Irony (was: Vote Today) morning_wood (Jun 12)
- <Possible follow-ups>
- RE: ExploitLabs.com CGI Script Irony (was: Vote Today) Steve Manzuik (Jun 12)