Full Disclosure mailing list archives
Re: AirOS remote root 0day
From: sd <sd () fucksheep org>
Date: Sun, 25 Dec 2011 02:45:39 +0100
The bug is lighttpd's. It's whitelist is applied to actual url (thus allowing .cgi, .css, .gif etc, according to its whitelist). However that pesky PATHINFO feature strips all trailing path components in hopes of finding a valid path (/admin.cgi/blah.(css|gif|js...)) becomes just /admin.cgi). Actual trailing paths granting arbitrary CGI access: airos.allow = ( ".ico", ".gif", ".png", ".jpg", ".js", ".css", "jsl10n.cgi", "poll.cgi", "airview.jar.pack.gz", "airview_manager.jnlp", "airview.jnlp", "airview.uavr", "/login.cgi", "/ticket.cgi" ) Note that this is a common bug (elaborate security company tract pending :) and exploit evading cgi access restrictions based on url rules. Fixing it, surprisinly, is not easy - all filters provided by airos.allow/deny are strncmp() applied to the end of original (pre-pathinfo) uri and pretty much useless. Just upgrade to fw 5.3.5 released few days ago by ubiquity. Additional L7 rules anywhere upstream are embarassingly ineffective (just use http url escaping to evade) and merely stops skynet from spreading Also, the shell worm spreading using this renames /admin.cgi to /adm.cgi - for you guys having trouble actually exploing infected systems :) 2011/12/23 Christopher Granger <chrisgrangerx () gmail com>:
Does anyone have additional information about this vulnerability? It looks like it can be exploited by requesting: http://[X.X.X.X]/admin.cgi/[any or no filename string].css Although http://gregsowell.com/?p=3428 states: "The exploit appears to be a flaw in the admin.cgi file(CORRECTION…IT IS ALL PAGES SO WE WILL BLOCK ALL CGI)." However, this last runs counter to what I've seen so far ... Thanks, -Chris _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- AirOS remote root 0day sd (Dec 22)
- <Possible follow-ups>
- AirOS remote root 0day Christopher Granger (Dec 24)
- Re: AirOS remote root 0day sd (Dec 24)