Vulnerability Development mailing list archives

Re: Administrivia #5218


From: lamont () ICOPYRIGHT COM (Granquist, Lamont)
Date: Mon, 24 Jan 2000 11:59:26 -0800


If someone can access your analysis machine and run these scripts with
their own parameters, then you've got a huge problem above and beyond any
vulnerabilities in these scripts.

On Sat, 22 Jan 2000, kjkotas wrote:
Yes, a few of the CGI scripts of the Shadow distribution are weak and
easily exploitable. This is not much of a challenge, but true, the exploits
have not been published. In one of the Perl CGI scripts, the author even
writes the following:

#
#  Unfortunately, we can't generalize rules for specifying valid tcpdump
#  filters, since a lot of special characters are acceptable. Fortunately, we
#  call the script directly, i.e. no shell and enclose the tcpdump filter
#  in quotes.
#

It pretty much says ';exploit me;'.

The weak scripts that I found all do not have sufficient checking of
command parameters similar to the above.

In particular, I have found the following scripts vulnerable:

pat_match_form.cgi (Version 1.5, 1.6)
mday-search.cgi (Version 1.6)
scan_search.cgi (Version 1.5)
nmap.cgi (Version 1.6)


kjk

On Fri, 21 Jan 2000, Blue Boar wrote:

I'm told there are unpublished exploits for this package:

http://www.nswc.navy.mil/ISSEC/CID/
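The quoted comment puts its trust in "no shell and enclose the tcpdump filter in quotes"; the complaint in the thread is that the scripts never check the parameters themselves. The following is an added example, not code from the Shadow distribution or from anyone in this thread, written in Python rather than the scripts' Perl: it validates a submitted filter against a small allowlist of tcpdump filter tokens and hands the result to tcpdump as an argv list, so no shell is ever involved. The accepted keyword set and the `tcpdump` command line are assumptions for illustration.

```python
import re
import subprocess

# Allowlist for the subset of tcpdump filter syntax a search form needs
# (assumed set; extend deliberately, never by accepting "anything").
_KEYWORDS = {"host", "net", "port", "src", "dst", "and", "or", "not",
             "tcp", "udp", "icmp", "ip"}
# Tokens we understand: IPv4 (optionally with /prefix), integers, lowercase
# words, and parentheses. Anything else never becomes a token.
_TOKEN = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?|\d+|[a-z]+|[()]")


def validate_filter(expr):
    """Return the filter as a token list, or raise ValueError.

    Every non-whitespace character must have been consumed by an allowed
    token; leftovers (quotes, ';', '|', '$', ...) mean rejection, and so
    does any word that is not a known keyword or unbalanced parentheses.
    """
    tokens = _TOKEN.findall(expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError("filter contains characters outside the allowlist")
    depth = 0
    for tok in tokens:
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced parentheses")
        elif tok.isalpha() and tok not in _KEYWORDS:
            raise ValueError("unknown filter keyword: " + tok)
    if depth != 0:
        raise ValueError("unbalanced parentheses")
    return tokens


def build_argv(expr, pcap_path):
    """Build the tcpdump argv; the filter is one argument, never shell text."""
    filter_expr = " ".join(validate_filter(expr))
    return ["tcpdump", "-n", "-r", pcap_path, filter_expr]


def run_search(expr, pcap_path):
    """Run tcpdump without a shell (shell=False is the default for a list)."""
    proc = subprocess.run(build_argv(expr, pcap_path), capture_output=True,
                          text=True, check=False)
    return proc.stdout
```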