Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: 72% of web base ping scripts allows attackers to pass malicious parameters

From: okrehel () loews com
Date: Mon, 3 Jun 2002 09:12:57 -0400

I also want to know, if the firewall has ICMP open in/out (it means that
you can ping an internal host
by conduit in firewall - NAT) if there is a way bypass by something to web
server, could
be Unicode bug, Transversal bug etc... I have seen firewalls on internet
and they allow ping inside
the network.
Thank you.

Ondrej




                                                                                                                        
               
                      "John Thornton"                                                                                   
               
                      <news@hackersdige        To:       <vuln-dev () securityfocus com>                                
                  
                      st.com>                  cc:                                                                      
               
                                               Subject:  72% of web base ping scripts allows attackers to pass 
malicious parameters    
                      06/01/2002 12:37                                                                                  
               
                      AM                                                                                                
               
                                                                                                                        
               
                                                                                                                        
               




I started to look into web sites that allows anyone to ping a host via web.
I wanted to see if any of these scripts would allow me to execute a '|' so
I
could run commands of my choice on their server. Almost all of them pass
this test however I was shocked to see how many allowed me to pass
parameters to the ping program itself.

Doing a search on google for 'ping.asp' ( For some reason url:ping.asp
yields no results ) I started to go down the list and would test each
script
by putting '127.0.0.1 -l' for a host. If the script returned 'Value must be
supplied for option -l.' I know that anyone could use this server for a
DDOS
attack. For example 'victim.com -l 65500 -t' would send very large icmp
packets to the victim until the Network Administrator notice that his
server
was ping flooding someone.

Of all the scripts tested a very frightening 72% allow me to pass
parameters
that would allow anyone to use it for a DDOS. Most of the servers that host
these scripts are isp's and universities that are sitting on large pipes to
the internet. The real threat is that there is no vender to alert. Most of
these scripts are custom developed. I have informed the administrators of
the vulnerable scripts that I have found but there are thousands out there.

-John Thornton
Editor in Chief
Hacker's Digest Magazine
http://www.hackersdigest.com
Previous By Date Next
Previous By Thread Next

Current thread: