fingerd-cgi.txt

2001-11-22T00:00:00
ID PACKETSTORM:25475
Type packetstorm
Reporter gobbles
Modified 2001-11-22T00:00:00

Description

                                        
                                            `++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++   
++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++   
ALERT! ALERT! BERKELEY FINGER VULNERABILITY! ALERT! ALERT!   
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++   
  
This is NOT Robert Morris gets() bug!  
  
#include "/tmp/.admin_files/trash/about_us.h"  
  
GOBBLES LABS was pioneered in year 2001 to address security threat to  
public. We will become renowned for our bleeding edge technology and method  
of giving software full-fledged battery of attack to find weakness and make  
this weaknesses known to public sector (not disk sector hehehe) so problem  
may be fixed in reliable manner. We invent several fuzz testing tool for  
remote daemon and we thus are able to stress test application for security.  
GOBBLES LABS uses proprietary artificial intelligence tool to aid in  
enumeration of remote host banner and then able to identify flaw through new  
operating system TCP/IP stack fingerprint by measuring delayed  
acknowledgement behaviour, thus being able to ratify system information by  
referencing a table of TCP slow start and fast retransmit behaviour. GOBBLES  
be adding patches to nmap security tool to show this method of identifying  
system like Solaris, IRIX, SCSI, Linux, *BSD, etc. etc.  
  
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo  
  
"To be or not to exist, were the great green grass exhumed by the twilight  
hour mystique" -- Gobbles Poetry, 2000  
  
PRODUCT  
*******  
  
program: Berkeley finger.cgi  
website: http://www.csua.berkeley.edu/cgi-bin/finger?source  
  
BACKGROUND  
**********  
  
Inspired by recent ingenius Bugtraq post entitled "How to use Google to find  
confidential informations," GOBBLES team begin question prospects in finding  
exploitable conditions in scripts return by google search machine. First  
GOBBLES did search like "allinurl:cgi-bin/finger" and find source offered by  
berkeley.edu in public domain. Source promise security but this promise  
broken because airhead programmer did not use common sense but instead use  
shoes too much (everyone remember pine holes?!?! not shoes used that time  
but too much cereal heheheeee).   
  
Programmer claim security with Perl comment:  
  
#########################################################  
# check for some loozer trying to run a different process  
#########################################################  
  
This obnoxious attitude not buy security though. Programmer who not fully  
understand /bin/sh -c nuance should not get programming as hobby at all.  
  
Ok, so for this audit we going to use vi editor because it offer flexibility  
in locate precise vulnerability. So we have our tools and that's important  
because we have to have tool.  
  
"Important to relax and just let source code speak to soul." -- Anonymous  
  
TECHNICAL DETAILS  
*****************  
  
Here is the working spotlight portion of code:  
  
#########################################################  
# check for some loozer trying to run a different process  
#########################################################  
  
if ($dest =~ /;|>||\||&/) {  
print <<EOH;  
<H1>Forget it, bum!</H1>  
<P>Either you made a big typo, or you're trying something funny with  
the system.  
</BODY></HTML>  
EOH  
exit(0);  
}  
  
  
###############  
# do the finger  
###############  
  
if ($dest) {  
if ($xpid = open(FINGER,"$finger $dest |")) {  
print "<PRE>", <FINGER>, "</PRE>";  
close(FINGER);  
}  
else {  
print <<EOH;  
<P>There was an error during the finger process.</P>  
EOH  
}  
}  
  
Ok, so we immediately see questionable open() call and notice $dest scalar  
come from user input. But programmer try best to strip out metacharacter. HE  
WRONG. HE DID NOT THINK ABOUT NEWLINE!!!! WHAT MATTER WITH DENSE PEOPLE  
THESE DAYS???? Nobody learn from phf hole???? GOBBLES find this poor  
education in public very disturbing and hope that "necessary evil" stated by  
aleph1 will help berkeley.edu fix their security.  
  
DEMONSTRATION  
*************  
  
In order to prevent malicious attacker from using this hole, GOBBLES has  
taken obscurity measures to protect an innocent host from being cracked.  
Thus, the vulnerable host has been replaced with domain host.com below.  
  
http://www.host.com/cgi-bin/finger?dest=x%0aid  
  
EXPLOIT  
*******  
  
This bug can be exploited with Unicode / CGI Decode exploit from Microsoft  
called Internet Explorer.  
  
VENDOR NOTIFICATION  
*******************  
  
Domain Name: BERKELEY.EDU  
  
Administrative Contact, Technical Contact, Billing Contact:  
University of California, Berkeley (UCB-NOC) noc@NAK.BERKELEY.EDU  
Communication and Network Services  
283 Evans Hall #3806  
Berkeley, CA 94720-3806  
USA  
1-510-643-3267  
  
root@berkeley.edu and noc@nak.berkeley.edu contacted with vulnerability  
information and fix suggestion.  
  
GREETS  
******  
  
dianora -- where would we be without you? You instilled in GOBBLES security  
importance of clearly documenting "return 0;" behavior in big, robust code  
like hybrid-6. GOBBLES knows numeric misuse issues in hybrid-6 but will keep  
them quiet for now until we able to develop patch and stop irc warrior  
abusing issue with exploit created by GOBBLES hacking team who help security  
industry to stop other hackers getting in. That important trend today:  
hackers working with security industry to stop hackers getting in is logical  
progression from stage magician telling the audience how the trick is done.  
It is sensible and people should not be criticized for this.  
  
tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble, emmanuel  
goldstein, box.sk, @stake, securityfocus, blackhat.com, defcon.org,  
2600.com, #phrack@efnet, #hackphreak@undernet, bugtraq (thanks aleph1 and  
david ahmad for devoting your time to a great list), ntbugtraq (russel the  
love muscle ;D), cert.org, paul vixie, vesselin bontchev, reese witherspoon,  
kirstin dunst, katie holmes, aleister crowley, manly p hall, franz bardon,  
dennis ritchie, nietzsche, w. richard stevens, and all our friends and  
family.   
  
  
GOBBLES SECURITY  
http://www.bugtraq.org/  
  
  
  
  
  
  
  
  
  
`