XOR-Wimpy.txt

2006-02-20T00:00:00
ID PACKETSTORM:44014
Type packetstorm
Reporter xorcrew.net
Modified 2006-02-20T00:00:00

Description

                                        
                                            `------=_Part_3561_13171861.1140054915207  
Content-Type: text/plain; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
XOR Crew :: Security Advisory =20  
2/10/2006  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
Wimpy MP3 Player - Text file overwrite. (lame)  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
http://www.xorcrew.net/  
http://www.xorcrew.net/ReZEN/  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
:: Summary  
  
Vendor : Plaino Inc.  
Vendor Site : http://www.wimpyplayer.com/  
Product(s) : Wimpy MP3 PLayer  
Version(s) : All  
Severity : Low  
Impact : trackme.txt overwrite  
Release Date : 2/10/2006  
Credits : ReZEN (rezen (a) xorcrew (.) net)  
  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
I. Description  
  
Wimpy provides a simple, clean, enjoyable listening experience for  
your website's  
visitors. Lists and plays an entire directory full of mp3 files automatica=  
lly.  
  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
II. Synopsis  
  
The file wimpy_trackplays.php does not check the variables passed to  
it prior to  
writing the contents of those variables to trackme.txt. That allows  
us to write  
anything we want to trackme.txt. This is not really a problem for the  
server running  
wimpy. The problem lies in the fact that being able to write to  
trackme.txt allows  
the attacker a jump off point for other Remote Command Execution Bugs  
that read from  
text files. These bugs are quite common and thus wimpy aids the  
attacker in staying  
annonymous.  
  
Example:  
  
http://www.site.com/pathtowimpy/goodies/wimpy_trackplays.php?myAction=3Dtra=  
ckplays  
&trackFile=3D<?php&trackArtist=3Dsystem("uname -a;id;");&trackTitle=3D?>  
  
that writes:  
  
<?php  
system("uname -a;id;");  
?>  
  
to trackme.txt. Then all the attacker has to do is point is RCE  
exploit to trackme.txt  
and there you have it. So yeah lame vuln but interesting. Peace out.  
  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
IV. Greets :>  
  
All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.  
  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
------=_Part_3561_13171861.1140054915207  
Content-Type: text/html; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
<pre>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>XOR Crew :: Security Advisory=  
2/10/2006<br>=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D  
<br>Wimpy MP3 Player - Text file overwrite. (lame)<br>=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D<br><a href=3D"http://www.xorcrew.net/">http://www.xorcrew.n=  
et/</a><br><a href=3D"http://www.xorcrew.net/ReZEN/">  
http://www.xorcrew.net/ReZEN/</a><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
<br><br>:: Summary<br><br> Vendor : Plaino Inc.<br> Vendor=  
Site : <a href=3D"http://www.wimpyplayer.com/">  
http://www.wimpyplayer.com/</a><br> Product(s) : Wimpy MP3 PLayer<b=  
r> Version(s) : All<br> Severity : Low<br> Impact =  
: trackme.txt overwrite<br> Release Date : 2/10/2006<br> Cr=  
edits : ReZEN (rezen (a) xorcrew (.) net)  
<br><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>I. Description<br><br>=  
Wimpy provides a simple, clean, enjoyable listening experience for your web=  
site's<br>visitors. Lists and plays an entire directory full of mp3 files =  
automatically.  
<br><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>II. Synopsis<br><br>Th=  
e file wimpy_trackplays.php does not check the variables passed to it prior=  
to <br>writing the contents of those variables to=20  
trackme.txt. That allows us to write <br>anything we want to trackme.txt. =  
This is not really a problem for the server running <br>wimpy. The proble=  
m lies in the fact that being able to write to trackme.txt allows<br>the at=  
tacker a jump off point for other Remote Command Execution Bugs that read f=  
rom  
<br>text files. These bugs are quite common and thus wimpy aids the attack=  
er in staying<br>annonymous. <br><br>Example:<br><br><a href=3D"http://www=  
.site.com/pathtowimpy/goodies/wimpy_trackplays.php?myAction=3Dtrackplays">h=  
ttp://www.site.com/pathtowimpy/goodies/wimpy_trackplays.php?myAction=3Dtrac=  
kplays  
</a><br>&trackFile=3D<?php&trackArtist=3Dsystem("uname -a;i=  
d;");&trackTitle=3D?><br><br>that writes:<br><br><?php<br>sy=  
stem("uname -a;id;");<br>?><br><br>to trackme.txt. Then all t=  
he attacker has to do is point is RCE exploit to=20  
trackme.txt<br>and there you have it. So yeah lame vuln but interesting. =  
Peace out.<br><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>IV. Greets :&=  
gt;<br><br>All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful g=  
irlfriend.  
<br><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D</pre>  
  
------=_Part_3561_13171861.1140054915207--  
`