Vulners
Lucene search
verlihub-exec.txt
`== verlihub <=0.9.8d-RC2 remote r00t / command execution =======================
| ' / |
/__ ___ ( /
\\--`-'-|`---\\ |
|' _/ ` __/ /
'._ V ,--'
'_:_._/
description:--------------------------------------------------------------------
"Verlihub is a Direct Connect protocol server; runs on Linux OS; written in
C++."
-- <http://www.verlihub-project.org/>
Verlihub does not sanitize user input passed to the shell via its "trigger"
mechanism. Furthermore, the Verlihub daemon can optionally be configured to
run as root. This allows for the arbitrary execution of commands by users
connected to the hub and, in the case of the daemon running as root,
complete commandeering of the machine.
-- Code Listing: src/ctrigger.cpp : cTrigger::DoIt() -------------------
106 string command(buf); :
107 filename = server.mConfigBaseDir; ,:
108 filename.append("/tmp/trigger.tmp"); | / \ |
109 command.append(" > "); \_\\ //_/
110 command.append(filename); .'/()\'.
111 cout << command << endl; \\ //
112 system(command.c_str());
------------------------------------------------------------------------
vulnerability check:------------------------------------------------------------
# grep allow_exec /etc/verlihub/dbconfig
allow_exec = 1
or
# grep allow_exec $HOME/.verlihub/dbconfig
allow_exec = 1
exploit:------------------------------------------------------------------------
1. Connect to a hub with user triggers allowed and set up to accept
arguments;
2. Run a trigger with a specially crafted argument, e.g.:
+<trigger> `cat /etc/passwd`
where <trigger> is the name of the trigger.
3. ...
patch:--------------------------------------------------------------------------
$ diff src/ctrigger.cpp src/ctrigger.cpp.new
9a10
> #include <stdio.h>
19a21,33
> void strip( char * str, char c )
> {
> char * p1 = str;
> while ( *p1++ )
> if( *p1 == c )
> {
> char * p2 = p1;
> while( *p2 && *p2 == c ) { ++p2; }
> if(*p2) { *p1 = *p2; *p2 = c; }
> else { *p1 = '\0'; break; }
> }
> }
>
107,114c121,145
< filename = server.mConfigBaseDir;
< filename.append("/tmp/trigger.tmp");
< command.append(" > ");
< command.append(filename);
< cout << command << endl;
< system(command.c_str());
< buf = "";
< if (!LoadFileInString(filename,buf)) return 0;
---
> char buffer[ 1024 ];
> FILE * stream;
> buf = "";
> char * cmd = command.c_str();
>
> strip( cmd, ';' ); strip( cmd, '\"' );
> strip( cmd, '\'' ); strip( cmd, '\\' );
> strip( cmd, '`' ); strip( cmd, ':' );
> strip( cmd, '!' ); strip( cmd, '$' );
> strip( cmd, '{' ); strip( cmd, '}' );
> strip( cmd, '[' ); strip( cmd, ']' );
> strip( cmd, '&' ); strip( cmd, '>' );
> strip( cmd, '<' ); strip( cmd, '|' );
> strip( cmd, '~' ); strip( cmd, '/' );
>
> cout << cmd << endl;
> stream = popen( cmd, "r" );
> if ( stream == NULL )
> perror( NULL );
> else
> while( fgets( buffer, 1024, stream )
> != NULL )
> buf.append( buffer );
> if ( pclose( stream ) == -1 )
> perror( NULL );
== eof ======================================== by v4lkyrius at gmail dot com ==
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Nov 2008 00:00Current
7.4High risk
Vulners AI Score7.4