Vulnerability in Upload Lite 3.22 that could allow somebody to upload/execute code on a remote host.

2003-03-09T00:00:00
ID SECURITYVULNS:DOC:4174
Type securityvulns
Reporter Securityvulns
Modified 2003-03-09T00:00:00

Description

There is a vulnerability in Upload Lite 3.22 that could allow somebody to upload/execute code on a remote host.

The exploit was tested on Windows and as far as I know it will only work on windows.. It will not work on *nix because of file permissions.

Upload Lite 3.22 from PerlScriptsJavaScripts.com "The ultimate free uploader with admin specified restrictions on file types and sizes"

How to exploit:

Using a form with 2 fields such as:


<form action="http://www.example.com/cgi-bin/upload.cgi" method="post" enctype="multipart/form-data"> File 1, Same filename as file2<br> <input type="File" name="FILE1"><br> File 2, The code you plan to execute, with same filename as file1<br><input type="File" name="FILE2"><br> <input type="Submit" value="Submit"></p> </form>


By uploading 2 of the same file (with the same filename - this is important, any size, even above the maximum limit) the first temporary file that gets created when the files are being uploaded gets deleted, the second temporary file does not get deleted, this is the file that may contain malicious code.

The temporary file is saved as CGItemp<random number>

To find the file you've uploaded you could write a program to count up and append the number to the filename "CGItemp". There may be other incomplete files, but you will eventually find the file you're looking for..

After the temporary file has been found the attacker could then access the file that he/she has uploaded and the host could then be taken over by using a backdoor cgi script, etc... (use your imagination).

You must also spoof the referring URL in the http header so that the script thinks you're uploading from the site you're supposed to be uploading from.

Any host running this script is a potential target. I would recommend not using this script until a patch or new version is released.

Example of script to be run on host:


!C:\Perl\Bin\Perl.exe

print ("Content-Type: text/html\n\nUh Oh! It works!\n");


Of course somebody could use malicious code very easily... but i'm not going to give out code which could be used in a bad way. :-)

If you have any questions or comments please feel free to contact me.


Saturday, March 8, 2003

-Sil http://www.silenttech.com e-mail: sil@linuxquestions.net