[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Command Injection Vulnerability in stat.qwest.net

To: Full-Disclosure <full-disclosure@lists.netsys.com>
Subject: [Full-Disclosure] Command Injection Vulnerability in stat.qwest.net
From: Dan Daggett <csiwebmaster@csi.edu>
Date: Thu, 21 Aug 2003 17:09:29 -0600

[Vulnerable Site]

http://stat.qwest.net


[Site Purpose]  

Site can be used by network administrators and engineers to test network
connectivity, view Qwest's backbones, and test latency across Qwest's
network.


[Vulnerable Page]

http://stat.qwest.net/cgi-bin/jlg-new.pl

This page can be accessed through
http://stat.qwest.net/looking_glass.html


[Page Purpose]

Run ping and traceroute from various routers/computers in many locations
across Qwest's network, including North America and Asia.


[Command Injection]

While running a ping on a site that wasn't up, the error message made me
realize that the perl script was shelling out a command to a remote
system and tacking my input into it.  

For example in the dropdown box pick any router and select ping or
traceroute.  In this case I selected ping.  Type in a nonexistent site
such as nositehere.nope.  Here is what was returned in the page.

/usr/sbin/ping: unknown host nositehere.nope

My next thought was whether or not proper checking had been done to
avoid escaping the command and running my own code.  This time I used a
semicolon to add my own commands on to the end: nositehere.nope;id;uname
-a;  I put the ending semicolon on in case there was additional
parameters added to the ping command.  Here is the result.

Pinging nositehere.nope;id; from atl-engr-01.inet.qwest.net

uid=60001(nobody) gid=60001(nobody)


[Problem Fix]

The vulnerability here lies in the fact that unfiltered user input is
passed by the Perl script directly to the command line.  Something as
simple as verifying that only certain characters will be passed to the
command prompt would prevent this.

For example this would drop any characters that were not alphanumberic,
dash, underscore, and a period.

$user_input  =~ s/[^A-Za-z0-9_-.]//g;


[Vendor Contact]

Sent email to security@qwest.net on August 19th.

Problem fixed August 21, 2003


[Contact Info]

Report can be viewed online
http://www.socialgeeks.com/advisories/qwest_aug_21_2003.php

Submitted to list on August 21, 2003 by Dan Daggett

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Command Injection Vulnerability in stat.qwest.net - OFFTOPIC
  - From: "Kurt Seifried" <listuser@seifried.org>

Prev by Date: Re: [Full-Disclosure] Google Private IP is 10.7.0.73 !!!!!!
Next by Date: [Full-Disclosure] RE: Popular Net anonymity service back-doored
Prev by thread: Re: [Full-Disclosure] Win32 Device Drivers Communication Vulnerabilities + PoC for Symantec Norton AntiVirus '2002 (probably all versions) Device Driver
Next by thread: Re: [Full-Disclosure] Command Injection Vulnerability in stat.qwest.net - OFFTOPIC
Index(es):
- Date
- Thread