
Re: [Full-Disclosure] Command Injection Vulnerability in stat.qwest.net - OFFTOPIC



Why are you telling us this? How does it affect anyone but Qwest, who you
notified, and who fixed it? Do we now send out a security advisory every
time we notify someone to disable a vulnerable service (sir, you have
telnet enabled)? This is getting ridiculous.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/


----- Original Message ----- 
From: "Dan Daggett" <csiwebmaster@csi.edu>
To: "Full-Disclosure" <full-disclosure@lists.netsys.com>
Sent: Thursday, August 21, 2003 5:09 PM
Subject: [Full-Disclosure] Command Injection Vulnerability in stat.qwest.net


> [Vulnerable Site]
>
> http://stat.qwest.net
>
>
> [Site Purpose]
>
> Site can be used by network administrators and engineers to test network
> connectivity, view Qwest's backbones, and test latency across Qwest's
> network.
>
>
> [Vulnerable Page]
>
> http://stat.qwest.net/cgi-bin/jlg-new.pl
>
> This page can be accessed through
> http://stat.qwest.net/looking_glass.html
>
>
> [Page Purpose]
>
> Run ping and traceroute from various routers/computers in many locations
> across Qwest's network, including North America and Asia.
>
>
> [Command Injection]
>
> While running a ping on a site that wasn't up, the error message made me
> realize that the perl script was shelling out a command to a remote
> system and tacking my input into it.
>
> For example in the dropdown box pick any router and select ping or
> traceroute.  In this case I selected ping.  Type in a nonexistent site
> such as nositehere.nope.  Here is what was returned in the page.
>
> /usr/sbin/ping: unknown host nositehere.nope
>
> My next thought was whether or not proper checking had been done to
> avoid escaping the command and running my own code.  This time I used a
> semicolon to add my own commands on to the end: nositehere.nope;id;uname
> -a;  I put the ending semicolon on in case there was additional
> parameters added to the ping command.  Here is the result.
>
> Pinging nositehere.nope;id; from atl-engr-01.inet.qwest.net
>
> uid=60001(nobody) gid=60001(nobody)
>
>
> [Problem Fix]
>
> The vulnerability here lies in the fact that unfiltered user input is
> passed by the Perl script directly to the command line.  Something as
> simple as verifying that only certain characters will be passed to the
> command prompt would prevent this.
>
> For example, this would drop any characters that were not alphanumeric,
> dash, underscore, or a period.
>
> $user_input =~ s/[^A-Za-z0-9_.-]//g;   # '-' last so it is a literal dash, not a range
>
>
> [Vendor Contact]
>
> Sent email to security@qwest.net on August 19th.
>
> Problem fixed August 21, 2003
>
>
> [Contact Info]
>
> Report can be viewed online
> http://www.socialgeeks.com/advisories/qwest_aug_21_2003.php
>
> Submitted to list on August 21, 2003 by Dan Daggett
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
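The pattern the advisory describes (a Perl CGI interpolating user input into a shell command) next to a hardened version, as an added example that is not part of either post and is not Qwest's jlg-new.pl. The ping path is taken from the error text quoted above; the function names, the `-c 3` probe count (a Linux/BSD ping option) and the sample inputs are assumptions. The hardened version does two things the advisory's filter alone does not: it rejects rather than silently rewrites bad input, and it starts ping with the list form of `open`, so no shell ever parses the argument.

```perl
#!/usr/bin/perl
# Added example (not Qwest's script): injectable looking-glass ping wrapper
# beside a hardened one. Function names and the probe count are assumptions.
use strict;
use warnings;

my $PING = '/usr/sbin/ping';   # path from the advisory's error message

# VULNERABLE: the host is interpolated into one string handed to /bin/sh, so
# "nositehere.nope;id;uname -a;" runs id and uname after ping fails.
sub ping_vulnerable {
    my ($host) = @_;
    return scalar `$PING $host 2>&1`;
}

# Allow-list check: returns the validated host or undef. The '-' sits at the
# end of the class so Perl reads it as a literal dash, not a range.
sub validate_host {
    my ($input) = @_;
    return undef unless defined $input;
    return undef if length($input) == 0 || length($input) > 253;
    return undef unless $input =~ /\A[A-Za-z0-9._-]+\z/;
    return undef if $input =~ /\A-/;   # "-f" etc. would be parsed as an option
    return $input;
}

# HARDENED: validate, then exec ping directly via list-form open(). With four
# or more arguments Perl skips the shell entirely, so ';', '|', '`' and '$'
# are inert even if the allow-list were loosened later.
sub ping_hardened {
    my ($input) = @_;
    my $host = validate_host($input);
    return (undef, "rejected: host must match [A-Za-z0-9._-]+\n")
        unless defined $host;
    my @cmd = ($PING, '-c', '3', $host);   # -c 3 is an assumed Linux/BSD option
    open(my $fh, '-|', @cmd) or return (undef, "cannot run $PING: $!\n");
    my $out = do { local $/; <$fh> };
    close $fh;
    return ($host, $out);
}

# Constructed inputs, including the exact payload from the advisory.
unless (caller) {
    for my $in ('www.example.net', 'nositehere.nope;id;uname -a;', '-f', 'a b') {
        my $v = validate_host($in);
        printf "%-32s -> %s\n", "'$in'", defined $v ? 'accepted' : 'rejected';
    }
}
```

Run as-is it only exercises `validate_host` on the constructed inputs (no network needed); the advisory's payload, a leading-dash option and a value with a space are all rejected, while a plain hostname passes. Calling `ping_hardened('www.example.net')` runs ping without a shell; the vulnerable function is kept only to show the difference and should never be reachable from a CGI.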
