
Explore Vulnerabilities


Explore all Exploits:

AIX Privilege Escalation Vulnerability

A vulnerability exists in the AIX operating system distributed by IBM which could allow a user an elevation in privilege. The problem occurs in the digest binary. It is reported that it is possible to overflow a buffer in the program and overwrite a pointer to the stack, which in turn can result in an overflow in a library referenced by the binary. The secondary overflow in the library makes it possible to overwrite other stack variables, including the return address. A malicious user could use this vulnerability to gain an elevation in privileges, and potentially UID 0.

Postaci Webmail Default Configuration Vulnerability

PostACI Webmail stores database username and password information in a file called global.inc. This file is world-readable and stored in a directory accessible by a web browser over the Internet. As a result, an attacker can retrieve the global.inc file with a web browser on a typical system (default configuration). Once obtained, the attacker may be able to access the system's database.

WebGlimpse and GlimpseHTTP Command Injection Vulnerability

WebGlimpse and GlimpseHTTP are web indexing and search engine programs with some associated management scripts. GlimpseHTTP up to and including 2.0, and WebGlimpse prior to version 1.5, suffer from a common vulnerability involving the component "aglimpse". This script fails to filter the pipe metacharacter, allowing arbitrary command execution. The demonstration exploit for this vulnerability makes use of the Unix shell "IFS" (Internal Field Separator) variable for situations where the web server filters space characters: by setting this to an acceptable character ("5" in the example exploit) it is possible to use commands with more than one field.

Novell NetWare Web Server 2.x convert.bas Script Arbitrary File Retrieval Vulnerability

Novell NetWare Web Server 2.x versions came with a CGI written in BASIC called convert.bas. This script allows retrieval of files outside of the normal web server context. This can be accomplished simply by submitting the filename and path as a parameter to the script, using relative paths (../../) to traverse directories. Access may or may not be limited to the SYS: volume.

Freeware Guestbook Package Arbitrary File Retrieval Vulnerability

The freeware guestbook package from freeware.webcom.se provides a web-based guestbook feature, using CGI. Some versions of this guestbook (undetermined at the time of writing) are vulnerable to an attack allowing an intruder to retrieve the contents of arbitrary files to which the web server has access. This can be accomplished by specifying the path and filename as the parameter 'template' to either rguest.exe or wguest.exe (see the Exploit section for an example). These two programs typically reside in /cgi-bin.

IIS 1.0, Netscape Commerce Server 1.0/Communications Server 1.12, O'Reilly Software WebSite Professional 1.1 b .BAT/.CMD Remote Command Execution

Some web servers that allow batch files to be executed via CGI are vulnerable to an attack whereby an intruder can execute commands on the target machine. This can be accomplished by submitting the command to be executed as a variable preceded by the ampersand (&) symbol, e.g. http://targethost/cgi-bin/batfile.bat?&hostile_command. This apparently causes the server to call the function system("batfile.bat &hostile_command"), which the command interpreter interprets as two separate commands. Microsoft IIS 1.0, Netscape Commerce Server 1.0/Communications Server 1.12, and O'Reilly Software WebSite Professional 1.1 are vulnerable to this attack whether or not the requested .BAT file even exists.

Classifieds.cgi File Disclosure Vulnerability

Classifieds.cgi is a Perl script (part of the classifieds package by Greg Matthews) which provides simple classified ads for web sites. Due to improper input validation it can be used to read files on the host machine with the privileges of the web server. This can be accomplished by embedding the input redirection metacharacter along with a filename into the form field used for e-mail address entry (<input name=return>). Any file that the web server process has read access to can be retrieved.

IBM Net.Data Information Disclosure

IBM Net.Data is a scripting language used to create web applications; it supports a wide range of language environments and is compatible with most recognized databases. Net.Data contains a vulnerability which reveals server information. Requesting a specially crafted URL by way of the CGI application, composed of an invalid request and a known database name, will reveal the physical path of server files.

Classifieds.cgi Command Execution Vulnerability

Classifieds.cgi is a Perl script (part of the classifieds package by Greg Matthews) which provides simple classified ads for web sites. Due to improper input validation it can be used to execute any command on the host machine with the privileges of the web server. If the attacker can submit a command to run as a hidden variable, that command will be executed. Normally this variable is reserved for the mail program and is set from an HTML page with the following piece of code:

    <input type="hidden" name="mailprog" value="/usr/sbin/sendmail">

The demonstration form below replaces that value with an arbitrary command, which the script then runs:

    <form method=post action="/cgi-bin/classifieds.cgi">
    <input type="hidden" name="ClassifiedsDir" value="/home/httpd/html/class/ads/">
    <input type="hidden" name="ViewDir" value="http://victim.com/class/ads/">
    <input type="hidden" name="ErrorReturn" value="http://victim.com/class/index.html">
    <input type="hidden" name="ReturnURL" value="http://victim.com/class/hi.html">
    <input type="hidden" name="return" value="duke@viper.net.au">
    <input type="hidden" name="mailprog" value="touch /tmp/bighole">
    <b>Which department do you want your ad to be placed in or you would like to view?</b>
    </form>
