Why are you telling us this? How does it affect anyone but Qwest, whom you notified, and who fixed it? Do we now send out a security advisory every time we notify someone to disable a vulnerable service ("sir, you have telnet enabled")? This is getting ridiculous.
Kurt Seifried, [EMAIL PROTECTED]
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

----- Original Message -----
From: "Dan Daggett" <[EMAIL PROTECTED]>
To: "Full-Disclosure" <[EMAIL PROTECTED]>
Sent: Thursday, August 21, 2003 5:09 PM
Subject: [Full-Disclosure] Command Injection Vulnerability in stat.qwest.net

> [Vulnerable Site]
>
> http://stat.qwest.net
>
>
> [Site Purpose]
>
> Site can be used by network administrators and engineers to test network
> connectivity, view Qwest's backbones, and test latency across Qwest's
> network.
>
>
> [Vulnerable Page]
>
> http://stat.qwest.net/cgi-bin/jlg-new.pl
>
> This page can be accessed through
> http://stat.qwest.net/looking_glass.html
>
>
> [Page Purpose]
>
> Run ping and traceroute from various routers/computers in many locations
> across Qwest's network, including North America and Asia.
>
>
> [Command Injection]
>
> While running a ping on a site that wasn't up, the error message made me
> realize that the perl script was shelling out a command to a remote
> system and tacking my input into it.
>
> For example, in the dropdown box pick any router and select ping or
> traceroute. In this case I selected ping. Type in a nonexistent site
> such as nositehere.nope. Here is what was returned in the page.
>
> /usr/sbin/ping: unknown host nositehere.nope
>
> My next thought was whether or not proper checking had been done to
> avoid escaping the command and running my own code. This time I used a
> semicolon to add my own commands on to the end: nositehere.nope;id;uname
> -a; I put the ending semicolon on in case there were additional
> parameters added to the ping command. Here is the result.
>
> Pinging nositehere.nope;id; from atl-engr-01.inet.qwest.net
>
> uid=60001(nobody) gid=60001(nobody)
>
>
> [Problem Fix]
>
> The vulnerability here lies in the fact that unfiltered user input is
> passed by the Perl script directly to the command line. Something as
> simple as verifying that only certain characters will be passed to the
> command prompt would prevent this.
>
> For example, this would drop any characters that were not alphanumeric,
> dash, underscore, or a period (the dash goes last in the class so Perl
> reads it as a literal rather than an invalid "_-." range):
>
> $user_input =~ s/[^A-Za-z0-9_.-]//g;
>
>
> [Vendor Contact]
>
> Sent email to [EMAIL PROTECTED] on August 19th.
>
> Problem fixed August 21, 2003
>
>
> [Contact Info]
>
> Report can be viewed online
> http://www.socialgeeks.com/advisories/qwest_aug_21_2003.php
>
> Submitted to list on August 21, 2003 by Dan Daggett
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
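For readers who maintain a similar looking-glass CGI, here is an added example (not the stat.qwest.net script, which was never published) of the fix Dan's advisory suggests, done so that the shell is never involved at all: an anchored whitelist that rejects bad input instead of silently stripping it, plus list-form system(). The ping path and the -c flag are assumptions about the target platform.

```perl
#!/usr/bin/perl
# Added example, not the original stat.qwest.net CGI. Shows the two defences
# for the bug above: reject anything that is not a plain hostname, and call
# ping with a list so no shell ever sees the user's input.
use strict;
use warnings;

# Whitelist from the advisory, with the dash last so it is literal (written
# inside the class as "_-." it is an invalid range and the regex won't compile)
# and anchored, so the whole value must be clean rather than just a substring.
sub validate_host {
    my ($input) = @_;
    return undef unless defined $input && length($input) > 0 && length($input) <= 253;
    return undef unless $input =~ /^[A-Za-z0-9_.-]+$/;
    return undef if $input =~ /^-/;    # would be read by ping as an option
    return $input;
}

# Argument list for ping. Path and the -c flag are assumptions about the
# target platform. With several list elements, Perl's system() exec()s the
# program directly: ';', '|' and '$(...)' are just characters, not syntax.
sub ping_argv {
    my ($host) = @_;
    return ('/usr/sbin/ping', '-c', '3', $host);
}

sub run_ping {
    my ($raw) = @_;
    my $host = validate_host($raw);
    if (!defined $host) {
        print "Rejected: hostname may contain only letters, digits, '.', '_' and '-'\n";
        return 1;
    }
    print "Pinging $host\n";
    my $rc = system(ping_argv($host));    # list form: no shell
    return $rc == 0 ? 0 : 1;
}

# Self-check on constructed inputs, including the separator-laden one from
# the advisory, which must now be refused rather than executed.
if (!caller) {
    for my $case ('www.example.com', 'nositehere.nope;id;uname -a;', '-c', '') {
        my $v = validate_host($case);
        printf "%-32s -> %s\n", "'$case'", defined $v ? 'accepted' : 'rejected';
    }
    exit run_ping($ARGV[0]) if @ARGV;
}
```

Run with no arguments to see the validation table; pass a hostname as the first argument to actually invoke ping through the list-form call.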
