Robpoll.cgi is a free cgi based admin program for Unix and NT which has remote vulnerabilities allowing remote users to execute any command on the remote system with the priveleges of the web server. In addition, anyone can read any file on the remote system with the webserver UID.
bc0607609836ddf0e5923a2902e5194cc19852cc1fd731afa6d4b7bc8745952a
Software: Robpoll.cgi
URL: http://
Platforms: Unix, NT
Type: CGI, Change password by default
robpoll.cgi Remote Possible Problem discovered by
Nick: alt3kx
Mail: alt3kx_h3z@raza-mexicana.org
Webs:
w w w . h e r t m x . o r g
w w w . s 0 d . o r g
w w w . r a z a - m e x i c a n a . o r g
Summary:
Anyone can execute any command on the remote system with
the priveleges of the web server. Anyone can read any file
on the remote system which the account in wich the webserver
runs as.
Vulnerability:
Robpoll is a free cgi based admin program.
I played with the CGI and discovered that the function admin
is set by a default password called "robpoll":
1: Add New Question
2: Remove Question
3: Change Password <--here is the bug
There is an admin function for adding and removing questions, which
is run through the robpoll.cgi, as shown in poll.html.
The admin section of the script is password protected. The default
password is "robpoll". You can change it through one of the admin
functions.
These are the files you should have:
1. robpoll.cgi . . . . . . the main Perl script
2. pollssi.cgi . . . . . . the Perl script for SSI
3. poll.html . . . . . . . sample html file
4. data.txt . . . . . . . . main data file
5. q1.txt . . . . . . . . . question data
6. ip1.txt . . . . . . . . ip data
7. num.txt . . . . . . . . data
8. white.jpg . . . . . . . image for graphing
9. robpoll.jpg . . . . . . link image
10. readme.txt . . . . . . . this file
Exploit:
(1) robpoll.cgi -
http://www.example.com/cgi-bin/robpoll.cgi?Admin
(2) You will receive an message html like:
1: Add New Question
2: Remove Question
3: Change Password
(3) The password by default is "robpoll", leaving this password thus
compromises the system and its files.
------------------------CUT------------------------
## - Author alt3kx -
## (www.raza-mexicana.org)
##
##
#!/bin/bash
echo -e "GET http://www.example.com/cgi-bin/robpoll.cgi?Admin
HTTP/1.0\n\n" | nc xxx.server.com 80
------------------------CUT------------------------
Greetz to: Packet Storm and Ken, ADM crew, dr_fdisk^(k00l friend),
Raregazz, X-ploit, _0x90_ (next work!).
Radikall (thanks for the work).