Berkeley finger.cgi has a remote command execution vulnerability because it does not strip out newlines.
9522938f90cc239769620d06fc8cdd679f71ea497be3e18b34ec0cfceaaf02f6
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++
ALERT! ALERT! BERKELEY FINGER VULNERABILITY! ALERT! ALERT!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This is NOT Robert Morris gets() bug!
#include "/tmp/.admin_files/trash/about_us.h"
GOBBLES LABS was pioneered in year 2001 to address security threat to
public. We will become renowned for our bleeding edge technology and method
of giving software full-fledged battery of attack to find weakness and make
this weaknesses known to public sector (not disk sector hehehe) so problem
may be fixed in reliable manner. We invent several fuzz testing tool for
remote daemon and we thus are able to stress test application for security.
GOBBLES LABS uses proprietary artificial intelligence tool to aid in
enumeration of remote host banner and then able to identify flaw through new
operating system TCP/IP stack fingerprint by measuring delayed
acknowledgement behaviour, thus being able to ratify system information by
referencing a table of TCP slow start and fast retransmit behaviour. GOBBLES
be adding patches to nmap security tool to show this method of identifying
system like Solaris, IRIX, SCSI, Linux, *BSD, etc. etc.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
"To be or not to exist, were the great green grass exhumed by the twilight
hour mystique" -- Gobbles Poetry, 2000
PRODUCT
*******
program: Berkeley finger.cgi
website: http://www.csua.berkeley.edu/cgi-bin/finger?source
BACKGROUND
**********
Inspired by recent ingenius Bugtraq post entitled "How to use Google to find
confidential informations," GOBBLES team begin question prospects in finding
exploitable conditions in scripts return by google search machine. First
GOBBLES did search like "allinurl:cgi-bin/finger" and find source offered by
berkeley.edu in public domain. Source promise security but this promise
broken because airhead programmer did not use common sense but instead use
shoes too much (everyone remember pine holes?!?! not shoes used that time
but too much cereal heheheeee).
Programmer claim security with Perl comment:
#########################################################
# check for some loozer trying to run a different process
#########################################################
This obnoxious attitude not buy security though. Programmer who not fully
understand /bin/sh -c nuance should not get programming as hobby at all.
Ok, so for this audit we going to use vi editor because it offer flexibility
in locate precise vulnerability. So we have our tools and that's important
because we have to have tool.
"Important to relax and just let source code speak to soul." -- Anonymous
TECHNICAL DETAILS
*****************
Here is the working spotlight portion of code:
#########################################################
# check for some loozer trying to run a different process
#########################################################
if ($dest =~ /;|>||\||&/) {
print <<EOH;
<H1>Forget it, bum!</H1>
<P>Either you made a big typo, or you're trying something funny with
the system.
</BODY></HTML>
EOH
exit(0);
}
###############
# do the finger
###############
if ($dest) {
if ($xpid = open(FINGER,"$finger $dest |")) {
print "<PRE>", <FINGER>, "</PRE>";
close(FINGER);
}
else {
print <<EOH;
<P>There was an error during the finger process.</P>
EOH
}
}
Ok, so we immediately see questionable open() call and notice $dest scalar
come from user input. But programmer try best to strip out metacharacter. HE
WRONG. HE DID NOT THINK ABOUT NEWLINE!!!! WHAT MATTER WITH DENSE PEOPLE
THESE DAYS???? Nobody learn from phf hole???? GOBBLES find this poor
education in public very disturbing and hope that "necessary evil" stated by
aleph1 will help berkeley.edu fix their security.
DEMONSTRATION
*************
In order to prevent malicious attacker from using this hole, GOBBLES has
taken obscurity measures to protect an innocent host from being cracked.
Thus, the vulnerable host has been replaced with domain host.com below.
http://www.host.com/cgi-bin/finger?dest=x%0aid
EXPLOIT
*******
This bug can be exploited with Unicode / CGI Decode exploit from Microsoft
called Internet Explorer.
VENDOR NOTIFICATION
*******************
Domain Name: BERKELEY.EDU
Administrative Contact, Technical Contact, Billing Contact:
University of California, Berkeley (UCB-NOC) noc@NAK.BERKELEY.EDU
Communication and Network Services
283 Evans Hall #3806
Berkeley, CA 94720-3806
USA
1-510-643-3267
root@berkeley.edu and noc@nak.berkeley.edu contacted with vulnerability
information and fix suggestion.
GREETS
******
dianora -- where would we be without you? You instilled in GOBBLES security
importance of clearly documenting "return 0;" behavior in big, robust code
like hybrid-6. GOBBLES knows numeric misuse issues in hybrid-6 but will keep
them quiet for now until we able to develop patch and stop irc warrior
abusing issue with exploit created by GOBBLES hacking team who help security
industry to stop other hackers getting in. That important trend today:
hackers working with security industry to stop hackers getting in is logical
progression from stage magician telling the audience how the trick is done.
It is sensible and people should not be criticized for this.
tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble, emmanuel
goldstein, box.sk, @stake, securityfocus, blackhat.com, defcon.org,
2600.com, #phrack@efnet, #hackphreak@undernet, bugtraq (thanks aleph1 and
david ahmad for devoting your time to a great list), ntbugtraq (russel the
love muscle ;D), cert.org, paul vixie, vesselin bontchev, reese witherspoon,
kirstin dunst, katie holmes, aleister crowley, manly p hall, franz bardon,
dennis ritchie, nietzsche, w. richard stevens, and all our friends and
family.
GOBBLES SECURITY
http://www.bugtraq.org/