exploit the possibilities

SCANIT-2008-003.txt

SCANIT-2008-003.txt
Posted Jul 1, 2008
Authored by Rodrigo Rubira Branco, Filipe Balestra | Site scanit.net

Wordtrans versions 1.1pre15 and below suffer from a remote command execution vulnerability.

tags | advisory, remote
MD5 | 2dbe63c7f433939569f3b2bbd9396d7d

SCANIT-2008-003.txt

Change Mirror Download
Wordtrans-web Remote Command Execution Vulnerability
Scanit R&D Labs Security Advisory
http://www.scanit.net/rd/advisories/
Jun 30, 2008

Filename: SCANIT-2008-003.txt
SCANIT ID: SCANIT-2008-003
Published: June 30th, 2008


I. Summary

Wordtrans is a free front-end graphical application that allows you to
look for
words in several dictionaries. It can also translate the word that the
user
selects with his mouse.

The latest Wordtrans version could allow a remote attacker to execute
arbitrary
code in the server, caused by an input validation error in the
wordtrans-web
package, which is a PHP-based Web interface for Wordtrans.

II. Affected Products

This vulnerability affects the wordtrans 1.1pre15 and probably previous
versions.

III. Details

When sending a request without the variable "command" or with an
undefined
command and any word in the variable "word", the variable "link_options"
receives one argument from the user, passed with the "advanced" variable
using
the POST method. Then, the variable "link_options" is concatenated with
the
variable "exec_wordtrans". Since "exec_wordtrans" is passed to the
function
"passthru" without checking for special characters, we can send shell
characters
like | or ; to execute commands in the machine with privileges of the
Web server
process when the URL is submitted. This is part of vulnerable script
from
wordtrans 1.1pre15:

...
$exec_wordtrans = $wordtrans . "-d \"$dict\" ";

switch ($_GET['command']) {
...
default:
if ($_POST['word'] != "") {
if ($_POST['fullwords']) $exec_wordtrans .= " +w "; else
$exec_wordtrans .= " -w ";
if ($_POST['casesensitive']) $exec_wordtrans .= " +c "; else
$exec_wordtrans .= " -c ";
if ($_POST['invertir']) $exec_wordtrans .= " +i "; else
$exec_wordtrans .= " -i ";
if ($_POST['noacentos']) $exec_wordtrans .= " +g "; else
$exec_wordtrans .= " -g ";

$link_options = "--html-link-options \"?lang=
$lang_case&advanced=".$_POST['advanced']."&\" ";
$exec_wordtrans .= $link_options;

$exec_wordtrans .= "\"".$_POST['word']."\"";

passthru($exec_wordtrans);
...

To exploit this vulnerability, the "Magic Quotes" option needs to be
unset.
But since this option was removed from PHP since version 6.0.0, this is
a
critical vulnerability.

IV. Solution

No vendor response.

V. Timeline

March 10th, 2008 - Vulnerability discovery
March 24th, 2008 - First contact attempt
June 30th, 2008 - Advisory release

VI. Credits

This vulnerability was discovered by Scanit's researchers Filipe
Balestra
<filipe *noSPAM* scanit . net> and Rodrigo Rubira Branco (BSDaemon)
<rodrigo *noSPAM* scanit . net>.

VII. Contact

Scanit's R&D Labs represent Scanit's efforts in security research
activities.
By keeping track of the newest deffensive and offensive technologies,
Scanit's
researchers are able to contribute with unpublished works made in-house.
This
way, by driving the state-of-the-art in computer security, Scanit honors
its
commitment to stay in the front line of scientific evolution.

Reach us at research@scanit.net
Visit http://www.scanit.net

VIII. Disclaimer

The information contained in this document may change without notice.
Use of
this information constitutes acceptance for use in an "AS IS" condition.
There
are no warranties regarding the topicality, correctness, completeness or
quality of the information provided by this document. Under no
circumstances
shall the authors be held liable for any direct, indirect, or
consequential
damages, losses, injuries, or unlawful offences allegedly arising from
the use
of this information.


Copyright 2008 Scanit Middle East FZ/LLC

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    10 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close