Gast Arbeiter Privilege Escalation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - - ------------------------------------------------------------
NATOK security labs natok at hush.com
October 20st, 2003 Privilege Escalation
- - - ------------------------------------------------------------
- - - Overview
Software : Gast Arbeiter <= 1.3
Vendor : Petr Bartels <petr.bartels@xxxxxxx>
Vulnerability : Privilege Escalation
Status : Author has been notified
Type : Remote
- - - Description
NATOK security labs discovered a security hole in the instant
messaging tool Gast Arbeiter written by the polnish software
engineer Petr Bartels.
By sending a special crafted message we are able to write to
any file which may lead to privilege escalation.
- - - Probleme Description
Gast Arbeiter is an instant messaging tool written in Perl
that allows people from all around the world to chat with
each other. The project is maintained by Peter Bartels.
According to the official website the software has been
downloaded over five thousand times.
Gast Arbeiter includes a feature to upload individual files
via a CGI interface. Due to insufficient checkings we are
able to write to any file.
- - - Technical Description
The following vulnerability is present in Gastarbeiter < 1.3
# Fetching Cgi Params
$exch_file = "$DATA_DIR/incoming/" . $cgi->param('req_file');
# Writing Data
open(FH, "> $exch_file") or die("can't write file: $!");
print FH $cgi->param('body');
close(FH);
This vulnerability allows the attacker to write any file on
the remote host.
- - - Exploit
No Public Exploit. Please contact me to get your version.
- - - Patch
Please change the source code:
$tmp = $cgi->param('req_file');
$tmp =~ s/\.\.//g;
$exch_file = "$DATA_DIR/incoming/" . $tmp;
- - - Greets
... to the Legion of Dotness - my Family!
... to Gadu Gadu - my Religion!
... to Poland - my Country!
________________________________
/ /|
/--------------------------------/ |
| ## # #### ##### ## # # | |
| # # # # # # # # ## | |
| # ## #### # # # # # | |
| # # # # # ## # # | |
|________________________________|/
contact: r00t@xxxxxxxx
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3
wkYEARECAAYFAj+UXKoACgkQK+B0NVtqTQPnuQCfZk3AH/RqTxtjb78jqUDfZ9DuYHcA
n1mZlv2gYgTAj8qGn+acsyhZDh8m
=xcue
-----END PGP SIGNATURE-----
Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2
Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434
Promote security and make money with the Hushmail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427