Gast Arbeiter Privilege Escalation

To: bugtraq@xxxxxxxxxxxxxxxxx, vuln-dev@xxxxxxxxxxxxxxxxx, vulnwatch@xxxxxxxxxxxxx
Subject: Gast Arbeiter Privilege Escalation
From: <natok@xxxxxxxx>
Date: Mon, 20 Oct 2003 15:07:37 -0700
Cc:
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ------------------------------------------------------------
NATOK security labs                            natok at hush.com
October 20st, 2003                          Privilege Escalation
- - - ------------------------------------------------------------

- - - Overview

  Software      : Gast Arbeiter <= 1.3
  Vendor        : Petr Bartels <petr.bartels@xxxxxxx>
  Vulnerability : Privilege Escalation
  Status        : Author has been notified
  Type          : Remote

- - - Description

   NATOK security labs discovered a security hole in the instant
   messaging tool Gast Arbeiter written by the polnish software
   engineer Petr Bartels.

   By sending a special crafted message we are able to write to
   any file which may lead to privilege escalation.

- - - Probleme Description

   Gast Arbeiter is an instant messaging tool written in Perl
   that allows people from all around the world to chat with
   each other. The project is maintained by Peter Bartels.

   According to the official website the software has been
   downloaded over five thousand times.

   Gast Arbeiter includes a feature to upload individual files
   via a CGI interface. Due to insufficient checkings we are
   able to write to any file.

- - - Technical Description

   The following vulnerability is present in Gastarbeiter < 1.3

   # Fetching Cgi Params
   $exch_file = "$DATA_DIR/incoming/" . $cgi->param('req_file');

   # Writing Data
   open(FH, "> $exch_file") or die("can't write file: $!");
   print FH $cgi->param('body');
   close(FH);

   This vulnerability allows the attacker to write any file on
   the remote host.

- - - Exploit

   No Public Exploit. Please contact me to get your version.

- - - Patch

   Please change the source code:

   $tmp = $cgi->param('req_file');
   $tmp =~ s/\.\.//g;

   $exch_file = "$DATA_DIR/incoming/" . $tmp;

- - - Greets

   ... to the Legion of Dotness - my Family!
   ... to Gadu Gadu - my Religion!
   ... to Poland - my Country!

    ________________________________
   /                                /|
  /--------------------------------/ |
  |  ##  # #### #####  ##  # #     | |
  |  # # # #  #   #   #  # ##      | |
  |  #  ## ####   #   #  # # #     | |
  |  #   # #  #   #    ##  #  #    | |
  |________________________________|/

    contact: r00t@xxxxxxxx


-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAj+UXKoACgkQK+B0NVtqTQPnuQCfZk3AH/RqTxtjb78jqUDfZ9DuYHcA
n1mZlv2gYgTAj8qGn+acsyhZDh8m
=xcue
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427

Prev by Date: Cross Site Java applets
Next by Date: RE: IE remote code execution
Previous by thread: Cross Site Java applets
Next by thread: Immunix Secured OS 7+ fetchmail update
Index(es):
- Date
- Thread