AnyForm script remote arbitrary command execution vulnerability

Vulnerability ID: 1105243    Vulnerability type: Input validation
Published: 1995-07-31    Updated: 2006-11-16
CVE ID: CVE-1999-0066    CNNVD-ID: CNNVD-199507-001
Platform: Linux    CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/19557
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199507-001
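|Vulnerability details
AnyForm is a CGI script, written by John Roberts, that sends e-mail from simple forms. AnyForm version 2 (AnyForm2) has an input validation flaw in its implementation that lets a remote attacker execute arbitrary commands on the host with the privileges of the web server process. AnyForm passes user input taken from the form to the system() call without checking it, so a remote attacker can insert shell metacharacters such as ";" into the input and execute arbitrary commands.
|Exploit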
source: http://www.securityfocus.com/bid/719/info

AnyForm is a popular form CGI designed to support simple forms that deliver responses via email. Certain versions of AnyForm did not perform sanity checking on user-supplied data and could be exploited by remote intruders to execute arbitrary commands. These commands were issued as the UID which the web server runs as, typically 'nobody'.

Exploit as taken from the original post on this issue:

To exploit, create a form with a hidden field something like this:

<input type="hidden" name="AnyFormTo" value="foo@bar.com;command-to-execute
with whatever arguments;/usr/lib/sendmail -t foo@bar.com ">

Then submit the form to the "AnyForm" CGI on the server to be attacked.
The value of this parameter is passed to this code:

SystemCommand="/usr/lib/sendmail -t " + AnyFormTo + " <" + CombinedFileName;
system(SystemCommand);

Since system invokes a shell, the semicolons are treated as command
delimiters and anything can be inserted.
|References

Source: BID
Name: 719
Link: http://www.securityfocus.com/bid/719