Alibaba Web Server Exposes File System
Reported November 4, 1999 by Kerb
VERSIONS AFFECTED
  • Alibaba Web Server (freeware)

DESCRIPTION

Using specially formed URLs, a remote user can list, view, create, delete, and/or execute any file on the disk subsystem. The URL appends a pipe character and a command to the name of a CGI script under /cgi-bin/ (for example http://www.victim.com/cgi-bin/alibaba.pl|dir), and the command runs on the server.

DEMONSTRATION

According to Kerb:

The URL http://www.victim.com/cgi-bin/get32.exe|echo%20>c:\command.com allowed me to overwrite the command.com file. No explanation necessary there. Also, I was able to echo machine code bytes into a file, so the possibility of a Trojan enters the picture. If they had FTP running, I guess it wouldn't be much more than a trivial task to write a URL that copies the Trojan binary into the CGI directory and point your browser at the Trojan to execute it. Or even easier, just create a URL that will write the binary data of the Trojan into an EXE right in the CGI directory.

The URL http://www.victim.com/cgi-bin/alibaba.pl|dir allowed me to have a directory listing of all files in CWD, which happens to be the CGI directory. This could be useful for a couple things. One, finding out the full path to the CGI directory, for using exploits such as the one listed before this one. Another would be to find files for overwriting (using the > operator) or executing. Another possible use would be to list all *.pwl in the windows directory.

The URL http://www.victim.com/cgi-bin/tst.bat|type%20c:\windows\win.ini allowed me to view the entire contents of the c:\windows\win.ini file. No explanation necessary there. I chose those 3 CGIs (out of the 15 that came with my install) because they are of different types; an EXE, a PL, and a BAT. Basically the examples I used above are just ideas of what CAN be done.
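The three URLs above share one shape: a real CGI script name followed by a shell operator and an arbitrary command. The Python below is an added example, not part of Kerb's report or the Alibaba software. It does the two things a practitioner would want from this advisory: it scans constructed access-log lines for that shape (percent-decoding first, so an encoded pipe such as %7C is caught as well as a literal one), and it shows the allowlist check a server should apply to the script name before launching anything. The log lines are constructed for the example; the three script names in INSTALLED come from the report, but the list itself stands in for the real CGI directory.

```python
import re
from urllib.parse import unquote

CGI_PREFIX = "/cgi-bin/"

# Operators the Windows command interpreter acts on.  None of them belongs in
# a CGI script name, so any one of them after the prefix marks an injection.
SHELL_META = frozenset("|&<>^")

# Script names taken from the report; the list itself is a constructed stand-in
# for the real contents of the server's CGI directory.
INSTALLED = ("get32.exe", "alibaba.pl", "tst.bat")

# Constructed access-log lines (Common Log Format).  The first three reproduce
# the URL shapes from the report, the fourth percent-encodes the pipe, and the
# last two are ordinary requests that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Nov/1999:10:12:01 -0500] "GET /cgi-bin/get32.exe|echo%20>c:\\command.com HTTP/1.0" 200 0
10.0.0.5 - - [04/Nov/1999:10:13:44 -0500] "GET /cgi-bin/alibaba.pl|dir HTTP/1.0" 200 512
10.0.0.5 - - [04/Nov/1999:10:14:09 -0500] "GET /cgi-bin/tst.bat|type%20c:\\windows\\win.ini HTTP/1.0" 200 348
10.0.0.7 - - [04/Nov/1999:10:14:51 -0500] "GET /cgi-bin/alibaba.pl%7Cdir HTTP/1.0" 200 512
10.0.0.9 - - [04/Nov/1999:10:15:30 -0500] "GET /cgi-bin/alibaba.pl?name=bob HTTP/1.0" 200 220
10.0.0.9 - - [04/Nov/1999:10:16:02 -0500] "GET /index.html HTTP/1.0" 200 1024
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Only what a script name can legitimately contain; no operators, no slashes,
# no leading dot (so ".." never passes).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def request_path(target):
    """Strip query and fragment from a request target, then percent-decode the
    rest so that %7C is seen as the pipe it becomes on the server."""
    return unquote(target.split("#", 1)[0].split("?", 1)[0])


def injected_command(target):
    """Return (script, command) when the CGI script name carries a shell
    operator, e.g. ("alibaba.pl", "dir") for /cgi-bin/alibaba.pl|dir;
    None for anything else."""
    path = request_path(target)
    if not path.startswith(CGI_PREFIX):
        return None
    name = path[len(CGI_PREFIX):]
    for i, ch in enumerate(name):
        if ch in SHELL_META:
            return name[:i], name[i + 1:]
    return None


def scan_log(text):
    """One finding per log line whose request smuggles a command into the
    CGI script name."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        hit = injected_command(m.group("target"))
        if hit is not None:
            script, command = hit
            findings.append({"client": m.group("client"), "script": script,
                             "command": command, "status": m.group("status")})
    return findings


def accept_cgi_request(target, installed):
    """The check a fixed server would apply before spawning anything: the
    decoded script name must match the allowlist pattern and name a file that
    is actually installed.  Returns the name or raises ValueError.  Decoding
    happens before validation, and the raw target is never handed to a
    command interpreter."""
    path = request_path(target)
    if not path.startswith(CGI_PREFIX):
        raise ValueError("not a CGI request: %r" % target)
    name = path[len(CGI_PREFIX):]
    if not SAFE_NAME.match(name):
        raise ValueError("illegal character in script name: %r" % name)
    if name.lower() not in {n.lower() for n in installed}:
        raise ValueError("unknown CGI script: %r" % name)
    return name


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%(client)s ran %(command)r via %(script)s (HTTP %(status)s)" % f)
```

Running the block prints one line per flagged request; scan_log returns the same findings as dicts so they can be fed to whatever alerting the site uses. The allowlist in accept_cgi_request is deliberately stricter than a denylist of metacharacters: it admits only the characters a script name can contain, so new operators or encodings need not be anticipated.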

VENDOR RESPONSE

Kerb did not notify Alibaba, citing that "this is freeware, so they 'don't offer any support' as I believe it was worded on their Web site."

CREDITS
Reported by Kerb

Posted here at NTSecurity.NET on November 4, 1999