SANS ISC: Trouble Ticket Express Exploit in the Wild a Day After the Vulnerability Announcement - Internet Security | DShield SANS ISC InfoSec Forums


Trouble Ticket Express Exploit in the Wild a Day After the Vulnerability Announcement

The time between the announcement of a vulnerability and seeing the exploit in the wild is short, especially if the announcement includes proof-of-concept code. A day ago, a proof-of-concept exploit in Trouble Ticket Express help desk software was made public. Just a day later, ISC reader Ben saw the exploit in the wild:

64.15.159.171 - - [15/Mar/2010:18:42:23 -0700] "GET /ttx.cgi?cmd=file&fn=%7C%65%63%68%6F%20%2D%6E%20%62%75%66%75%77%75%7A%68%65%72%3B%65%63%68%6F%20%65%7C HTTP/1.1" 403 960 "-" "Plesk"

The decoded version of this particular URI is:

/ttx.cgi?cmd=file&fn=|echo%20-n%20bufuwuzher;echo%20e|

The targeted vulnerability in the application could allow the attacker to execute arbitrary code on the system.

If you are running Trouble Ticket Express version 3.01 or lower, update the program's File Module or disable access to the TTXFile.pm module on your server.

 -- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute. You can find him on Twitter.
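The following detection snippet is an added example, not code from the ISC diary or from the Trouble Ticket Express project. It decodes the request URI in Apache access-log lines and flags ttx.cgi requests whose parameter values carry the pipe delimiters seen in the request above; the first sample line is the one from the diary, the other lines are constructed, and the function names are my own.

```python
import re
from urllib.parse import unquote, urlparse, parse_qs

# Apache combined-log format; only the client IP, request URI and status are used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: line 1 is the request reported in the diary,
# lines 2-4 are benign traffic, line 5 is a doubly percent-encoded pipe.
SAMPLE_LOG = [
    '64.15.159.171 - - [15/Mar/2010:18:42:23 -0700] "GET /ttx.cgi?cmd=file&fn=%7C%65%63%68%6F%20%2D%6E%20%62%75%66%75%77%75%7A%68%65%72%3B%65%63%68%6F%20%65%7C HTTP/1.1" 403 960 "-" "Plesk"',
    '10.0.0.5 - - [15/Mar/2010:18:40:01 -0700] "GET /ttx.cgi?cmd=file&fn=attachment.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [15/Mar/2010:18:40:09 -0700] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [15/Mar/2010:18:41:30 -0700] "GET /ttx.cgi?cmd=img&fid=logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [15/Mar/2010:18:43:00 -0700] "GET /ttx.cgi?cmd=file&fn=%257Cuname%257C HTTP/1.1" 200 128 "-" "curl/7.19"',
]


def decode_ttx_params(uri):
    """Return fully percent-decoded query parameters of a ttx.cgi request, else None."""
    parsed = urlparse(uri)
    if not parsed.path.endswith("ttx.cgi"):
        return None
    raw = parse_qs(parsed.query, keep_blank_values=True)  # first decoding pass
    # Second pass so a doubly encoded pipe (%257C -> %7C -> |) is not missed.
    return {k: [unquote(v) for v in vals] for k, vals in raw.items()}


def is_ttx_pipe_injection(uri):
    """True when any ttx.cgi parameter value contains '|', the delimiter that
    turns the 'file name' handed to the File Module into a shell pipeline."""
    params = decode_ttx_params(uri)
    if params is None:
        return False
    return any("|" in v for vals in params.values() for v in vals)


def scan_log(lines):
    """Return (client_ip, decoded_uri, status) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_ttx_pipe_injection(m["uri"]):
            hits.append((m["ip"], unquote(m["uri"]), m["status"]))
    return hits


if __name__ == "__main__":
    for ip, uri, status in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {uri}")
```

A 403 on the flagged line, as in the diary, only tells you the web server refused that request; the decoded value is what to act on.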

This parameter also works on 3.01 & 3.0
ttx.cgi?cmd=img&fid=|whoami|
Anonymous