Wednesday, 24 April 2013


When you see that a bug in a Wiki engine used by Python and Debian gets published and got used to own them, you know that there is something interesting to look at...

This bug is a really simple directory traversal that you can use to write an arbitrary file on the system. The beauty of it is its exploitation (based on an exploit found on pastebin), the exploit bypasses 5 restrictions:

  1. It's valid python code.
  2. It starts with  the string `drawing.`.
  3. It contains `def execute(p,r):` to be a valid MoinMoin plugin.
  4. It does not contain any dot (`.`)
  5. It is less than 100 characters (due to the tar format).

If you want to know more, check out our latest exercise on cve-2012-6081.


Anonymous said...

i have a little issue with this exercise:

where regex for ip validation is:
validates_format_of :ip, :with => /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/

is completely correct. $/ <- anything after $ character will be ignored.

i have to remove $ on end of this regex to be able to do command injection.

i am using iso for i386 if it can help anything.

thanks for the exercise.

Louis Nyffenegger said...

Did you add the end of line before putting your injection %0aINJECTION ?