Trouble Ticket Express Exploit in the Wild a Day After the Vulnerability Announcement

Published: 2010-03-16
Last Updated: 2010-03-16 14:11:19 UTC
by Lenny Zeltser (Version: 1)
1 comment(s)

The time between the announcement of a vulnerability and the first sightings of the exploit in the wild is short, especially when the announcement includes proof-of-concept code. A day ago, a proof-of-concept exploit for the Trouble Ticket Express help desk software was made public. Just a day later, ISC reader Ben saw the exploit in the wild:

64.15.159.171 - - [15/Mar/2010:18:42:23 -0700] "GET /ttx.cgi?cmd=file&fn=%7C%65%63%68%6F%20%2D%6E%20%62%75%66%75%77%75%7A%68%65%72%3B%65%63%68%6F%20%65%7C HTTP/1.1" 403 960 "-" "Plesk"

The decoded version of this particular URI is:

/ttx.cgi?cmd=file&fn=|echo%20-n%20bufuwuzher;echo%20e|

The targeted vulnerability lets an attacker inject shell commands through the request's fn parameter, as the pipe characters around the echo command above show, and thereby execute arbitrary code on the server.
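A defender who wants to find this activity in existing web server logs needs to percent-decode the request URI before matching, since the raw line above contains no readable "echo" at all. The script below is an added example written for this diary, not code from the ISC or from Trouble Ticket Express: it parses Combined Log Format lines like the one Ben submitted, decodes the query string, and flags ttx.cgi requests whose fn or fid parameter (the two parameter names that appear in this diary and its comment) carries shell metacharacters. The log format regex, the metacharacter list and the benign and img/fid sample lines are my assumptions; the first sample line is the one from the diary.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format parser (written for this example; adjust if your log format differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names seen in the diary (fn) and in the comment (fid). Any shell
# metacharacter inside them is the signature of this command injection attempt.
SUSPECT_PARAMS = ("fn", "fid")
SHELL_META_RE = re.compile(r'[|;`$&<>]')

# Constructed sample log: the diary's real line first, then three lines I made up
# (a benign file request, the img/fid variant from the comment, an unrelated page).
SAMPLE_LOG = [
    '64.15.159.171 - - [15/Mar/2010:18:42:23 -0700] "GET /ttx.cgi?cmd=file&fn=%7C%65%63%68%6F%20%2D%6E%20%62%75%66%75%77%75%7A%68%65%72%3B%65%63%68%6F%20%65%7C HTTP/1.1" 403 960 "-" "Plesk"',
    '10.0.0.5 - - [15/Mar/2010:18:50:01 -0700] "GET /ttx.cgi?cmd=file&fn=report.txt HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [15/Mar/2010:19:02:17 -0700] "GET /ttx.cgi?cmd=img&fid=%7Cwhoami%7C HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Mar/2010:19:05:40 -0700] "GET /index.html HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]


def decode_value(value):
    """Percent-decode until the string stops changing, so double-encoded payloads are caught.
    (A literal '%' followed by two hex digits would be over-decoded; acceptable for a detector.)"""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value


def parse_query(query):
    """Split the raw query on '&' first, then decode each value, so an encoded
    '&' inside a payload cannot break the parameter boundaries."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(decode_value(key), []).append(decode_value(value))
    return params


def inspect_line(line):
    """Return a finding dict for a suspicious ttx.cgi request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if not decode_value(parts.path).endswith("/ttx.cgi"):
        return None
    params = parse_query(parts.query)
    for name in SUSPECT_PARAMS:
        for value in params.get(name, []):
            if SHELL_META_RE.search(value):
                return {
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "cmd": params.get("cmd", [""])[0],
                    "param": name,
                    "payload": value,
                    # The status tells you whether the server actually served the
                    # request (200) or blocked it (403, as in the diary's line).
                    "status": int(m.group("status")),
                }
    return None


def scan(lines):
    """Run inspect_line over every log line and collect the findings in order."""
    return [f for f in (inspect_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["time"]} {finding["ip"]} cmd={finding["cmd"]} '
              f'{finding["param"]}={finding["payload"]!r} status={finding["status"]}')
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a hit with status 200 deserves a closer look at the host than one the server refused with 403.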

If you are running Trouble Ticket Express version 3.01 or lower, update the program's File Module or disable access to the TTXFile.pm module on your server.

 -- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute. You can find him on Twitter.


Comments

This parameter also works on 3.01 & 3.0
ttx.cgi?cmd=img&fid=|whoami|
