Bugtraq mailing list archives

Security Advisory: HTTP/CGI Script Exploit


From: jrichard () fix net (Josh Richards)
Date: Wed, 11 Dec 1996 18:22:25 -0800


-----BEGIN PGP SIGNED MESSAGE-----

================================================================================

                               The DataHaven Project
                            ____ SECURITY ADVISORY ____

                                <jrichard () fix net>
                                 10 December 1996
                              Revised: 11 December 1996
================================================================================

Program(s): nph-test-cgi (a commonly installed sample CGI script)

Problems: Anyone can remotely view your filesystems via the web.

Extent/Severity: Majority of UNIX based Internet World Wide Web servers
                 come with this CGI script installed by default and are
                 currently exploitable.

Date: 10 December 1996

Author: jrichard () fix net (Josh Richards)

Description:

A security hole exists in the nph-test-cgi script included in most UNIX
based World Wide Web daemon distributions.  The nph-* scripts exist to
allow 'non-parsed headers' to be sent via the HTTP protocol (this is not
the cause of this security problem, though).  The problem is that
nph-test-cgi, which prints out information on the current web environment
(just like 'test-cgi' does) does not enclose its arguments to the 'echo'
command inside of quotes....shell escapes are not possible (or at least I
have not found them to be--yet) but shell *expansion* is....  This means
that _any_ remote user can easily browse your filesystem via the WWW.

This is a bug with the nph-test-cgi script and _not_ the server itself.


Versions: (These versions include the problem script in the distribution)

[PLEASE NOTE: These are only the ones that I have access to and could test
out and verify.--JR]

NCSA HTTP 1.3, 1.4, 1.4.1, 1.4.2, 1.5.1, 1.5.2, 1.5.2a
Apache HTTP 0.8.11, 0.8.14, 1.0.0, 1.0.2, 1.0.3, 1.0.5, 1.1.0
    Please note that the latest versions 1.1.1 and 1.2b2 or higher do
    *not* include the script as part of the distribution but if you
    upgrade from an earlier version (or NCSA HTTP) then the script _may_
    still be installed on your server from a previous distribution.
Apache-SSL HTTP 1.0.5
    1.1.1 (see Apache notes above)
StrongHold 1.3.2 (basically Apache 1.1.1 + SSL extensions)
Netscape
   Communications 1.1, 1.12
   Enterprise 2.0a
   Commerce 1.12
BESTWWWD 1.0
Microsoft
   [Status is unknown--I have no servers to test this on.--JR]


Exploit:

Enter the URL: <http://yourwebserver.com/cgi-bin/nph-test-cgi?*>

Replace <yourwebserver.com> with the hostname of a server running a web
daemon near you.

[Please note that the asterisk ('*') on the end of the URL is very
important.]

Now look very closely at the line beginning with "QUERY_STRING".
Does it look familiar to you?  It should (if it doesn't you should really
spend a little more time looking at what is installed on your system).

Similar URLs such as <http://yourwebserver.com/cgi-bin/nph-test-cgi?/*>
will allow users to traverse the filesystem and view the contents of
other directories on your server.


History:

A similar bug was reported in a L0pht advisory (from mudge () l0pht com) in
April 1996 with another (very similar) CGI script ('test-cgi') and it was
subsequently fixed by most of the major distributions. See
<URL:http://www.l0pht.com/advisories/test-cgi-vulnerability> for more
information.


Fix:

Type 'chmod 700 nph-test-cgi' at your nearest shell prompt (as superuser).

:-)

If it is necessary to have the script accessible (I don't know why it
would be though) then a quick fix is to put quotes around all parameters
to 'echo':

echo QUERY_STRING = $QUERY_STRING

This would become

echo "QUERY_STRING = $QUERY_STRING"

A longer term fix is to disable shell 'globbing' completely.  This can be
accomplished by starting the shell with the '-f' flag (or issuing 'set -f'
inside the script) if you are using a Bourne-derived shell.
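The following is an added example and is not the advisory's script or any
server distribution's nph-test-cgi. It reproduces the unquoted 'echo' line
from the Description section inside a temporary directory holding two
constructed files, so you can see the shell expand the query string into a
directory listing, and then shows the two fixes given above (quoting, and
'set -f') side by side. The sandbox directory, the file names and the
function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not the advisory's code): why an unquoted $QUERY_STRING
# is globbed by the shell, and how quoting or 'set -f' prevents it.

# Constructed sandbox: an empty temporary directory with two dummy files,
# standing in for the server's cgi-bin directory.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
touch "$SANDBOX/index.html" "$SANDBOX/secret.conf"

# Vulnerable form: same shape as the original nph-test-cgi line.
# The unquoted variable undergoes word splitting and pathname expansion,
# so a query string of '*' becomes the names of every file in the cwd.
vulnerable_echo() {
    QUERY_STRING="$1"
    ( cd "$SANDBOX" && echo QUERY_STRING = $QUERY_STRING )
}

# Fix 1 (quick fix from the advisory): quote the parameters to echo.
# Inside double quotes the variable is expanded but never globbed.
quoted_echo() {
    QUERY_STRING="$1"
    ( cd "$SANDBOX" && echo "QUERY_STRING = $QUERY_STRING" )
}

# Fix 2 (longer term fix from the advisory): disable globbing with 'set -f'.
# Even the unquoted form then leaves '*' untouched.  The subshell keeps the
# option change local to this function.
noglob_echo() {
    QUERY_STRING="$1"
    ( cd "$SANDBOX" && set -f && echo QUERY_STRING = $QUERY_STRING )
}

# Stand-alone demonstration with the same query string the advisory uses.
echo "vulnerable: $(vulnerable_echo '*')"
echo "quoted:     $(quoted_echo '*')"
echo "set -f:     $(noglob_echo '*')"
```

Note that 'set -f' only stops pathname expansion; quoting also stops word
splitting, so the quoted form is the one to prefer when both fixes are on
the table, and the '-f' flag on the script's '#!' line is a reasonable belt
and braces on top of it.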


Prevention:

Apply the above suggested fixes.  Watch your server's access_log for any
accesses to "/cgi-bin/nph-test-cgi" by doing a grep for "nph-test-cgi".
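As an added example (not part of the advisory), here is the grep the
Prevention section suggests, run over a few constructed access_log lines in
NCSA common log format so it can be tried offline. The client addresses,
timestamps, byte counts and the temporary file name are all made up for the
demonstration; the two helper functions are assumptions as well.

```shell
#!/bin/sh
# Added example (not the advisory's code): look for requests to
# nph-test-cgi in an access_log, as the Prevention section suggests.

# Constructed sample log, NCSA common log format.  Addresses are from the
# documentation range 192.0.2.0/24 and the entries are invented.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [11/Dec/1996:18:22:25 -0800] "GET /index.html HTTP/1.0" 200 1043
192.0.2.20 - - [11/Dec/1996:18:23:01 -0800] "GET /cgi-bin/nph-test-cgi?* HTTP/1.0" 200 612
192.0.2.20 - - [11/Dec/1996:18:23:40 -0800] "GET /cgi-bin/nph-test-cgi?/* HTTP/1.0" 200 2201
192.0.2.30 - - [11/Dec/1996:18:24:10 -0800] "GET /cgi-bin/test-cgi HTTP/1.0" 404 0
EOF

# Count every request that reached nph-test-cgi, regardless of query string.
# (The plain 'test-cgi' line does not match: the pattern needs the 'nph-' prefix.)
count_nph_hits() {
    grep -c 'nph-test-cgi' "$1"
}

# Count only requests whose query string carries a glob metacharacter
# ('*', '?' or '['), i.e. the ones that would have triggered the expansion.
count_glob_hits() {
    grep -c -E 'nph-test-cgi\?[^" ]*[*?[]' "$1"
}

# Distinct client addresses that requested the script, for follow-up.
nph_clients() {
    grep 'nph-test-cgi' "$1" | awk '{ print $1 }' | sort -u
}

# Stand-alone demonstration.
echo "nph-test-cgi requests: $(count_nph_hits "$SAMPLE_LOG")"
echo "with glob characters:  $(count_glob_hits "$SAMPLE_LOG")"
echo "clients:"
nph_clients "$SAMPLE_LOG"
```

On a real server replace the sample file with the path to your access_log;
if the script has already been removed or made inaccessible, any hit with a
200 status is a request that was answered before the fix went in.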


Notes:

There are _many_ CGI scripts written (I am guilty of writing them myself)
that do not check the input environment/variables enough.  Please check
your quickly-hacked-together-just-to-get-the-job-done shell scripts
carefully. UNIX can be powerful--too powerful for its (our?) own good
sometimes.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMq8ZR2m9zE6XY0w5AQG0lAQAmhBTOXUTCH+W3gSC8YKE9vszTUNW8n7D
/Pu3AhCpOgq94tmju0q1+u9sKlhQFNnE75b8CrRS5nQBqjS6uQhdcEvmwcuk9oxt
EcBtS5fv00RuBr0iZLXQzJCSSpgLN6z36IUQi4xUy1KTTRgzV6h+JIxN0pc8x5/t
vbHUssSOoOc=
=oWXn
-----END PGP SIGNATURE-----


|   Josh Richards -- Network Admin/Tech Support @ ***The FIX Network***     |
|   <jrichard () FIX Net> <jrichard () Freedom Gen Ca Us> <jrichard () Slonet Org>   |
| <http://www.freedom.gen.ca.us/jrichard/>            Finger for my PGP Key |
|  - '"Anonymity is bad," says a source who wishes to remain anonymous.' -  |
