Bugtraq mailing list archives
Bug in SGI's /cgi-bin/handler
From: drazvan () kappa ro (Razvan Dragomirescu)
Date: Sun, 15 Jun 1997 00:49:50 +0300
Hi,

A few weeks ago Yuri posted a message on a security bug in "wrap", a cgi-bin found on most unprotected IRIX systems. As I explored it, I found that /cgi-bin/handler is exploitable too. It is a small perl program that allows (in theory) to read and download files under the system's root directory. In fact it allows you to execute any command remotely on the target machine.

Here's how it works. "handler" reads PATH_INFO from the environment and then concatenates it with a default "root directory" (let's say /var/www/htdocs). It then runs a "validity check" on the result. But it only checks for "..", not for other potentially offensive special chars. It then uses "open (INPUT, $doc)" where $doc is the result of the concatenation. If you're familiar with PERL you know that if a '|' character follows the filename, perl will treat that filename as a command. It runs it and gives you STDOUT.

The way to exploit this "feature" for cgi-bin/handler is:

telnet target.machine.com 80
GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=Download HTTP/1.0

Note that you have to use a TAB character after cat, not a space, because the shell will accept it as a separator and it won't confuse the HTTP server. You can't use the %xx format (%20) because the script doesn't do any parsing (so you will not be able to give commands that contain spaces). Of course, you can use any other command instead of "cat" but remember NOT to use spaces, just tabs. The server will display an error saying that it couldn't open "useless_shit" but it will continue anyway and execute your command.

I tested it on two Indy machines with IRIX 6.2. I would appreciate any feedback from you.

And also, I think this kind of approach makes cgi-bins written in perl more vulnerable. That is, any script that does not strip special characters (not only dots, but also | and ;) and uses "open" commands on files read from user input can be attacked. Most of the cgi-bins I've seen do only a rudimentary check for "double-dots" and then declare the URL "sane". If you find any other programs vulnerable to this kind of attack please contact me (or even better, post them on BUGTRAQ).

Be good.
Razvan

-------------------------------------------------------------------------------
Razvan Dragomirescu
Organization: KappaNet & Government of Romania - Public Information Dept.
E-Mail: drazvan () kappa ro, drazvan () romania ro
Alternate E-mail: drazvan () iname com, drazvan () guv ro, drazvan () pub ro, drazvan () lbi ro
Phone: +40-1-6866621
NIC-HANDLE: RD1604
RIPE-HANDLE: RD38-RIPE
"Smile, tomorrow will be worse" (Murphy)
-------------------------------------------------------------------------------
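The pattern the post describes, as an added illustration that is not SGI's handler script: the two-argument open() that lets a trailing '|' turn a filename into a command, next to a hardened version that whitelists characters, confirms the resolved path stays under the document root, and uses three-argument open() so the mode can never come from user input. The document root and the sample PATH_INFO values are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

my $root = '/var/www/htdocs';   # assumed document root, as in the post

# Vulnerable shape (never called below): two-argument open() reads the
# mode from $doc itself, so a PATH_INFO ending in '|' is run as a shell
# pipeline. Checking only for ".." does nothing against '|', ';' or TAB.
sub serve_unsafe {
    my ($path_info) = @_;
    my $doc = $root . $path_info;
    return undef if $doc =~ /\.\./;          # the only check the post reports
    open(my $in, $doc) or return undef;      # mode taken from user data
    local $/; my $data = <$in>; close $in;
    return $data;
}

# Hardened: accept only a conservative character set (no whitespace, no
# shell metacharacters), refuse parent traversal, canonicalise, and make
# sure the result is still inside $root.
sub safe_doc_path {
    my ($path_info) = @_;
    return undef unless defined $path_info
        && $path_info =~ m{^(/[A-Za-z0-9._-]+)+$};
    return undef if $path_info =~ m{(^|/)\.\.(/|$)};
    my $doc = File::Spec->canonpath($root . $path_info);
    return undef unless index($doc, "$root/") == 0;
    return $doc;
}

sub serve_safe {
    my ($path_info) = @_;
    my $doc = safe_doc_path($path_info) or return undef;
    open(my $in, '<', $doc) or return undef;   # explicit read-only mode
    local $/; my $data = <$in>; close $in;
    return $data;
}

# Constructed inputs: the hostile PATH_INFO from the post is rejected by
# the validator before any open() is attempted.
for my $p ('/index.html', '/docs/../etc/passwd', "/x;cat\t/etc/passwd|", '/a b.txt') {
    (my $shown = $p) =~ s/\t/<TAB>/;
    printf "%-28s => %s\n", $shown, defined safe_doc_path($p) ? 'accepted' : 'rejected';
}
```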