Bugtraq mailing list archives

Re: Poll It v2.0 cgi (again)

From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Mon, 23 Oct 2000 15:55:20 -0700

OK. I got a copy of the 2.0 code. I haven't set up the cgi but from a short
review this is what I think is happening:

http://www.example.com/<cgi-dir>/pollit.cgi?admin_password=foo&entered_password=foo&action=add_option&add_option=1&=poll_options=echo+0wned>/tmp/hacked|

Basically there is a single call to open in Poll It v2.0 that is vulnerable
to a pipe attack. It's the call on line 94:

        open(COPTIONS,"$poll_options");

Notice that the filename is not preceded by either "<", ">", or ">>" which
means if we can control the contents of the variable $poll_options we
can make the open call execute a shell command by appending or prepending
a "|" character to it.

This part of the code implements the administrative functions. It can
only be reached if the variable $admin_password is equal to the variable
$entered_password, if the variable $action is equal to the string
"add_option" and if the variable $add_option is defined.

The variable $admin_password is set in the source code of the script.
The variable $entered_password is taken from the CGI variables. So are
the $action and $add_option variables.

The reason we can bypass all this and control $poll_options is because
in version 2.0 of the script the CGI variables are converted into
Perl variables by the function ReadForm. This function is called in
version 2.0 after the other script variables are defined. This means
we can overwrite the internal Perl variables by passing appropriate
CGI variables.

Version 2.01 of the script fixes this problem by calling ReadForm
before defining some variables. So we can't overwrite poll_options.

That being said the fix still leaves several variables vulnerable
(they are defined before the call to ReadForm). In particular the
$admin_password variable is defined before the call to ReadForm.
That means an attacker can access the administration screen of
Poll It without knowing the password by using a URL such as:

http://www.example.com/<cgi dir>/pollit.cgi?load=admin&entered_password=foo&admin_password=foo

To fix this problem move the call to ReadForm before any variables are
declared (e.g. line 15).
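An added illustration (not Poll It's code, and not from the original post) of the two defects discussed above and their hardened forms: read_form_unsafe mimics the ReadForm pattern the post describes, with each CGI parameter written into a same-named global via a symbolic reference, so it is an assumption about the script's internals; read_form_safe and open_data_file are the corrected versions.

```perl
use strict;
use warnings;

our $admin_password;   # script-internal secret, as in Poll It's source

# Mimics the ReadForm pattern the post describes (assumed, not Poll It's
# code): each CGI parameter becomes a global Perl variable of the same
# name via a symbolic reference, so any variable the script defined
# earlier (e.g. $admin_password) can be overwritten from the query string.
sub read_form_unsafe {
    my ($query) = @_;
    no strict 'refs';
    for my $pair (split /&/, $query) {
        my ($name, $value) = split /=/, $pair, 2;
        $value =~ tr/+/ /;
        $value =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
        ${"main::$name"} = $value;    # the defect: the client chooses $name
    }
}

# Hardened form: parameters stay in a hash, so they can never alias a
# script-internal variable no matter where in the script this is called.
sub read_form_safe {
    my ($query) = @_;
    my %form;
    for my $pair (split /&/, $query) {
        my ($name, $value) = split /=/, $pair, 2;
        $value =~ tr/+/ /;
        $value =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
        $form{$name} = $value;
    }
    return \%form;
}

# Hardened open: accept only a plain file name and use three-argument
# open, so a leading or trailing "|" is a literal (nonexistent) filename,
# never a shell pipe as with open(COPTIONS,"$poll_options").
sub open_data_file {
    my ($data_dir, $name) = @_;
    return undef unless defined $name && $name =~ /\A[\w.-]+\z/;
    open(my $fh, '<', "$data_dir/$name") or return undef;
    return $fh;
}

# Constructed query string modelled on the post's first URL.
my $query = 'admin_password=foo&entered_password=foo&poll_options=echo+0wned|';
$admin_password = 'site-secret';   # defined before the form is parsed, as in v2.0
my $form = read_form_safe($query);
print "safe ReadForm: admin_password still '$admin_password'\n";
read_form_unsafe($query);
print "unsafe ReadForm: admin_password is now '$admin_password'\n";
print open_data_file('pollit_files', $form->{poll_options}) ? "opened\n"
    : "rejected data-file name '$form->{poll_options}'\n";
```

Run as a plain script with no CGI environment: the safe parser leaves $admin_password untouched, the unsafe one replaces it with the client's value, and the pipe-bearing option name is rejected before any open is attempted.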

Furthermore, the installation script instructs users to create a
directory under the directory where you are installing the Poll It
CGI, called pollit_files, to store data files. These files are easily
readable. One file may be of a sensitive nature. The pollit_files/ips.txt
file lists the IP addresses of people that have voted in the poll.
Such information may be considered private and sensitive by individuals
participating in the poll. It can be downloaded via the URL:

http://www.example.com/<dir of pollit cgi>/pollit_files/ips.txt

At least you can't tell who voted for what.

The cgi directory name and the directory name of the poll it cgi may
change from site to site.

Finally the web site www.cgi-world.com still lists the Poll It version
as 2.0. The download file name and documentation all have the 2.0 version
number. Only the source file lists a version number of 2.01. Nowhere
are there any warnings about the vulnerability in version 2.0 or messages
encouraging users of 2.0 to upgrade to 2.01 for security reasons.

In all, the program was written with little attention paid to security.
The author did not seem to understand the ramifications of declaring
CGI variables as Perl variables, and the previous fix was incomplete.
I would not recommend that anyone run this CGI script in any security
sensitive environment.

* ChrisGunso () aol com (ChrisGunso () aol com) [001022 21:09]:
> Elias,
>
> I understand that, in July, Adrian Daminato was given credit for reporting a
> bug with the Poll It cgi script (available from cgi-world) that allowed for
> accessing of world readable files (i.e. \etc\passwd).
>
> Currently people are defacing web pages using a variation of the Poll It
> vulnerability.  A quick look at the archive of defaced sites at
> http://www.attrition.org/mirror/attrition/ will show a fair number use the
> script (specifically those defaced by "Havoc Korp").  Anti-AOL.com, who was
> using the script and was subsequently defaced, posted a portion of their log
> so that others could at least get a handle on what was happening.  It's not
> accessible from their site anymore but I mirrored it at
> http://members.aol.com/chrisgunso/log.txt
>
> You'll notice that there was code executed by the vote.cgi script
> (Poll_It_v2.0.cgi by default) that has been "snipped".  I think it uses a
> POST command to rewrite the index.shtml file but I just can't duplicate it.
> Do you see how it's accomplished off hand?
>
> Foremost, I'd hope that this discussion is used to prevent the vulnerability
> from further being utilized.  Secondly, I'm going crazy trying to figure it
> out myself.  If you see how it's accomplished and it doesn't immediately get
> to BugTraq, do you mind sharing it with me so my mind can finally get some
> rest?
>
> Cheers,
> Chris

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum