Bugtraq mailing list archives
Re: Poll It v2.0 cgi (again)
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Mon, 23 Oct 2000 15:55:20 -0700
OK. I got a copy of the 2.0 code. I haven't set up the CGI, but from a short review this is what I think is happening:

http://www.example.com/<cgi-dir>/pollit.cgi?admin_password=foo&entered_password=foo&action=add_option&add_option=1&poll_options=echo+0wned>/tmp/hacked|

Basically there is a single call to open in Poll It v2.0 that is vulnerable to a pipe attack. It's the call in line 94:

open(COPTIONS,"$poll_options");

Notice that the filename is not preceded by either "<", ">", or ">>", which means if we can control the contents of the variable $poll_options we can make the open call execute a shell command by appending or prepending a "|" character to it.

This part of the code implements the administrative functions. It can only be reached if the variable $admin_password is equal to the variable $entered_password, if the variable $action is equal to the string "add_option", and if the variable $add_option is defined. The variable $admin_password is set in the source code of the script. The variable $entered_password is taken from the CGI variables. So are the $action and $add_option variables.

The reason we can bypass all this and control $poll_options is because in version 2.0 of the script the CGI variables are converted into Perl variables by the function ReadForm. This function is called in version 2.0 after the other script variables are defined. This means we can overwrite the internal Perl variables by passing appropriate CGI variables.

Version 2.01 of the script fixes this problem by calling ReadForm before defining some variables, so we can't overwrite $poll_options. That being said, the fix still leaves several variables vulnerable (they are defined before the call to ReadForm). In particular, the $admin_password variable is defined before the call to ReadForm.

That means an attacker can access the administration screen of Poll It without knowing the password by using a URL such as:

http://www.example.com/<cgi dir>/pollit.cgi?load=admin&entered_password=foo&admin_password=foo

To fix this problem, move the call to ReadForm before any variables are declared (e.g. line 15).

Furthermore, the installation script instructs users to create a directory under the directory where you are installing the Poll It CGI, called pollit_files, to store data files. These files are easily readable. One file may be of a sensitive nature. The pollit_files/ips.txt file lists the IP addresses of people that have voted in the poll. Such information may be considered private and sensitive by individuals participating in the poll. It can be downloaded via the URL:

http://www.example.com/<dir of pollit cgi>/pollit_files/ips.txt

At least you can't tell who voted for what. The CGI directory name and the directory name of the Poll It CGI may change from site to site.

Finally, the web site www.cgi-world.com still lists the Poll It version as 2.0. The download file name and documentation all have the 2.0 version number. Only the source file lists a version number of 2.01. Nowhere are there any warnings about the vulnerability in version 2.0 or messages encouraging users of 2.0 to upgrade to 2.01 for security reasons.

In all, the program was written with little attention paid to security. The author did not seem to understand the ramifications of declaring CGI variables as Perl variables, and the previous fix was incomplete. I would not recommend that anyone run this CGI script in any security-sensitive environment.

* ChrisGunso () aol com (ChrisGunso () aol com) [001022 21:09]:
> Elias,
>
> I understand that, in July, Adrian Daminato was given credit for reporting a bug with the Poll It cgi script (available from cgi-world) that allowed for accessing of world readable files (ie /etc/passwd). Currently people are defacing web pages using a variation of the Poll It vulnerability. A quick look at the archive of defaced sites at http://www.attrition.org/mirror/attrition/ will show a fair amount use the script (specifically those defaced by "Havoc Korp").
>
> Anti-AOL.com, who was using the script and was subsequently defaced, posted a portion of their log so that others could at least get a handle on what was happening. It's not accessible from their site anymore but I mirrored it at http://members.aol.com/chrisgunso/log.txt
>
> You'll notice that there was code executed by the vote.cgi script (Poll_It_v2.0.cgi by default) that has been "snipped". I think it uses a POST command to rewrite the index.shtml file but I just can't duplicate it. Do you see how it's accomplished off hand?
>
> Foremost, I'd hope that this discussion is used to prevent the vulnerability from further being utilized. Secondly, I'm going crazy trying to figure it out myself. If you see how it's accomplished and it doesn't immediately get to BugTraq, do you mind sharing it with me so my mind can finally get some rest?
>
> Cheers,
> Chris
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
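The two bugs in the post (CGI parameters clobbering script globals, and a two-argument open() on the clobbered value) are easy to reproduce in isolation. The script below is an added illustration written for this archive page; it is not Poll It's code. The ReadForm here is a stand-in modelled on the description above (every parameter becomes a package global), the query string is constructed from the URL in the post, and parse_form is an assumed hardened replacement, not the vendor's 2.01 fix.

```perl
#!/usr/bin/perl
# Added illustration, not code from Poll It: a ReadForm-style routine that
# turns every CGI parameter into a Perl global, the variable overwrite that
# follows, and the two-argument open() that turns it into command execution.
use strict;
use warnings;

# Constructed query string modelled on the URL in the post. The trailing '|'
# on poll_options is what makes a two-argument open() run a shell command.
my $query = 'admin_password=foo&entered_password=foo&action=add_option'
          . '&add_option=1&poll_options=echo+0wned>/tmp/hacked|';

# Decode one application/x-www-form-urlencoded component.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# Stand-in for the script's ReadForm (assumed shape): each parameter becomes
# $main::<name>, silently replacing whatever the script already stored there.
sub ReadForm {
    my ($qs) = @_;
    no strict 'refs';
    for my $pair (split /&/, $qs) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        my $var = url_decode($name);
        ${"main::$var"} = url_decode(defined $value ? $value : '');
    }
}

# Assumed hardened replacement: parse into a hash so request data can never
# collide with the script's own variables, whatever the call order.
sub parse_form {
    my ($qs) = @_;
    my %form;
    for my $pair (split /&/, $qs) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        $form{url_decode($name)} = url_decode(defined $value ? $value : '');
    }
    return \%form;
}

our ($admin_password, $entered_password, $action, $add_option, $poll_options);

# --- Version 2.0 ordering: script variables first, ReadForm second ---------
$admin_password = 's3cret';                    # hard-coded in the script
$poll_options   = 'pollit_files/options.txt';
ReadForm($query);                              # clobbers both of the above

print "v2.0: admin_password = $admin_password\n";   # foo
print "v2.0: poll_options = $poll_options\n";       # echo 0wned>/tmp/hacked|

if ($admin_password eq $entered_password
    && $action eq 'add_option' && defined $add_option) {
    print "v2.0: admin check passed with an attacker-chosen password\n";
    # The vulnerable call from line 94, kept as a comment (do not run it):
    #   open(COPTIONS, "$poll_options");
    # With no '<', '>' or '>>' and a trailing '|', Perl hands
    # "echo 0wned>/tmp/hacked" to the shell instead of opening a file.
    # Three-argument open with an explicit mode treats '|' as an ordinary
    # filename character, so the worst case is a failed open:
    if (open(my $fh, '<', $poll_options)) {
        close $fh;
    } else {
        print "v2.0 with 3-arg open: open failed harmlessly ($!)\n";
    }
}

# --- Hardened: request data lives in a hash, script variables untouched ----
my $form = parse_form($query);
$admin_password = 's3cret';
$poll_options   = 'pollit_files/options.txt';

my $entered = defined $form->{entered_password} ? $form->{entered_password} : '';
if ($entered eq $admin_password) {
    print "hardened: admin access granted\n";
} else {
    print "hardened: bad password, admin screen refused\n";   # this branch runs
}
# The request's admin_password=foo sits unused in $form->{admin_password},
# and $poll_options never comes from the request at all.
```

Running it shows the 2.0 ordering accepting "foo" as the admin password and leaving $poll_options pointing at a shell command, while the hash-based version refuses the same request. Moving ReadForm above every assignment (the fix the post recommends) closes the overwrite too, but only as long as nobody later adds an assignment above the call; keeping request data out of the symbol table removes that ordering dependency, and three-argument open() removes the pipe behaviour regardless of where the filename came from.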