[630] in linux-security and linux-alert archive


[linux-security] NCSA httpd cgi-bin application vulnerability.

daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Fri Mar 8 05:04:05 1996

Date: Fri, 8 Mar 1996 03:15:51 -0500
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: linux-alert@tarsier.cv.nrao.edu, linux-security@tarsier.cv.nrao.edu
CC: bugtraq@crimelab.com

If you are running NCSA's httpd WWW server (or, conceivably, someone
else's), have compiled the phf.c application found in the NCSA
distribution's cgi-src directory, and have installed it into an area
designated for cgi-bin applications, please 'chmod a-x' it immediately.

(This applies to *at least* the phf.c application as provided with NCSA
httpd versions 1.3 and 1.5a-export; I've not inspected the other
distributions yet.)
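The 'chmod a-x' step above, as an added example that is not part of the original post: a small POSIX shell audit that locates any installed copy of the phf program under the server's cgi-bin directories and strips its execute bits, so the httpd can no longer run it. The directory names passed in, and the demo copy of phf it builds in a temporary directory, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Jeff Uphoff's code): audit one or more cgi-bin
# directories (assumed paths, passed as arguments) for an installed phf
# binary and apply the advisory's remediation, 'chmod a-x'.

# find_phf DIR... : print every regular file named 'phf' under the given
# directories that still has an execute bit set for anyone.
find_phf() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name phf \
            \( -perm -u+x -o -perm -g+x -o -perm -o+x \) -print
    done
}

# disable_phf DIR... : remove all execute bits from each phf found and
# report what was changed; nothing else in the directory is touched.
disable_phf() {
    find_phf "$@" | while IFS= read -r f; do
        chmod a-x "$f" && echo "disabled: $f"
    done
}

# demo_phf_audit : stand-alone demonstration on a constructed cgi-bin
# tree in a temporary directory; prints 1 if phf was executable before
# and not after, 0 otherwise.
demo_phf_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/cgi-bin"
    printf '#!/bin/sh\necho constructed stand-in for phf\n' > "$tmp/cgi-bin/phf"
    chmod 755 "$tmp/cgi-bin/phf"
    before=0; after=0
    [ -x "$tmp/cgi-bin/phf" ] && before=1
    disable_phf "$tmp/cgi-bin" >/dev/null
    [ -x "$tmp/cgi-bin/phf" ] && after=1
    rm -rf "$tmp"
    if [ "$before" -eq 1 ] && [ "$after" -eq 0 ]; then echo 1; else echo 0; fi
}

# Usage on a real server: sh phf-audit.sh /usr/local/etc/httpd/cgi-bin
# (the path is an assumption; use the ServerRoot's cgi-bin directory).
if [ "$#" -gt 0 ]; then
    disable_phf "$@"
fi
```

Run it once with the server's actual cgi-bin directories as arguments; rerunning it should print nothing, which confirms no executable copy of phf remains. Because it matches on the file name only, a copy installed under a different name would need to be found by inspecting the directory by hand.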

Many sites (I've looked around a bit and have had a hit rate of roughly
50% so far, but maybe I'm just "lucky")--including the top-level WWW
servers for some large and/or very high-profile domains--appear to have
"blindly" installed all of the cgi-src applications provided with NCSA's
httpd.  The most notable aspect of this particular cgi-bin
vulnerability, at least to me, is not so much the vulnerability itself
(it's been seen before) but rather its quite widespread nature.

This vulnerability allows a remote client to retrieve any world-readable
file from the server system, as well as execute commands and create
files on the server with the privileges of the euid of the httpd server
process.

Depending on the server's (mis)configuration, this could conceivably be
used as an avenue through which to replace the httpd server binary
itself with a trojan--quite possibly to be run as root during the
system's next boot cycle.  It can also be used, largely independent of
the server system's configuration--and rather easily--to gain remote
interactive access to the server with the userid that the httpd server
runs under.  (I'm sure there are lots of other "nifty" possibilities,
but I first found out about this just a few waking hours ago and have so
far performed only the most basic proof-of-concept exploits.)
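Since the advisory says remote clients reach the program through the server, an administrator who has just disabled phf will also want to know whether it was already being requested. The following added example (not from the original post) filters an httpd access log in the common log format, an assumption about the server's logging, for request lines aimed at the phf CGI program; the log lines it carries are constructed for illustration, not captured traffic.

```shell
#!/bin/sh
# Added example (not Jeff Uphoff's code): list clients that requested the
# phf CGI program, reading a common-log-format access log on stdin.
# Format assumed: host ident user [date] "METHOD PATH PROTO" status bytes

# scan_phf_requests : print "client path" for each entry whose request
# path is exactly /cgi-bin/phf, with or without a query string; names that
# merely start with "phf" (e.g. phfbook) are not matched.
scan_phf_requests() {
    awk '$7 ~ /^\/cgi-bin\/phf(\?|$)/ { print $1, $7 }'
}

# sample_log : constructed log lines standing in for a real access log.
sample_log() {
    cat <<'EOF'
10.0.0.5 - - [08/Mar/1996:03:00:01 -0500] "GET /index.html HTTP/1.0" 200 512
10.0.0.9 - - [08/Mar/1996:03:00:07 -0500] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 200 330
10.0.0.9 - - [08/Mar/1996:03:00:09 -0500] "GET /cgi-bin/phfbook HTTP/1.0" 404 100
EOF
}

# Usage on a real server: scan_phf_requests < /usr/local/etc/httpd/logs/access_log
# (log path is an assumption). With no arguments this runs on the sample.
if [ "$#" -eq 0 ]; then
    sample_log | scan_phf_requests
else
    cat "$@" | scan_phf_requests
fi
```

A non-empty result means the program was reachable and requested before it was disabled, and the matching clients and times are the starting point for reviewing what the httpd user may have read or changed on the host.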

More details (full disclosure, etc.) to follow on the linux-security
list and on Bugtraq....

--Up.

P.S. I'll bet everyone just can't wait for Java!

-- 
Jeff Uphoff - systems/network admin.  |  juphoff@nrao.edu
National Radio Astronomy Observatory  |  juphoff@bofh.org.uk
Charlottesville, VA, USA              |  jeff.uphoff@linux.org
    PGP key available at: http://www.cv.nrao.edu/~juphoff/
