[11897] in bugtraq
Re: CGI security
daemon@ATHENA.MIT.EDU (Vladimir Dubrovin)
Tue Sep 14 19:40:21 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <3524.990914@sandy.ru>
Date: Tue, 14 Sep 1999 12:34:56 +0400
Reply-To: Vladimir Dubrovin <vlad@sandy.ru>
From: Vladimir Dubrovin <vlad@SANDY.RU>
X-To: Ivo van der Wijk <ivo@KOPJE.KOFFIE.NU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19990913104942.J22166@kopje.koffie.nu>
Hello Ivo van der Wijk,
13.09.99 12:49, you wrote: CGI security;
I> On Sun, Sep 12, 1999 at 09:57:35AM -0500, Kerb wrote:
>> I just read most of the Phrack article about CGI security, and it made me
>> wonder about another possible exploit.
>> You'll have to correct me if I am wrong, as I am not real familiar with C, but
>> would it be possible to throw an EOF
>> character into a string? Maybe a query string? Now that doesnt sound all that
>> great as is, but if you think about it,
>> URL's are logged into the web logs, and a lot of administrators either have a
>> program or just grep the access_log for
>> attempts to exploit CGI vulnerabilities (scanners, etc). Now this is where it
>> gets good. Would it be possible to
>> tack an EOF file into a query string on a normal request, even for a static
>> page (/index.html?EOF), then follow up
>> with an exploit? That way, if it works as I think it might, then when the log
>> file is checked, it finds that EOF character
>> and stops there, thinking it is the end of the file. That would effectively
>> cover your tracks. As a CGI programmer,
>> I'd appreciate any feedback.
>>
I> EOF characters don't exist (at least not on Un*x) - a file ends when all of its
Only if program has an error, something like
char c;
...
while( ( c = getchar() ) != EOF )
...
in this case uchar 255 will as EOF. Sometimes novices make errors
like this.
I> bytes have been read.
But there is EOL character ('\0'.). If you will use something like
"/index.html?%00xxxxxxxxxxxxxxxxx" xxxxxxxxxxxxxxxxx propably will not
appear in any logs at all.
This can be used to hide some attacks - then GET method is used null
characters are passed to stdin. In this case all arguments with null
characters will be correctly processed unless program doesn't uses
str*() routins to process arguments.
I can imagine few situation where this can cause new buffer overflows
(for example script uses strlen() to allocate memory space for
argument, but uses memcpy() with len counted from stdin to copy
argument itself) but i don't think you can meet it in real life.
+=-=-=-=-=-=-=-=-=+
|Vladimir Dubrovin|
=+=-=-=-=-=-=-=-=-=+=-=
