[14298] in bugtraq
abuse.man (webmanager kit)
daemon@ATHENA.MIT.EDU (Guido Bakker)
Thu Mar 16 19:53:12 2000
Message-Id:  <00031509280500.08741@guidob>
Date:         Wed, 15 Mar 2000 09:26:15 +0100
Reply-To: Guido Bakker <guidob@MAINNET.NL>
From: Guido Bakker <guidob@MAINNET.NL>
X-To:         BugTraq <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Vulnerable CGI : abuse.man (webmanager kit)
Platform       : UNIX/Linux
Impact         : Users can execute arbitrary commands on the server, leading to root compromise.
Found by       : dethy (deth@synnergy.net)
Sample Exploit : dvorak (dvorak@synnergy.net)
Date           : 09 February 2000
What is abuse.man?
__________________
Perl-CGI script to direct the client to the specified homepage,
allowing vhosts to be administrated with ease through the use
of this webmanager kit.
Vulnerability:
______________
A serious security problem was discovered on the manufacturer's
webserver that allowed remote and local users to execute arbitrary
commands on the webserver as the uid of the httpd. Thus, with
a carefully constructed URL, an attacker could potentially exploit
this CGI, leading to a root compromise.
Exploit:
________
abuse.man used the following absolute path as the URL to bring
up the base page:
http://server.com/file=/disk1/e/domain/public_html/index.html&domain=hostname.com&script=/index.html
As we can see, $file shows the actual server side directory that
the cgi and index page resides in. The $domain has been modified
for security purposes, but this variable displays the vhost name.
The $script variable opens the default home page html file.
Hence, by modifying the $file variable we could then be allowed
to view or execute commands as the httpd.
Eg: file=/disk1/e/domain/public_html/../../../../../../etc/hosts&
Now, by a carefully constructed URL, we are able to pipe arbitrary
commands to the server, since this CGI is Perl based:
Eg: file=/disk1/e/domain/public_html/../../../../../../bin/ls+/|&
The contents of the root directory were thus displayed.
Solution:
_________
An email was sent to the manufacturer's website regarding this bug
in detail, with information on how to fix the problem.
By patching the abuse.man CGI, the webmaster could verify all user
input and use relative links rather than absolute paths to avoid this
potential exploitation.
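The fix the advisory recommends (validate the input, never let the client hand the script an absolute path) can be made concrete. The following is an added example written for this archive entry; it is not code from the advisory or from the webmanager kit, and it is in Python rather than the kit's Perl so the logic can be read without Perl's open() semantics in the way (in Perl, the classic cause of "pipe a command via a filename" is the two-argument open(), which treats a trailing "|" as a command to run). The vhost table VHOSTS, the function names resolve_page and serve_path, and the sample requests are all constructed for the example; the one document root in the table is the path shown in the advisory's sample URL. The design point is that the server maps the domain parameter to a document root it controls, accepts only a whitelisted relative page name, and then checks the normalised result still lies below that root.

```python
import os
import re

# Constructed vhost table for this example: the server, not the client,
# decides which document root a hostname maps to. The one path below is the
# document root shown in the advisory's sample URL.
VHOSTS = {
    "hostname.com": "/disk1/e/domain/public_html",
}

# Whitelist for the page name: letters, digits, "_", ".", "-" and "/" only.
# Shell metacharacters such as "|", "+", ";", spaces and NUL never match.
SAFE_SCRIPT = re.compile(r"^/?[A-Za-z0-9_.\-/]+$")


def resolve_page(doc_root, script):
    """Return the absolute path of `script` inside `doc_root`.

    Raises ValueError when the name is not on the whitelist, contains a ".."
    segment, or normalises to a location outside the document root.
    """
    if not SAFE_SCRIPT.match(script):
        raise ValueError("script name contains disallowed characters")
    if ".." in script.split("/"):
        raise ValueError("script name contains a parent-directory segment")

    candidate = os.path.normpath(os.path.join(doc_root, script.lstrip("/")))

    # Second, independent check: after normalisation the result must still be
    # strictly below the document root (normpath alone would happily return
    # /etc/hosts for a traversal string that slipped past the first checks).
    if candidate == doc_root or os.path.commonpath([doc_root, candidate]) != doc_root:
        raise ValueError("resolved path escapes the document root")
    return candidate


def serve_path(domain, script, vhosts=VHOSTS):
    """Map a (domain, script) request to a file path, or None if rejected.

    The client never supplies an absolute path: the document root comes from
    the server-side vhost table, and `script` is only ever a relative name.
    """
    doc_root = vhosts.get(domain)
    if doc_root is None:
        return None
    try:
        return resolve_page(doc_root, script)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample requests: the advisory's legitimate index page, the
    # two traversal strings it shows, and an unknown vhost.
    for domain, script in [
        ("hostname.com", "/index.html"),
        ("hostname.com", "../../../../../../etc/hosts"),
        ("hostname.com", "../../../../../../bin/ls+/|"),
        ("other.example", "/index.html"),
    ]:
        print(domain, script, "->", serve_path(domain, script))
```

Both traversal strings from the advisory are rejected twice over: the "+" and "|" fail the character whitelist, and the ".." segments fail both the segment check and the document-root containment check. One caveat for deployment: os.path.normpath works on the string only, so if the document root contains symlinks pointing outside it, run os.path.realpath on both the root and the candidate before the containment check, which this offline example avoids so that it runs without the paths existing.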