[3784] in bugtraq
Security Advisory: HTTP/CGI Script Exploit
daemon@ATHENA.MIT.EDU (Josh Richards)
Thu Dec 12 01:22:43 1996
Date: Wed, 11 Dec 1996 18:22:25 -0800
Reply-To: Josh Richards <jrichard@fix.net>
From: Josh Richards <jrichard@fix.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
-----BEGIN PGP SIGNED MESSAGE-----
================================================================================
The DataHaven Project
____ SECURITY ADVISORY ____
<jrichard@fix.net>
10 December 1996
Revised: 11 December 1996
================================================================================
Program(s): nph-test-cgi (a commonly installed sample CGI script)
Problems: Anyone can remotely view your filesystems via the web.
Extent/Severity: Majority of UNIX based Internet World Wide Web servers
come with this CGI script installed by default and are
currently exploitable.
Date: 10 December 1996
Author: jrichard@fix.net (Josh Richards)
Description:
A security hole exists in the nph-test-cgi script included in most UNIX
based World Wide Web daemon distributions. The nph-* scripts exist to
allow 'non-parsed headers' to be sent via the HTTP protocol (this is not
the cause of this security problem, though). The problem is that
nph-test-cgi, which prints out information on the current web environment
(just like 'test-cgi' does), does not enclose the arguments to the 'echo'
command in quotes. Shell escapes are not possible (or at least I have not
found them to be--yet), but shell *expansion* is. This means that _any_
remote user can easily browse your filesystem via the WWW.
This is a bug in the nph-test-cgi script and _not_ in the server itself.
Versions: (These versions include the problem script in the distribution)
[PLEASE NOTE: These are only the ones that I have access to and could test
out and verify.--JR]
NCSA HTTP 1.3, 1.4, 1.4.1, 1.4.2, 1.5.1, 1.5.2, 1.5.2a
Apache HTTP 0.8.11, 0.8.14, 1.0.0, 1.0.2, 1.0.3, 1.0.5, 1.1.0
Please note that the latest versions 1.1.1 and 1.2b2 or higher do
*not* include the script as part of the distribution but if you
upgrade from an earlier version (or NCSA HTTP) then the script _may_
still be installed on your server from a previous distribution.
Apache-SSL HTTP 1.0.5
1.1.1 (see Apache notes above)
StrongHold 1.3.2 (basically Apache 1.1.1 + SSL extensions)
Netscape
Communications 1.1, 1.12
Enterprise 2.0a
Commerce 1.12
BESTWWWD 1.0
Microsoft
[Status is unknown--I have no servers to test this on.--JR]
Exploit:
Enter the URL: <http://yourwebserver.com/cgi-bin/nph-test-cgi?*>
Replace <yourwebserver.com> with the hostname of a server running a web
daemon near you.
[Please note that the asterisk ('*') on the end of the URL is very
important.]
Now look very closely at the line beginning with "QUERY_STRING".
Does it look familiar to you? It should (if it doesn't you should really
spend a little more time looking at what is installed on your system).
Similar URLs such as <http://yourwebserver.com/cgi-bin/nph-test-cgi?/*>
will allow users to traverse the filesystem and view the contents of
other directories on your server.
History:
A similar bug was reported in a L0pht advisory (from mudge@l0pht.com) in
April 1996 with another (very similar) CGI script ('test-cgi'), and it was
subsequently fixed by most of the major distributions. See
<URL:http://www.l0pht.com/advisories/test-cgi-vulnerability> for more
information.
Fix:
Type 'chmod 700 nph-test-cgi' at your nearest shell prompt (as superuser).
:-)
If it is necessary to have the script accessible (I don't know why it
would be though) then a quick fix is to put quotes around all parameters
to 'echo':
echo QUERY_STRING = $QUERY_STRING
This would become
echo "QUERY_STRING = $QUERY_STRING"
A longer term fix is to disable shell 'globbing' completely. This can be
accomplished by invoking the shell with the '-f' flag (or running 'set -f'
within the script) if you are using a Bourne-derived shell.
Prevention:
Apply the above suggested fixes. Watch your server's access_log for any
accesses to "/cgi-bin/nph-test-cgi" by doing a grep for "nph-test-cgi".
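As an added illustration (not part of the advisory or of any server's shipped nph-test-cgi), the following POSIX shell script reproduces the unquoted-'echo' defect in a scratch directory, shows both of the fixes suggested above side by side, and runs the access_log check from the Prevention section. The scratch directory, the function names and the sample log lines are all constructed for this example.

```shell
#!/bin/sh
# Added example: the nph-test-cgi globbing defect and its fixes.

# Build a constructed scratch directory standing in for a cgi-bin tree.
setup_scratch() {
    dir=$(mktemp -d)
    touch "$dir/nph-test-cgi" "$dir/test-cgi" "$dir/secret.conf"
    echo "$dir"
}

# Vulnerable form: $QUERY_STRING is unquoted, so the shell performs
# pathname expansion on it and a query of '*' is replaced by the
# listing of the current directory.
vulnerable_echo() {
    QUERY_STRING=$1
    echo QUERY_STRING = $QUERY_STRING
}

# First fix: quoting the argument makes echo print the value verbatim.
quoted_echo() {
    QUERY_STRING=$1
    echo "QUERY_STRING = $QUERY_STRING"
}

# Second fix: 'set -f' disables globbing for the whole script, so even
# an echo that was left unquoted can no longer expand '*'. The subshell
# keeps the option from leaking into the caller.
noglob_echo() (
    set -f
    QUERY_STRING=$1
    echo QUERY_STRING = $QUERY_STRING
)

# Constructed access_log lines for the detection check (Common Log Format).
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [11/Dec/1996:18:22:25 -0800] "GET /index.html HTTP/1.0" 200 1234
10.0.0.9 - - [11/Dec/1996:18:30:01 -0800] "GET /cgi-bin/nph-test-cgi?* HTTP/1.0" 200 512
10.0.0.9 - - [11/Dec/1996:18:30:07 -0800] "GET /cgi-bin/nph-test-cgi?/* HTTP/1.0" 200 640
EOF
}

# Detection: count log lines that touch nph-test-cgi, as the advisory advises.
count_probes() {
    grep -c 'nph-test-cgi' "$1"
}
```

Run the functions from inside the scratch directory to see the unquoted form leak the file names while both fixed forms print the literal asterisk.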
Notes:
There are _many_ CGI scripts written (I am guilty of writing them myself)
that do not check their input environment/variables enough. Please check
your quickly-hacked-together-just-to-get-the-job-done shell scripts
carefully. UNIX can be powerful--too powerful for its (our?) own good
sometimes.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
| Josh Richards -- Network Admin/Tech Support @ ***The FIX Network*** |
| <jrichard@FIX.Net> <jrichard@Freedom.Gen.Ca.Us> <jrichard@Slonet.Org> |
| <http://www.freedom.gen.ca.us/jrichard/> Finger for my PGP Key |
| - '"Anonymity is bad," says a source who wishes to remain anonymous.' - |