[29854] in bugtraq
RE: Format strings vuln in CGIwrap
daemon@ATHENA.MIT.EDU (Neulinger, Nathan)
Wed Apr 23 13:10:59 2003
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Date: Wed, 23 Apr 2003 11:59:15 -0500
Message-ID: <B578DAA4FD40684793C953B491D4879174D279@umr-mail7.umr.edu>
From: "Neulinger, Nathan" <nneul@umr.edu>
To: "b0f www.b0f.net" <b0fnet@yahoo.com>, <bugtraq@securityfocus.com>
Content-Transfer-Encoding: 8bit
This is not a security problem. This is a case of using an automated
tool to find these vulnerabilites and not attempting to understand the
code itself.
Nowhere in the code is MSG_Error_General() passed anything other than a
static compiled-into-the-executable string. It's purely a utility
function to wrap common error text/footer/etc. around a generic string.
-- Nathan
------------------------------------------------------------
Nathan Neulinger EMail: nneul@umr.edu
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216
> -----Original Message-----
> From: security-bounces+nneul=umr.edu@lists.umr.edu
> [mailto:security-bounces+nneul=umr.edu@lists.umr.edu] On
> Behalf Of b0f www.b0f.net
> Sent: Wednesday, April 23, 2003 11:06 AM
> To: bugtraq@securityfocus.com
> Subject: Format strings vuln in CGIwrap
>
>
>
>
> A locally and possibly remotely exploitable format
> strings bug exists
> in cgiwrap available from
> http://cgiwrap.sourceforge.net/
> http://sourceforge.net/projects/cgiwrap
> http://www.freebsd.org/ports/security.html
>
> I. BACKGROUND
>
> This is CGIWrap - a gateway that allows more secure
> user access to
> CGI programs on an HTTPd server than is provided by the
> http server
> itself. The primary function of CGIWrap is to make
> certain that
> any CGI script runs with the permissions of the user
> who installed
> it, and not those of the server.
>
> CGIWrap works with NCSA httpd, Apache, CERN httpd,
> NetSite Commerce
> and Communications servers, and probably any other Unix
> based web
> server software that supports CGI.
>
> II. DESCRIPTION
>
> On line 91 of msgs.c the printf() function is used
> incorrectly. Which
> results
> in a format strings vulnerability.
> <snip>
> void MSG_Error_General(char *message)
> {
> MSG_Header("CGIWrap Error", message);
> printf(message);
> MSG_Footer();
> exit(1);
> }
> </snip>
>
> The binaries in cgiwrap, (cgiwrap and nph-cgiwrap) are
> installed setuid
> root.
> Thus could make this format problem exploitable locally
> to gain root
> privs or
> possably remotely to gain root or the privs of the user
> who owns the cgi
> script.
>
> III. ANALYSIS
> An attacker could exploit this issue to escalate privs
> locally or
> remotely on
> a server running cgiwrap.
>
> IV. DETECTION
>
> This is vulnerable in the latest version of cgiwrap
> version 3.7.1 and
> properly
> older versions(not checked). It would be exploitable on
> any Linux/Unix
> based OS
> running cgiwrap
>
> V. VENDOR
> The vendor has not been contacted about this issue.
>
> Regards
> b0f (Alan M)
> www.b0f.net
> _______________________________________________
> UMR Security List Exploder
> security@lists.umr.edu
> https://lists.umr.edu/mailman/listinfo/security
>
