IRIX handler cgi hole

Summary
Description:another prog that uses a perl open() with untrusted filenames, allowing the pipe symbol to be used to create a pipe instead. I think this is a serious problem with perl which should be fixed (perl is supposed to make programming securely EASIER than C does.)
Author:Razvan Dragomirescu <drazvan@kappa.ro>
Compromise:Run arbitrary commands as the owner of the httpd process
Vulnerable Systems:IRIX 6.2, the later versions try to fix this, but without success (see the other handler entry). It also works on 5.3
Date:15 June 1997
Details


Date: Sun, 15 Jun 1997 00:49:50 +0300
From: Razvan Dragomirescu <drazvan@kappa.ro>
To: BUGTRAQ@NETSPACE.ORG
Subject: Bug in SGI's /cgi-bin/handler

Hi,

A few weeks ago Yuri posted a message on a security bug in "wrap", a
cgi-bin found on most unprotected IRIX systems. As I explored it, I found
that /cgi-bin/handler is exploitable too.
It is a small perl program that allows (in theory) to read and download
files under the system's root directory.
In fact it allows you to execute any command remotely on the target
machine.
Here's how it works.
"handler" reads PATH_INFO from the environment and then concatenates it
with a default "root directory" (let's say /var/www/htdocs). It then runs
a "validity check" on the result. But it only checks for ".." not for
other potential offensive special chars.
It then uses "open (INPUT, $doc)" where $doc is the result of the
concatenation.
If you're familiar with PERL you know that if a '|' character follows the
filename, perl will treat that filename as a command. It runs it and gives
you STDOUT.
The way to exploit this "feature" for cgi-bin/handler is:

telnet target.machine.com 80
GET /cgi-bin/handler/useless_shit;cat   /etc/passwd|?data=Download
HTTP/1.0

Note that you have to use a TAB character after cat, not a space because
the shell will accept it as a separator and it won't confuse the HTTP
server. You can't use the %xx format (%20) because the script doesn't do
any parsing (So you will not be able to give command that contain spaces).

Of course, you can use any other command instead of "cat" but remember NOT
to use spaces, just tabs.

The server will display an error saying that it couldn't open
"useless_shit" but it will continue anyway and execute your command.

I tested it on two Indy machines with IRIX 6.2. I would appreciate any
feedback from you.

And also, I think this kind of approach makes cgi-bin's written in perl
more vulnerable. That is any script that does not strip special
characters (not only dots, but also | and ; ) and uses "open" commands on
files read from user input can be attacked. Most of the cgi-bin's I've
seen do only a rudimentary check for "double-dots" and then declare the
URL "sane".
If you find any other programs vulnerable to this kind of attack please
contact me (or even better, post them on BUGTRAQ).

Be good.
Razvan

-------------------------------------------------------------------------------
Razvan Dragomirescu
Organization: KappaNet & Government of Romania - Public Information Dept.
E-Mail: drazvan@kappa.ro, drazvan@romania.ro
Alternate E-mail: drazvan@iname.com, drazvan@guv.ro, drazvan@pub.ro, drazvan@lbi.ro
Phone: +40-1-6866621
NIC-HANDLE: RD1604
RIPE-HANDLE: RD38-RIPE

"Smile, tomorrow will be worse" (Murphy)
-------------------------------------------------------------------------------

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault