
Default Windows Apache server gives local command exec via .bat file
22nd Mar 2002 [SBWID-5202]



	Tested on:

	  - Apache 1.3.23
	  - Apache 2.0.28-BETA (by default includes the /cgi-bin/test-cgi.bat
	    file, which enables this attack)



	From the advisory by Ory Segal, Sanctum Inc. [http://www.sanctuminc.com]:

	When a request for a DOS batch file (.bat or .cmd) is sent to an Apache
	web server, the server will spawn a shell interpreter (cmd.exe by
	default) and will run the script with the parameters sent to it by the
	user. Because no proper validation is done on the input, it is possible
	to send a pipe character ('|') with commands appended to it as
	parameters to the CGI script, and the shell interpreter will execute

	The Apache 2.0.x installation is shipped with the default script
	/cgi-bin/test-cgi.bat which can be exploited, but it should be noted
	that ANY '.bat' or '.cmd' script will allow exploitation of this

	Example:

	1) http://TARGET/cgi-bin/test-cgi.bat?|copy+..\conf\httpd.conf+..\htdocs\httpd.conf

	This request will copy the httpd.conf file residing in the /conf
	directory of the Apache installation into the virtual web root, where
	it can be viewed by any user.

	2) http://TARGET/cgi-bin/test-cgi.bat?|echo+Foobar+>>+..\htdocs\index.html

	This will append the string "Foobar" to the index.html file residing
	in the virtual web root directory.

	3) http://TARGET/cgi-bin/test-cgi.bat?|dir+c:+>..\htdocs\dir.txt

	This will create a file containing the directory listing of the C:
	drive, and will put the file in the virtual web root, where any user
	can read it.


	** Notes:

	1) URL-decoding is not provided by Apache except for the '+'
	character, which is substituted by a space character.

	2) Spilling the output into the STDOUT would most likely cause Apache
	to write an error message since it expects the STDOUT of a CGI script
	to have an HTTP response format (potential HTTP headers followed by a
	mandatory blank line followed by a response body). Therefore in order
	to view the result of a command, it is recommended that you redirect
	the output to a file under the web server's virtual root.
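The following is an added example, not part of the advisory or of Apache itself: a small log scanner that applies the two notes above for detection. It parses Apache Common Log Format access-log lines, flags requests whose script path ends in .bat or .cmd and whose query string carries a pipe character (after the '+' to space substitution that note 1 describes, plus percent-decoding so an encoded pipe is not missed), and marks requests that redirect output into the web root, which note 2 says an attacker needs in order to read a command's result. The sample log lines, hosts, timestamps and the /scripts/report.cmd path are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache Common Log Format lines for the example. The first two
# requests reproduce the shapes shown in the advisory; hosts, times and the
# /scripts/report.cmd path are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Mar/2002:10:01:02 +0000] "GET /cgi-bin/test-cgi.bat?|copy+..\\conf\\httpd.conf+..\\htdocs\\httpd.conf HTTP/1.0" 200 12
10.0.0.5 - - [22/Mar/2002:10:01:09 +0000] "GET /cgi-bin/test-cgi.bat?|dir+c:+>..\\htdocs\\dir.txt HTTP/1.0" 200 12
10.0.0.7 - - [22/Mar/2002:10:02:30 +0000] "GET /cgi-bin/test-cgi.bat?hello+world HTTP/1.0" 200 340
10.0.0.9 - - [22/Mar/2002:10:03:11 +0000] "GET /scripts/report.cmd?%7Cecho+x+>..\\htdocs\\x.txt HTTP/1.0" 200 12
10.0.0.9 - - [22/Mar/2002:10:04:00 +0000] "GET /index.html HTTP/1.0" 200 1024
"""

# Common Log Format: host ident user [time] "method target proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+$'
)

# The advisory states that ANY .bat or .cmd script is affected, not only
# the shipped test-cgi.bat, so match on the extension rather than the name.
BATCH_EXTENSIONS = (".bat", ".cmd")


def parse_clf(line):
    """Return the CLF fields of one access-log line, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_query(query):
    """Reproduce what the batch file receives: '+' becomes a space (note 1).
    Percent-decoding is applied on top so an encoded pipe (%7C) is still
    caught; that is a conservative detection choice, not Apache behaviour."""
    return unquote(query.replace("+", " "))


def analyse_request(target):
    """Return a finding dict if the request target is a .bat/.cmd script with a
    pipe in its query string, else None."""
    path, _, query = target.partition("?")
    if not path.lower().endswith(BATCH_EXTENSIONS):
        return None
    args = decode_query(query)
    if "|" not in args:
        return None
    injected = args.split("|", 1)[1].strip()
    return {
        "path": path,
        "command": injected,
        # Note 2: results are normally redirected into the web root so they
        # can be fetched afterwards; flag that pattern for follow-up.
        "writes_file": ">" in injected or injected.lower().startswith("copy "),
    }


def scan_log(text):
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        finding = analyse_request(rec["target"])
        if finding:
            finding.update(host=rec["host"], time=rec["time"], status=rec["status"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['path']} -> {f['command']!r}"
              f" (writes file: {f['writes_file']})")
```

Run against a real access log, the scanner will also surface benign requests to batch CGIs that happen to contain a pipe; treat a flagged entry whose command redirects into the document root, followed by a fetch of that file, as the strongest signal.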


	Upgrade your Apache web server to: 1.3.24 (which should be available
	later today), or 2.0.34-beta (which will be published soon).

	Downloads are located at:


