22nd Mar 2002 [SBWID-5202]
COMMAND
Default Windows Apache server gives local command exec via .bat file
SYSTEMS AFFECTED
Tested on:
- Apache 1.3.23
- Apache 2.0.28-BETA (by default includes the /cgi-bin/test-cgi.bat file, which enables this attack)
PROBLEM
From the Ory Segal, Sanctum Inc. [http://www.sanctuminc.com] advisory:
When a request for a DOS batch file (.bat or .cmd) is sent to an Apache
web server, the server will spawn a shell interpreter (cmd.exe by
default) and will run the script with the parameters sent to it by the
user. Because no proper validation is done on the input, it is possible
to send a pipe character ('|') with commands appended to it as
parameters to the CGI script, and the shell interpreter will execute
them.
The Apache 2.0.x installation is shipped with the default script
/cgi-bin/test-cgi.bat which can be exploited, but it should be noted
that ANY '.bat' or '.cmd' script will allow exploitation of this
vulnerability.
Example:
========
1) http://TARGET/cgi-bin/test-cgi.bat?|copy+..\conf\httpd.conf+..\htdocs\httpd.conf
This request will copy the httpd.conf file residing in the /conf
directory of the Apache installation, into the virtual web root where
it can be viewed by any user.
2) http://TARGET/cgi-bin/test-cgi.bat?|echo+Foobar+>>+..\htdocs\index.html
This will append the string "Foobar" to the index.html file residing
in the virtual web root directory.
3) http://TARGET/cgi-bin/test-cgi.bat?|dir+c:+>..\htdocs\dir.txt
This will create a file containing the directory listing of the C:
drive, and will put the file in the virtual web root, where any user
can read it.
** Notes:
1) URL decoding is not provided by Apache except for the '+'
character, which is substituted by a space character.
2) Spilling the output into the STDOUT would most likely cause Apache
to write an error message since it expects the STDOUT of a CGI script
to have an HTTP response format (potential HTTP headers followed by a
mandatory blank line followed by a response body). Therefore in order
to view the result of a command, it is recommended that you redirect
the output to a file under the web server's virtual root.
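An added log-scanning check for the request pattern described above (example code, not from the advisory or from Sanctum): it parses Apache Common Log Format lines and flags requests to a .bat/.cmd CGI whose query string carries a literal pipe. The log lines are constructed samples, and the LOG_RE field layout is assumed to be the default CLF.

```python
"""Flag .bat/.cmd CGI requests carrying a pipe in the query string.
Added detection example; the log lines below are constructed samples."""
import re
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+')


def is_bat_pipe_injection(target: str) -> bool:
    """True if the request targets a .bat/.cmd CGI and the query string
    carries a literal pipe, the shape of the three example requests above."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if not (path.endswith(".bat") or path.endswith(".cmd")):
        return False
    # The advisory notes Apache passes the query through without URL decoding
    # (only '+' becomes a space), so the trigger is a raw '|' in the query.
    return "|" in parts.query


def find_suspicious(lines):
    """Return (host, target, status) for every matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in CLF shape
        if is_bat_pipe_injection(m.group("target")):
            hits.append((m.group("host"), m.group("target"), m.group("status")))
    return hits


SAMPLE_LOG = [  # constructed sample lines; hosts and times are made up
    '10.0.0.5 - - [22/Mar/2002:10:01:02 +0000] "GET /cgi-bin/test-cgi.bat?|dir+c:+>..\\htdocs\\dir.txt HTTP/1.0" 500 321',
    '10.0.0.6 - - [22/Mar/2002:10:01:10 +0000] "GET /cgi-bin/test-cgi.bat?name=alice HTTP/1.0" 200 512',
    '10.0.0.7 - - [22/Mar/2002:10:02:00 +0000] "GET /index.html?x=a|b HTTP/1.0" 200 1024',
    '10.0.0.8 - - [22/Mar/2002:10:02:30 +0000] "GET /cgi-bin/Run.CMD?|echo+Foobar+>>+..\\htdocs\\index.html HTTP/1.1" 500 321',
]

if __name__ == "__main__":
    for host, target, status in find_suspicious(SAMPLE_LOG):
        print(f"{host} {status} {target}")
```

The third sample shows why the path check matters: a pipe in the query of a non-CGI request is noise, not this bug.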
SOLUTION
Upgrade your Apache web server to: 1.3.24 (which should be available
later today), or 2.0.34-beta (which will be published soon).
Downloads are located at:
http://www.apache.org/dist/httpd/