Ä ALT.2600.MODERATED (1:340/26) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ALT.2600.MODERATED Ä
Msg : 35 of 55
From : Jack Burroughs 1:340/13 21 Mar 96 14:07:32
To : All 22 Mar 96 10:13:28
Subj : CIAC Bulletin G-17: Vulnerabilities in Sample HTTPD CGIs
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
.RFC-Path:
news.spydernet.com!nntp.pinc.com!news.bctel.net!imci2!news.internetMCI.com!newsf
eed.internetmci.com!howland.reston.ans.net!ix.netcom.com!ix-dc7-13
From: got@popd.ix.netcom.com (Jack Burroughs)
.RFC-Approved: GOT
.RFC-Message-ID: <4itts0$dfp@cloner2.ix.netcom.com>
.RFC-NNTP-Posting-Host: ix-dc7-13.ix.netcom.com
.RFC-X-NETCOM-Date: Fri Mar 22 2:02:40 AM PST 1996
.RFC-X-Newsreader: News Xpress Version 1.0 Beta #4
---BEGIN PGP SIGNED MESSAGE-----
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Vulnerabilities in Sample HTTPD CGIs
March 12, 1996 21:00 GMT Number G-17
______________________________________________________________________________
PROBLEM: C-language based Common Gateway Interface (CGI) programs
that call a shell to execute other programs.
PLATFORM: Any CGI program built using the sample code distributed with
NCSA HTTPD Version 1.5A-Export and earlier or Apache HTTPD
version 1.0.3 and earlier that allows input from user and
passes that input as arguments to a shell command.
DAMAGE: Unauthorized access to the server host may allow an intruder
to read, modify, or destroy files.
SOLUTION: Check for vulnerability and install the proper patch.
______________________________________________________________________________
VULNERABILITY Knowledge of how to exploit this vulnerability is becoming
ASSESSMENT: widely known. This is not an HTTPD server program
vulnerability.
______________________________________________________________________________
CIAC has obtained information from IBM-ERS pertaining to vulnerabilities
with software distributed with NCSA HTTPD and Apache HTTPD. CIAC recommends
that you install the proper patch and/or follow the solutions describe below.
[ Start of IBM Bulletin ]
======= ============ ====== ======
======= ============== ======= =======
=== === ==== ====== ======
=== =========== ======= =======
=== =========== === ======= ===
=== === ==== === ===== ===
======= ============== ===== === =====
======= ============ ===== = =====
EMERGENCY RESPONSE SERVICE
SECURITY VULNERABILITY ALERT
26 February 1996 14:00 GMT Number: ERS-SVA-E01-1996:002.1
===============================================================================
VULNERABILITY SUMMARY
VULNERABILITY: Some C-language based Common Gateway Interface programs that
call a shell to execute other programs can be tricked into
executing any arbitrary command.
PLATFORMS: Any CGI program built using the sample code distributed with
NCSA HTTPD Version 1.5A-Export and earlier or Apache HTTPD
Version 1.0.3 and earlier that accepts input from the user
and passes that input as arguments to a shell command.
SOLUTION: If using the sample code, apply the patch described below.
If using other code, check for the vulnerability as
described in the following text.
THREAT: Many World Wide Web sites have been built using the programs
in question. Therefore, the potential security exposure may
be widespread.
===============================================================================
NOTE
The vulnerability described in this alert is contained in ancillary, example
software distributed with NCSA HTTPD and Apache HTTPD.
THIS IS NOT AN HTTPD SERVER PROGRAM VULNERABILITY.
Commercial HTTPD server products developed and sold by IBM do not include
this sample code on their distribution media. Commercial HTTPD server
products developed by Netscape Communications Corporation and sold by
Netscape and IBM do not include this sample code on their distribution media.
If you have purchased one of these products and have not installed any
programs other than those on the distribution media, you are not vulnerable
to this problem. Note, however, that if you previously had NCSA HTTPD or
Apache HTTPD installed, you may have remnants of the installation left over
which may be vulnerable.
If you have purchased another commercial HTTPD server product, you may wish
to contact your vendor to see if any action is necessary.
===============================================================================
DETAILED INFORMATION
I. Description
A. Background Information
The Common Gateway Interface (CGI) specifies a protocol by which a World
Wide Web server can interface with external programs run on the server
host. These external programs perform tasks on behalf of the user such
as sending mail, accessing databases, and so forth. Many of these
programs accept input from the user via an interactive form containing
dialog boxes, menus, buttons, etc. Upon completion of the task, the
programs may return the results of the operation to the user, usually in
the form of a Hypertext Markup Language (HTML) document. Programs which
implement the Common Gateway Interface are usually called "CGI scripts,"
although they are also referred to as "CGI-BIN programs," after the name
of the directory in which they are commonly stored on UNIX systems.
CGI programs, because they often accept input from the user and then
pass that input to other programs as command-line arguments, must be
written with great care. Because the languages used to implement these
programs (Perl, Bourne shell, Korn shell, C shell, etc.) attribute
special meaning to a large variety of characters ('>', ';', '&', '$',
etc.), the program must check its input and remove these characters
before passing them on to other commands. If this is not done, or is
done incorrectly, an attacker can provide "bogus" input to these
programs that causes them to behave in unexpected ways, often resulting
in allowing the attacker to gain unauthorized access to the server
host, or to execute unauthorized commands on the host.
Because these problems are so difficult to avoid when using these
powerful scripting languages, many experts now recommend that CGI
programs be written in the C programming language instead. Because C
does not attempt to evaluate character strings, a program written in C
is less vulnerable to this type of attack. However, if a CGI program
written in C uses the input it receives to execute another command
using the system() or popen() library functions, the benefits of using
C are negated, and the program must once again carefully check its
inputs before passing them as command line arguments to other programs.
B. Vulnerability Details
NCSA HTTPD and Apache HTTPD, two of the most popular freely-available
World Wide Web server implementations, come with several CGI programs
that are compiled by the default build procedure. These programs,
because they are meant to serve as examples, are frequently installed
at a site even if they are not being used. Furthermore, because the
source code for these programs is meant to be an example of how to
implement CGI programs, it is frequently copied into other CGI programs
programs as well.
One of the utility functions offered by the CGI example source code is
called escape_shell_cmd(). It is intended to help programmers avoid the
vulnerability described above. This function, when given an input
string received from the user, scans the string for characters that have
special meaning to the UNIX shell, and inserts escapes in front of these
characters to remove their special meaning. However, the list of
special characters used by escape_shell_cmd():
&;`'"|*?~<>^()[]{}$\
is incomplete: it is missing the newline ('\n', octal 012, hex 0x0a)
character.
The CGI example source code also includes a program called "phf," which
implements a form-based interface to a local CCSO Name Server. (The
CCSO Name Server is a white pages service used for looking up name and
address information about people.) The "phf" demonstration program
uses the escape_shell_cmd() function to check its inputs, and is thus
vulnerable to attack as described above.
Any World Wide Web server host that has been configured to allow access
to and execution of Common Gateway Interface programs and
1. Has installed the "phf" program from the NCSA HTTPD distribution or
the Apache HTTPD distribution in a CGI-BIN directory (even if the
program is not being used)
and/or
2. Has installed programs obtained from the Internet or elsewhere that
are using the escape_shell_cmd() function contained in the sample
CGI-BIN source code distributed with NCSA HTTPD or Apache HTTPD
and/or
3. Has installed programs developed internally using the
escape_shell_cmd() function contained in the sample CGI-BIN source
code distributed with NCSA HTTPD or Apache HTTPD
and/or
4. Has installed CGI programs that do not adequately check their
inputs for the special characters listed above (including newline)
before passing these inputs to a shell command
is vulnerable to attack in this manner.
II. Impact
An attacker who knows how to exercise this vulnerability may have the
ability to:
1. Execute arbitrary commands on the server host using the same user-id as
the user running the "httpd" server. If "httpd" is being run as
"root," the attacker's commands are also run as "root."
2. Access any file on the system that is accessible to the user-id that is
running the "httpd" server. If the "httpd" server user-id has read
access to the file, the attacker can also read the file. If the
"httpd" server user-id has write access to the file, the attacker can
change or destroy the contents of the file. If the "httpd" server is
being run as "root," the attacker can read, modify, or destroy any file
on the server host.
3. Given an X11-based terminal emulator ("xterm" or equivalent) installed
on the "httpd" server host, gain full interactive access to the server
host just as if he were logging in locally.
III. Solutions
A. Suggested actions
The IBM Emergency Response Service (IBM-ERS) team recommends that you
consider taking the following actions (subject to any licensing
restrictions that may apply to your copies of the programs):
1. If you have installed the "phf" program from the NCSA or Apache
HTTPD binary or source distributions and are not using it, remove
it.
2. If you have installed the "phf" program from the NCSA or Apache
HTTPD source distributions and are using it, apply one of the
patches below, rebuild the "phf" program, and install the new
version.
3. If you have installed the "phf" program from the NCSA or Apache
HTTPD binary distributions and are using it, obtain the NCSA or
Apache source distributions:
NCSA:
ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/httpd_1.5/
httpd_1.5a-export_source.tar.Z
Apache:
ftp://ftp.apache.org/apache/dist/apache_1.0.3.tar.gz
Then apply one of the patches below, rebuild the "phf" program, and
install the new version.
4. If you have installed other C-language CGI programs obtained from
the Internet or elsewhere and have the source code for these
programs, examine them closely and make sure that they are
properly checking their inputs before passing them to a shell.
If these programs are using the escape_shell_cmd() function from
the NCSA or Apache distributions, the patches below can be adapted
to these programs.
Once you have identified any problem areas and developed fixes for
them, rebuild the programs and install the new versions.
5. If you have developed your own C-language CGI programs using the
sample code contained in the NCSA or Apache distributions, adapt
the patches below to your code, rebuild these programs, and
install the new versions.
6. If you have purchased CGI programs from third-party vendors,
contact your vendor to determine whether or not these programs
contain this vulnerability.
7. If you are running your "httpd" server as "root," consider running
it as an unprivileged user instead.
B. Patch for escape_shell_cmd()
The escape_shell_cmd() function is contained in the "util.c" file in the
"cgi-src" directory of the NCSA HTTPD and Apache HTTPD source
distributions.
The patch below can be applied to the NCSA version of "util.c" to fix
this vulnerability:
- - ---------------------------------- cut here
----------------------------------
*** httpd_1.5a-export/cgi-src/util.c.old Tue Nov 14 11:38:40 1995
- - --- httpd_1.5a-export/cgi-src/util.c Thu Feb 22 20:37:07 1996
***************
*** 139,145 ****
l=strlen(cmd);
for(x=0;cmd[x];x++) {
! if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){
for(y=l+1;y>x;y--)
cmd[y] = cmd[y-1];
l++; /* length has been increased */
- - --- 139,145 ----
l=strlen(cmd);
for(x=0;cmd[x];x++) {
! if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){
for(y=l+1;y>x;y--)
cmd[y] = cmd[y-1];
l++; /* length has been increased */
- - ---------------------------------- cut here
----------------------------------
The patch below can be applied to the Apache version of "util.c" to fix
this vulnerability:
- - ---------------------------------- cut here
----------------------------------
*** apache_1.0.3/cgi-src/util.c.old Sat Feb 17 03:32:14 1996
- - --- apache_1.0.3/cgi-src/util.c Fri Feb 23 10:48:43 1996
***************
*** 135,141 ****
l=strlen(cmd);
for(x=0;cmd[x];x++) {
! if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){
for(y=l+1;y>x;y--)
cmd[y] = cmd[y-1];
l++; /* length has been increased */
- - --- 135,141 ----
l=strlen(cmd);
for(x=0;cmd[x];x++) {
! if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){
for(y=l+1;y>x;y--)
cmd[y] = cmd[y-1];
l++; /* length has been increased */
- - ---------------------------------- cut here
----------------------------------
To apply the patch, save the text between the two "-- cut here --" lines
in a file, change directories to your source tree (the directory that
contains "httpd_1.5a-export" or "apache_1.0.3" as a subdirectory) and
issue the command:
patch < filename
If you do not have the "patch" program, you can obtain it from
ftp://prep.ai.mit.edu/pub/gnu/patch-2.1.tar.gz
or you can apply the patch by hand.
This fix is provied "AS IS" without warranty of any kind, including,
without limitation, any implied warranties of merchantibility or
fitness for a particular purpose. This advisory does not create or
imply any support obligations or any other liability on the part of
IBM or its subsidiaries.
C. Pending fix from NCSA
NCSA states that they have fixed this problem in HTTPD Version 1.5.1,
which is currently in the beta-testing stage. You can obtain NCSA
HTTPD 1.5.1 Beta 3 from
http://hoohoo.ncsa.uiuc.edu/beta-1.5/
if you wish to experiment with it. However, NCSA warns that this is
NOT a stable version of the server.
D. Pending fix from Apache
The Apache Project is aware of this problem, and states that they plan
to provide a fix for it in Apache HTTPD Version 1.1, which is scheduled
for release in early March. For more information about the pending
release of Apache HTTPD Version 1.1, see the Apache Project home page at
http://www.apache.org/
E. A second potential vulnerability
When examining your CGI programs that make use of the escape_shell_cmd()
function, note that escape_shell_cmd() does not perform any check on the
length of the buffer it is passed. Because each character in the buffer
has the potential to be escaped with a backslash, the resulting string
can be up to twice as long as the original.
Any buffer that is passed into this function should be at least (2n+1)
bytes in size, where n is the length of the unescaped string.
Programs that do not adhere to this requirement are vulnerable to buffer
overrun attacks, much like those used successfully by the Internet worm
against the finger daemon, as well as in several more recent attacks
against other programs.
F. Additional information
If you have enabled the Common Gateway Interface in your server, even if
you are not yet actively using it, IBM-ERS recommends that you learn as
much as possible about the security issues involved. We have provided
URLs for some good sources of information on this topic below:
CGI Security
------------
http://hoohoo.ncsa.uiuc.edu/cgi/security.html
http://www.cerf.net/~paulp/cgi-security/
WWW Security (Including CGI)
----------------------------
http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
Please note that the URLs referenced in this advisory are not under IBM's
control and therefore IBM cannot be responsible for their availability or
content. If you have any questions regarding any of these sites, please
contact that site's administrator or webmaster.
IV. Acknowledgements
IBM-ERS would like to thank the IBM Global I/T Security Consulting Group and
the IBM Global Security Analysis Laboratory at the IBM T. J. Watson Research
Center, for bringing this exposure to our attention, providing the patches
for it, and their assistance in the development of this alert.
[ End of IBM Bulletin ]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of IBM Emergency Response
Service for the information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy (DOE) and the
National Institute of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding member of
FIRST, the Forum of Incident Response and Security Teams, a global organization
established to foster cooperation and coordination among computer security
teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
Voice: +1 510-422-8193
FAX: +1 510-423-8002
STU-III: +1 510-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH
may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the
CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the
primary PIN number, 8550070, is for the CIAC duty person, and the secondary
PIN number, 8550074 is for the CIAC Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://ciac.llnl.gov/
Anonymous FTP: ciac.llnl.gov (128.115.19.53)
Modem access: +1 (510) 423-4753 (28.8K baud)
+1 (510) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information
and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
SPI products.
Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
SPI-NOTES for list-name and valid information for LastName FirstName and
PhoneNumber when sending
E-mail to ciac-listproc@llnl.gov:
subscribe list-name LastName, FirstName PhoneNumber
e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36
You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or
get help.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containingt
the line: send first-contacts.
This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
(G-7) SGI Object Server Vulnerability
(G-8) splitvt(1) Vulnerability
(G-9b) Unix sendmail Vulnerability
(G-10a) Winword Macro Viruses
(G-11) HP Syslog Vulnerability
(G-12) SGI ATT Packaging Utility Security Vulnerability
(G-13) Kerberos Version 4 Key Server Vulnerability
(G-14) Domain Name Service Vulnerabilities
(G-15) Sunsoft Demo CD Vulnerability
(G-16) SGI rpc.statd Program Security Vulnerabilities
RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)
Notes 07 - 3/29/95 A comprehensive review of SATAN
Notes 08 - 4/4/95 A Courtney update
Notes 09 - 4/24/95 More on the "Good Times" virus urban legend
Notes 10 - 6/16/95 PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
in S/Key, EBOLA Virus Hoax, and Caibua Virus
Notes 11 - 7/31/95 Virus Update, Hats Off to Administrators,
America On-Line Virus Scare, SPI 3.2.2 Released,
The Die_Hard Virus
Notes 12 - 9/12/95 Securely configuring Public Telnet Services, X Windows,
beta release of Merlin, Microsoft Word Macro Viruses,
Allegations of Inappropriate Data Collection in Win95
-----BEGIN PGP SIGNATURE-----
Version: 2.6.1
Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface
iQCVAwUBMUXhb7nzJzdsy3QZAQFrvAQAutaWz1VhajATJywqK5zLysKF5O2fgsSX
EV7GtgDYv0SIyq1PMXc6oeMsZbDEMIsC6PmMtcrhuG6I78BOi7SlvtixuIyHB26L
Y7dsUhvL0PYQ1yTk3pyMi460qg+uX/9mXy/1N3rO50IA/O6+O97/bcaGoGQW5d7v
Tfn+s0hSoDs=
=vi8O
-----END PGP SIGNATURE-----
Frank R. Swift
Computer Security
Lawrence Livermore National Laboratory
Voice (510) 422-1463 Fax (510) 423-0913
uncl@llnl.gov
PGP Key fingerprint = 1A 14 02 5A 76 B2 BD 47 C0 3E ED 9A C5 3B 81 2D
--- ifmail v.2.8.lwz
* Origin: MDE (1:340/13@fidonet)
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
