Vulnerability

    SCOhelp http server

Affected

    Unixware

Description

    Following  is  based  on  a  Core-SDI  Advisory  CORE-092700.  SCO
    Unixware 7 default installation  includes scohelp, an http  server
    that listens  on port  457/tcp and  allows access  to manual pages
    and other documentation files.  The search CGI script provided for
    that  purpose  has  a  vulnerability  that  could allow any remote
    attacker to execute arbitrary code on the vulnerable machine  with
    privileges of  user "nobody".   This vulnerability  was discovered
    by Juliano Rizzo of CORE SDI.

    This poses a threat that could result in the remote compromise  of
    the vulnerable  host and  provide a  staging point  from where  an
    attacker could escalate privileges.

    There  is  a  user  supplied  format  string bug in the vtopic CGI
    script that could be abused to execute arbitrary code.  By sending
    a request with the following URI:

        http://target:457/search97cgi/vtopic?Action=FilterSearch&filter=&queryText=%25x

    The server will elicit the following response:

        Internal error: STR_sprintf: Invalid format (Error E1-0142 (Query
        Builder): Invalid character '%' (0x25))

        Result
        Search failed: -40

        Result
        Error E1-0142 (Query Builder): Invalid character '

        Result
        Error E1-0130 (Query Builder): Syntax error in query string near
        character 1

        Result
        Error E1-0133 (Query Builder): Error parsing query: 81888e0

        Result
        VdkSearchNew failed, error -40

        Result
        Request failed for REQUEST_METHOD=, QUERY_STRING=

        Component
        Component (vsearch) failed in processing request, -2

        Action
        Action (FilterSearch) failed while processing request in component
        (vsearch), -2

        Service Manager
        Action (FilterSearch) failed in processing request, -2
        S97IS Service manager failed to process request

    Note the line:

        Error E1-0133 (Query Builder): Error parsing query: 81888e0

    This shows that the server is interpreting the %x argument  passed
    in the URI as the "queryText" value.  Supplying a carefully  built
    value  for  the  queryText  argument  an  attacker  can change the
    program flow and execute arbitrary code.

Solution

    Contact the  vendor for  a fix.   In the  meantime, disabling  the
    http  server  on  port  457/tcp  will  prevent exploitation of the
    vulnerability.   However,  this  will  also  make  access  to  the
    documentation unavailable.  The following is a workaround supplied
    by the vendor:

        1) Log into the system as root
        2) cd /usr/ns-home/httpd-scohelphttp/search97
        3) mkdir ./securebin
        4) mv ./bin/vtopic ./securebin
        5) Using your favourite editor create a new version of  vtopic
           in     the      /usr/ns-home/httpd-scohelphttp/search97/bin
           directory containing the following:
        --------------------------------------------------------------------
        #!/bin/sh
        VERITYBIN=/usr/ns-home/httpd-scohelphttp/search97/bin
        SECUREBIN=/usr/ns-home/httpd-scohelphttp/search97/securebin
        configPath=$VERITYBIN/inetsrch.ini
        export configPath

        # If POST method, convert to QUERY_STRING
        if [ -z "$QUERY_STRING" ]
        then
                POST=1
                eval `$VERITYBIN/cgiparse -init`
        else
                POST=0
        fi

        # Exit if not set
        if [ -z "$QUERY_STRING" ]
        then
                exit 1
        fi

        # Now strip out insecure character %25
        QUERY_STRING=`echo "$QUERY_STRING" | sed "s/%25/+/g"`

        # First check for multiple ViewTemplate fields
        # which could fool vtopic
        COUNT=`$VERITYBIN/cgiparse -count -value ViewTemplate 2> /dev/null`
        if [ "$COUNT" -gt 1 ]
        then
                exit 1
        fi

        # First check for multiple ResultTemplate fields
        # which could fool vtopic
        COUNT=`$VERITYBIN/cgiparse -count -value ResultTemplate 2> /dev/null`
        if [ "$COUNT" -gt 1 ]
        then
                exit 1
        fi

        # Now check for correct path in ViewTemplate if it has one
        if echo "$QUERY_STRING" | egrep -i '&ViewTemplate=' > /dev/null 2>&1
        then
                MATCH=`cgiparse -value ViewTemplate 2> /dev/null | egrep -i
        '[-A-Za-z0-9_.]+/_SearchTemplates/docview.hts'`
                if [ -z "$MATCH" ]
                then
                        exit 1
                fi
        fi

        # Now check for correct path in ResultTemplate if it has one
        if echo "$QUERY_STRING" | egrep -i '&ResultTemplate=' > /dev/null 2>&1
        then
                MATCH=`cgiparse -value ResultTemplate 2> /dev/null | egrep -i
        '[-A-Za-z0-9_.]+/_SearchTemplates/result.hts'`
                if [ -z "$MATCH" ]
                then
                        exit 1
                fi
        fi

        # OK, so proceed
        if [ "$POST" -eq 1 ]
        then
                export CONTENT_LENGTH
                echo "$QUERY_STRING" | $SECUREBIN/vtopic
        else
                export QUERY_STRING
                $SECUREBIN/vtopic
        fi
        --------------------------------------------------------------------
        6) chmod +x vtopic

    This script  acts as  a wrapper  to the  vtopic binary  and blocks
    queries that can:

        1) Allow  a remote  user to  request to  view a world readable
           file like /etc/passwd
        2) Cause  a failure  like the  one described  in your email to
           SCO.