
Irix Vulnerability In Webdist CGI



                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

                          Vulnerability in webdist.cgi

May 6, 1997 22:00 GMT                                              Number H-53
PROBLEM:       A vulnerability exists in the webdist.cgi cgi-bin program.
PLATFORM:      IRIX 5.x and 6.x running Mindshare Out Box package.
DAMAGE:        Both local and remote users may be able to execute arbitrary
               commands with the privileges of the httpd daemon.
SOLUTION:      Until patches are available, take the steps outlined in Section
               III as soon as possible. If the package is not required, it is
               recommended that sites remove it from their systems.
VULNERABILITY  Exploit details involving this vulnerability have been made
ASSESSMENT:    publicly available.

[******  Start AUSCERT Advisory ******]

AA-97.14                        AUSCERT Advisory
                        SGI IRIX webdist.cgi Vulnerability
                                   7 May 1997

Last Revised: --

----------------------------------------------------------------------------

AUSCERT has received information of a security vulnerability in the
webdist.cgi cgi-bin program, part of the IRIX Mindshare Out Box package,
available with IRIX 5.x and 6.x. By exploiting this vulnerability, both
local and remote users may be able to execute arbitrary commands with the
privileges of the httpd daemon. This may be used to compromise the http
server and under certain configurations gain privileged access.

Currently there are no official vendor patches available which address
the vulnerability described in this advisory. We recommend that sites
prevent the exploitation of this vulnerability by immediately applying
the workaround given in Section 3.1. If the package is not required, we
recommend that sites remove it from their systems.

When official vendor patches are made available, they should be applied
as soon as possible.

We will update this advisory as we receive additional information.  Please
check our advisory files regularly for updates that relate to your site.

Note: Development of this advisory was a joint effort of the CERT
      Coordination Center and AUSCERT. This material was also released as
      CERT Advisory CA-97.12.

---------------------------------------------------------------------------

1.  Description

    A security vulnerability has been reported in the webdist.cgi cgi-bin
    program available with IRIX 5.x and 6.x. webdist.cgi is part of the
    IRIX Mindshare Out Box software package, which allows users to install
    software over a network via a World Wide Web interface.

    webdist.cgi allows webdist(1) to be used via an HTML form interface
    defined in the file webdist.html, which is installed in the default
    document root directories for both the Netsite and Out Box servers.

    Due to insufficient checking of the arguments passed to webdist.cgi,
    it may be possible to execute arbitrary commands with the privileges
    of the httpd daemon. This is done via the webdist program.

    When installed, webdist.cgi is accessible by anyone who can connect to
    the httpd daemon. Because of this, the vulnerability may be exploited by
    remote users as well as local users. Even if a site's webserver is
    behind a firewall, it may still be vulnerable.

    Determining if your site is vulnerable

    All sites are encouraged to check their systems for the IRIX Mindshare
    Out Box software package, and in particular the Webdist Software
    package which is a subsystem of the Mindshare Out Box software package.
    To determine if this package is installed, use the command:

        # versions outbox.sw.webdist

     I = Installed, R = Removed

     Name                   Date        Description

     I outbox               11/06/96    Outbox Environment, 1.2
     I outbox.sw            11/06/96    Outbox End-User Software, 1.2
     I outbox.sw.webdist    11/06/96    Web Software Distribution Tools, 1.2

2.  Impact

    Local and remote users may be able to execute arbitrary commands on
    the HTTP server with the privileges of the httpd daemon. This may be
    used to compromise the http server and, under certain configurations,
    gain privileged access.

3.  Workarounds/Solution

    Silicon Graphics Inc. has informed AUSCERT that they are aware of
    the vulnerability described in this advisory and are currently
    investigating the problem.

    There are no official vendor patches available at this time which
    address this vulnerability.  We recommend that sites prevent the
    exploitation of this vulnerability by immediately applying the
    workaround given in Section 3.1, or removing the package from their
    systems (Section 3.2).

    When vendor patches are made available, we recommend that sites apply
    them as soon as possible.

3.1 Remove execute permissions

    Sites should immediately remove the execute permissions on the
    webdist.cgi program to prevent its exploitation. By default,
    webdist.cgi is found in /var/www/cgi-bin/, but sites should check all
    cgi-bin directories for this program.

      # ls -l /var/www/cgi-bin/webdist.cgi
      -rwxr-xr-x  1 root  sys  4438 Nov  6 12:44 /var/www/cgi-bin/webdist.cgi

      # chmod 400 /var/www/cgi-bin/webdist.cgi

      # ls -l /var/www/cgi-bin/webdist.cgi
      -r--------  1 root  sys  4438 Nov  6 12:44 /var/www/cgi-bin/webdist.cgi

    Note that this will prevent all users from using the webdist program
    from the HTML form interface.
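    The Section 3.1 check and workaround as a small audit script, added
    here as an example and not part of the CIAC/AUSCERT advisory. It scans
    every cgi-bin directory it is given for webdist.cgi, reports whether
    any execute bit is set, and with FIX=1 applies the advisory's chmod 400;
    the function names and the FIX flag are this example's own, while
    /var/www/cgi-bin is the default location named in the advisory.

```shell
#!/bin/sh
# Added example, not part of the CIAC/AUSCERT advisory: audit cgi-bin
# directories for webdist.cgi and, when asked, apply the Section 3.1
# workaround (chmod 400). The function names and the FIX flag are this
# example's own; /var/www/cgi-bin is the default path from the advisory.
# Usage: sh audit_webdist.sh FIX DIR...   (e.g. sh audit_webdist.sh 0 /var/www/cgi-bin)

# Permission string of a file as ls prints it, e.g. "rwxr-xr-x".
webdist_mode() {
    ls -ld "$1" | cut -c2-10
}

# Exit 0 if any execute bit (user, group or other) is set; that is the
# condition the advisory's workaround removes. Mode bits are read from ls
# rather than test -x so the answer is the same whoever runs the audit.
webdist_is_executable() {
    case "$(webdist_mode "$1")" in
        *x*) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_webdist FIX DIR...  Report webdist.cgi in each DIR; with FIX=1
# also chmod 400 it as in Section 3.1. Returns 1 if an executable copy
# was found in any DIR (useful as a cron check), otherwise 0.
audit_webdist() {
    fix="$1"; shift
    rc=0
    for d in "$@"; do
        f="$d/webdist.cgi"
        [ -e "$f" ] || continue
        if webdist_is_executable "$f"; then
            echo "VULNERABLE: $f is executable ($(webdist_mode "$f"))"
            rc=1
            if [ "$fix" = 1 ]; then
                chmod 400 "$f" && echo "FIXED: $f now $(webdist_mode "$f")"
            fi
        else
            echo "OK: $f present but not executable ($(webdist_mode "$f"))"
        fi
    done
    return $rc
}

# Stand-alone use: first argument is FIX (0 or 1), the rest are the
# cgi-bin directories to check.
[ $# -gt 0 ] && audit_webdist "$@"
```

    Sites with more than one web server should pass every cgi-bin directory
    (for example those found with find / -name cgi-bin -type d), since the
    advisory notes webdist.cgi may be installed outside /var/www/cgi-bin.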

3.2 Remove outbox.sw.webdist subsystem

    If the Webdist software is not required, we recommend that sites remove
    it completely from their systems. This can be done with the command:

        # versions remove outbox.sw.webdist

    Sites can check that the package has been removed with the command:

        # versions outbox.sw.webdist

4.  Additional Measures

    Sites should consider taking this opportunity to examine their entire
    httpd configuration. In particular, all CGI programs that are not
    required should be removed, and all those remaining should be examined
    for possible security vulnerabilities.

    It is also important to ensure that all child processes of httpd are
    running as a non-privileged user. This is often a configurable option.
    See the documentation for your httpd distribution for more details.

    Numerous resources relating to WWW security are available. The
    following pages may provide a useful starting point. They include
    links describing general WWW security, secure httpd setup, and secure
    CGI programming.

        The World Wide Web Security FAQ:


        NCSA's "Security Concerns on the Web" Page:

    The following book contains useful information including sections on
    secure programming techniques.

        _Practical Unix & Internet Security_, Simson Garfinkel and
        Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.

    Please note that the CERT/CC and AUSCERT do not endorse the URLs that
    appear above. If you have any problems with these sites, please contact
    the site administrator.

------------------------------------------------------------------------------
This advisory is a collaborative effort between AUSCERT and the CERT
Coordination Center. This material was also released as CERT Advisory

 [******  End AUSCERT Advisory ******]


CIAC wishes to acknowledge the contributions of AUSCERT, CERT, Yuri Volobuev,
Martin Nicholls (The University of Queensland) & Ian Farquhar of Silicon
Graphics, Inc. for the information contained in this bulletin.


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, ciac-notes, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-notes

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

H-45: Windows NT SAM  permission Vulnerability
H-46: Vulnerability in IMAP and POP
H-47A: AOL4FREE.COM Trojan Horse Program Destroys Hard Drives
H-48: Internet Information Server Vulnerability
H-49: NLS Buffer Overflow Vulnerability
H-22a: talkd Buffer Overrun Vulnerability
H-29a: HP-UX sendmail Patches Vulnerability
H-50: HP-UX SYN Flood and libXt patches
H-51: Vulnerability in libXt
H-52: IRIX csetup Program Vulnerability


