-----BEGIN PGP SIGNED MESSAGE-----
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Vulnerability in webdist.cgi
May 6, 1997 22:00 GMT Number H-53
______________________________________________________________________________
PROBLEM: A vulnernability exists in the webdist.cgi cgi-bin program.
PLATFORM: IRIX 5.x and 6.x running Mindshare Out Box package.
DAMAGE: Both local and remote users may be able to execute arbitrary
commands with the privileges of the httpd daemon.
SOLUTION: Until patches are available, take the steps outlined in Section
III as soon as possible. If the package is not required, it is
recommended that sites remove it from their systems.
______________________________________________________________________________
VULNERABILITY Exploit details involving this vulnerability have been made
ASSESSMENT: publicly available.
______________________________________________________________________________
[****** Start AUSCERT Advisory ******]
===========================================================================
AA-97.14 AUSCERT Advisory
SGI IRIX webdist.cgi Vulnerability
7 May 1997
Last Revised: --
- ----------------------------------------------------------------------------
AUSCERT has received information of a security vulnerability in the
webdist.cgi cgi-bin program, part of the IRIX Mindshare Out Box package,
available with IRIX 5.x and 6.x. By exploiting this vulnerability, both
local and remote users may be able to execute arbitrary commands with the
privileges of the httpd daemon. This may be used to compromise the http
server and under certain configurations gain privileged access.
Currently there are no official vendor patches available which address
the vulnerability described in this advisory. We recommend that sites
prevent the exploitation of this vulnerability by immediately applying
the workaround given in Section 3.1. If the package is not required, we
recommend removing it from their systems.
When official vendor patches are made available, they should be applied
as soon as possible.
We will update this advisory as we receive additional information. Please
check our advisory files regularly for updates that relate to your site.
Note: Development of this advisory was a joint effort of the CERT
Coordination Center and AUSCERT. This material was also released as
CERT Advisory CA-97.12.
- - ---------------------------------------------------------------------------
1. Description
A security vulnerability has been reported in the webdist.cgi cgi-bin
program available with IRIX 5.x and 6.x. webdist.cgi is part of the
IRIX Mindshare Out Box software package, which allows users to install
software over a network via a World Wide Web interface.
webdist.cgi allows webdist(1) to be used via an HTML form interface
defined in the file webdist.html, which is installed in the default
document root directories for both the Netsite and Out Box servers.
Due to insufficient checking of the arguments passed to webdist.cgi,
it may be possible to execute arbitrary commands with the privileges
of the httpd daemon. This is done via the webdist program.
When installed, webdist.cgi is accessible by anyone who can connect to
the httpd daemon. Because of this, the vulnerability may be exploited by
remote users as well as local users. Even if a site's webserver is
behind a firewall, it may still be vulnerable.
Determining if your site is vulnerable
--------------------------------------
All sites are encouraged to check their systems for the IRIX Mindshare
Out Box software package, and in particular the Webdist Software
package which is a subsystem of the Mindshare Out Box software package.
To determine if this package is installed, use the command:
# versions outbox.sw.webdist
I = Installed, R = Removed
Name Date Description
I outbox 11/06/96 Outbox Environment, 1.2
I outbox.sw 11/06/96 Outbox End-User Software, 1.2
I outbox.sw.webdist 11/06/96 Web Software Distribution Tools, 1.2
2. Impact
Local and remote users may be able to execute arbitrary commands on
the HTTP server with the privileges of the httpd daemon. This may be
used to compromise the http server and, under certain configurations,
gain privileged access.
3. Workarounds/Solution
Silicon Graphics Inc. has informed AUSCERT that they are aware of
the vulnerability described in this advisory and are currently
investigating the problem.
There are no official vendor patches available at this time which
address this vulnerability. We recommend that sites prevent the
exploitation of this vulnerability by immediately applying the
workaround given in Section 3.1, or removing the package from their
systems (Section 3.2).
When vendor patches are made available, we recommend that sites apply
them as soon as possible.
3.1 Remove execute permissions
Sites should immediately remove the execute permissions on the
webdist.cgi program to prevent its exploitation. By default,
webdist.cgi is found in /var/www/cgi-bin/, but sites should check all
cgi-bin directories for this program.
# ls -l /var/www/cgi-bin/webdist.cgi
-rwxr-xr-x 1 root sys 4438 Nov 6 12:44 /var/www/cgi-bin/webdist.cgi
# chmod 400 /var/www/cgi-bin/webdist.cgi
# ls -l /var/www/cgi-bin/webdist.cgi
-r-------- 1 root sys 4438 Nov 6 12:44 /var/www/cgi-bin/webdist.cgi
Note that this will prevent all users from using the webdist program
from the HTML form interface.
3.2 Remove outbox.sw.webdist subsystem
If the Webdist software is not required, we recommend that sites remove
it completely from their systems. This can be done with the command:
# versions remove outbox.sw.webdist
Sites can check that the package has been removed with the command:
# versions outbox.sw.webdist
4. Additional Measures
Sites should consider taking this opportunity to examine their entire
httpd configuration. In particular, all CGI programs that are not
required should be removed, and all those remaining should be examined
for possible security vulnerabilities.
It is also important to ensure that all child processes of httpd are
running as a non-privileged user. This is often a configurable option.
See the documentation for your httpd distribution for more details.
Numerous resources relating to WWW security are available. The
following pages may provide a useful starting point. They include
links describing general WWW security, secure httpd setup, and secure
CGI programming.
The World Wide Web Security FAQ:
http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
NSCA's "Security Concerns on the Web" Page:
http://hoohoo.ncsa.uiuc.edu/security/
The following book contains useful information including sections on
secure programming techniques.
_Practical Unix & Internet Security_, Simson Garfinkel and
Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.
Please note that the CERT/CC and AUSCERT do not endorse the URLs that
appear above. If you have any problems with these sites, please contact
the site administrator.
- ------------------------------------------------------------------------------
This advisory is a collaborative effort between AUSCERT and the CERT
Coordination Center. This material was also released as CERT Advisory
CA-97.12.
[****** End AUSCERT Advisory ******]
______________________________________________________________________________
CIAC wishes to acknowledge the contributions of AUSCERT, CERT, Yuri Volobuev,
Martin Nicholls (The University of Queensland) & Ian Farquhar of Silicon
Graphics, Inc. for the information contained in this bulletin.
______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 510-422-8193
FAX: +1 510-423-8002
STU-III: +1 510-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://ciac.llnl.gov/
Anonymous FTP: ciac.llnl.gov (128.115.19.53)
Modem access: +1 (510) 423-4753 (28.8K baud)
+1 (510) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, ciac-notes, spi-announce OR spi-notes for list-name:
E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
subscribe list-name
e.g., subscribe ciac-notes
You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.
If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
H-45: Windows NT SAM permission Vulnerability
H-46: Vulnerability in IMAP and POP
H-47A: AOL4FREE.COM Trojan Horse Program Destroys Hard Drives
H-48: Internet Information Server Vulnerability
H-49: NLS Buffer Overflow Vulnerability
H-22a: talkd Buffer Overrun Vulnerability
H-29a: HP-UX sendmail Patches Vulnerability
H-50: HP-UX SYN Flood and libXt patches
H-51: Vulnerability in libXt
H-52: IRIX csetup Program Vulnerability
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
iQCVAwUBM3d+S7nzJzdsy3QZAQHGoAQA/Fm/IHuyE+cRV9HYXgG4MosyG7MXVCIg
Bt6U+9zx17OROcjPGAIWW3f9bHF/aQhZHMiSdAI69LIBUdEKnllL3OYyOP/fmx1e
KpelPF16vZlDSlKayeFSaT3ZtzWK18AjqsOEbdNdzU+T+Ep5TQpeU7O6DIwcWKWF
JZm9bnTagwM=
=1eIR
-----END PGP SIGNATURE-----
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
