
CGIWrap Format strings vuln




A locally and possibly remotely exploitable format string bug exists in cgiwrap, available from:

http://cgiwrap.sourceforge.net/
http://sourceforge.net/projects/cgiwrap
http://www.freebsd.org/ports/security.html



I. BACKGROUND



This is CGIWrap - a gateway that allows more secure user access to
CGI programs on an HTTPd server than is provided by the http server
itself. The primary function of CGIWrap is to make certain that
any CGI script runs with the permissions of the user who installed
it, and not those of the server.



CGIWrap works with NCSA httpd, Apache, CERN httpd, NetSite Commerce
and Communications servers, and probably any other Unix-based web
server software that supports CGI.



II. DESCRIPTION



On line 91 of msgs.c the printf() function is used incorrectly, which
results in a format string vulnerability: the caller-supplied message
is passed as the format argument.

<snip>
void MSG_Error_General(char *message)
{
        MSG_Header("CGIWrap Error", message);
        printf(message);
        MSG_Footer();
        exit(1);
}
</snip>



The binaries in cgiwrap (cgiwrap and nph-cgiwrap) are installed setuid
root. This could make the format string problem exploitable locally to
gain root privs, or possibly remotely to gain root or the privs of the
user who owns the CGI script.
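
The corrected form of the call quoted above, next to the original pattern. This is an added example, not code from cgiwrap or from the advisory's author; the function names render_as_format, render_as_data and count_directives and the sample message are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example: models only the body write of MSG_Error_General(), into a
 * buffer so the result can be checked. The constructed input uses only "%%",
 * which consumes no argument, so the 'before' call stays well-defined. */

/* 'Before' pattern, kept on purpose; its warnings are silenced here only.
 * Real builds should compile with -Wformat -Werror=format-security. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int render_as_format(char *out, size_t n, const char *message)
{
    return snprintf(out, n, message);        /* message parsed as a format */
}
#pragma GCC diagnostic pop

/* Hardened form: constant format, message passed as data. */
static int render_as_data(char *out, size_t n, const char *message)
{
    return snprintf(out, n, "%s", message);  /* message copied verbatim */
}

/* Count conversion directives (a '%' that is not part of a literal "%%"),
 * e.g. to flag untrusted text that reaches an error path. */
static int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;                             /* literal percent: skip pair */
        else
            count++;
    }
    return count;
}

int main(void)
{
    const char *msg = "disk 100%% full";     /* constructed input */
    char a[64], b[64];
    render_as_format(a, sizeof a, msg);
    render_as_data(b, sizeof b, msg);
    printf("format: %s\ndata:   %s\ndiffer: %d\n", a, b, strcmp(a, b) != 0);
    return 0;
}
```

In MSG_Error_General() itself the equivalent change is printf("%s", message) or fputs(message, stdout).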



III. ANALYSIS

An attacker could exploit this issue to escalate privs locally or
remotely on a server running cgiwrap.



IV. DETECTION



This is vulnerable in the latest version of cgiwrap, version 3.7.1, and
probably older versions (not checked). It would be exploitable on any
Linux/Unix-based OS running cgiwrap.



V. VENDOR

The vendor has not been contacted about this issue.



Regards

b0f  (Alan M)

www.b0f.net
