Bugtraq mailing list archives
Re: CGI security
From: vlad () SANDY RU (Vladimir Dubrovin)
Date: Tue, 14 Sep 1999 12:34:56 +0400
Hello Ivo van der Wijk, 13.09.99 12:49, you wrote: CGI security;

I> On Sun, Sep 12, 1999 at 09:57:35AM -0500, Kerb wrote:
I> > I just read most of the Phrack article about CGI security, and it made me
I> > wonder about another possible exploit. You'll have to correct me if I am
I> > wrong, as I am not real familiar with C, but would it be possible to throw
I> > an EOF character into a string? Maybe a query string? Now that doesn't
I> > sound all that great as is, but if you think about it, URLs are logged
I> > into the web logs, and a lot of administrators either have a program or
I> > just grep the access_log for attempts to exploit CGI vulnerabilities
I> > (scanners, etc). Now this is where it gets good. Would it be possible to
I> > tack an EOF file into a query string on a normal request, even for a
I> > static page (/index.html?EOF), then follow up with an exploit? That way,
I> > if it works as I think it might, then when the log file is checked, it
I> > finds that EOF character and stops there, thinking it is the end of the
I> > file. That would effectively cover your tracks. As a CGI programmer, I'd
I> > appreciate any feedback.

I> EOF characters don't exist (at least not on Un*x) - a file ends when all of its
I> bytes have been read.

Only if the program has an error, something like

    char c;
    ...
    while( ( c = getchar() ) != EOF )
    ...

In this case uchar 255 will act as EOF. Sometimes novices make errors like this.

But there is an EOL character ('\0'). If you use something like
"/index.html?%00xxxxxxxxxxxxxxxxx", xxxxxxxxxxxxxxxxx probably will not appear
in any logs at all. This can be used to hide some attacks. When the GET method
is used, null characters are passed to stdin. In this case all arguments with
null characters will be correctly processed unless the program uses str*()
routines to process the arguments. I can imagine a few situations where this
can cause new buffer overflows (for example, a script uses strlen() to allocate
memory space for an argument, but uses memcpy() with the length counted from
stdin to copy the argument itself), but I don't think you will meet it in real
life.

+=-=-=-=-=-=-=-=-=+
|Vladimir Dubrovin|
=+=-=-=-=-=-=-=-=-=+=-=
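Both points of the reply above in runnable form: the getchar()-into-a-char mistake that makes a 0xFF byte look like EOF to a log reader, and a %00 in a decoded query string that str*() routines silently cut off. This is an added example, not code from the thread; the function names (next_byte, count_bytes_buggy, count_bytes_fixed, url_decode, decoded_len, strlen_view) and both sample inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in for getchar() over a buffer: same contract, 0..255 or EOF. */
static int next_byte(const unsigned char *buf, size_t len, size_t *pos) {
    return *pos < len ? buf[(*pos)++] : EOF;
}
/* The novice error from the message: getchar()'s result kept in a char. Plain
   char is signed on x86 (spelled out here), so byte 0xFF becomes -1 == EOF. */
size_t count_bytes_buggy(const unsigned char *buf, size_t len) {
    size_t pos = 0, n = 0;
    signed char c;
    while ((c = next_byte(buf, len, &pos)) != EOF) n++;
    return n;                               /* stops at the first 0xFF */
}
/* Correct form: an int keeps 255 and EOF (-1) distinct. */
size_t count_bytes_fixed(const unsigned char *buf, size_t len) {
    size_t pos = 0, n = 0;
    int c;
    while ((c = next_byte(buf, len, &pos)) != EOF) n++;
    return n;
}
static int hexval(int ch) {                 /* hex digit value, else -1 */
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    return (ch >= 'A' && ch <= 'F') ? ch - 'A' + 10 : -1;
}
/* Decodes %XX escapes into dst and returns the length explicitly: %00 yields
   a real NUL byte, so the caller must carry this count, not call strlen(). */
size_t url_decode(const char *src, unsigned char *dst, size_t cap) {
    size_t n = 0; int hi, lo;
    for (; *src && n < cap; src++) {
        if (*src == '%' && (hi = hexval(src[1])) >= 0 && (lo = hexval(src[2])) >= 0) {
            dst[n++] = (unsigned char)(hi * 16 + lo); src += 2;
        } else dst[n++] = (unsigned char)*src;
    }
    return n;
}
/* Constructed samples: a request with a 0xFF byte, and the message's query. */
const unsigned char constructed_line[] = { 'G', 'E', 'T', ' ', 0xFF, '/', 'a' };
static const char constructed_query[] = "/index.html?%00xxxx";
size_t decoded_len(void) {                  /* 17: every byte survives decoding */
    unsigned char out[64] = {0};
    return url_decode(constructed_query, out, sizeof out - 1);
}
size_t strlen_view(void) {                  /* 12: str*() routines stop at the NUL */
    unsigned char out[64] = {0};
    url_decode(constructed_query, out, sizeof out - 1);
    return strlen((const char *)out);
}
```

A log analyser or CGI handler that keeps the explicit byte count (as url_decode returns it) and reads with an int sees the whole request; one that relies on char-typed reads or strlen() does not.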