Bugtraq mailing list archives
RE: [cgiwrap-users] RE: Format strings vuln in CGIwrap
From: "Neulinger, Nathan" <nneul () umr edu>
Date: Wed, 23 Apr 2003 12:04:43 -0500
In any case, I've changed this in cvs so as to avoid setting off any future false-alarms.

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul () umr edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216

-----Original Message-----
From: Neulinger, Nathan
Sent: Wednesday, April 23, 2003 11:59 AM
To: b0f www.b0f.net; bugtraq () securityfocus com
Cc: cgiwrap-users () lists sourceforge net
Subject: [cgiwrap-users] RE: Format strings vuln in CGIwrap

This is not a security problem. This is a case of using an automated tool to find these vulnerabilities and not attempting to understand the code itself.

Nowhere in the code is MSG_Error_General() passed anything other than a static compiled-into-the-executable string. It's purely a utility function to wrap common error text/footer/etc. around a generic string.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul () umr edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216

-----Original Message-----
From: security-bounces+nneul=umr.edu () lists umr edu [mailto:security-bounces+nneul=umr.edu () lists umr edu] On Behalf Of b0f www.b0f.net
Sent: Wednesday, April 23, 2003 11:06 AM
To: bugtraq () securityfocus com
Subject: Format strings vuln in CGIwrap

A locally and possibly remotely exploitable format strings bug exists in cgiwrap, available from

http://cgiwrap.sourceforge.net/
http://sourceforge.net/projects/cgiwrap
http://www.freebsd.org/ports/security.html

I. BACKGROUND

This is CGIWrap - a gateway that allows more secure user access to CGI programs on an HTTPd server than is provided by the http server itself. The primary function of CGIWrap is to make certain that any CGI script runs with the permissions of the user who installed it, and not those of the server.

CGIWrap works with NCSA httpd, Apache, CERN httpd, NetSite Commerce and Communications servers, and probably any other Unix based web server software that supports CGI.

II. DESCRIPTION

On line 91 of msgs.c the printf() function is used incorrectly, which results in a format strings vulnerability.

<snip>
void MSG_Error_General(char *message)
{
        MSG_Header("CGIWrap Error", message);
        printf(message);
        MSG_Footer();
        exit(1);
}
</snip>

The binaries in cgiwrap (cgiwrap and nph-cgiwrap) are installed setuid root. This could make this format problem exploitable locally to gain root privs or possibly remotely to gain root or the privs of the user who owns the cgi script.

III. ANALYSIS

An attacker could exploit this issue to escalate privs locally or remotely on a server running cgiwrap.

IV. DETECTION

This is vulnerable in the latest version of cgiwrap, version 3.7.1, and probably older versions (not checked). It would be exploitable on any Linux/Unix based OS running cgiwrap.

V. VENDOR

The vendor has not been contacted about this issue.

Regards
b0f (Alan M)
www.b0f.net
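
The pattern this thread argues about, as an added example that is not part of either message and not CGIWrap's code: a string handed to printf() as the format is only safe when it contains no conversion directives, while passing it as data to a constant "%s" format is safe regardless. The helper names count_conversions() and format_error_body() are hypothetical and the sample messages are constructed.

```c
#include <stdio.h>

/* Hypothetical audit helper: count printf conversion specifications in s.
 * "%%" is a literal percent sign and is not counted. A non-zero result
 * means s must never be used as a format string on its own. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;                    /* directive (or a stray trailing '%') */
    }
    return n;
}

/* Hypothetical hardened emitter: the format is a constant and the message
 * is passed as data, so '%' sequences in it are copied, not interpreted.
 * Returns the message length, as snprintf does. */
static int format_error_body(char *out, size_t outlen, const char *message)
{
    return snprintf(out, outlen, "%s", message);
}

int main(void)
{
    /* Constructed sample messages, not taken from CGIWrap. */
    const char *samples[] = {
        "Script file not found.",
        "Quota is 100%% used.",
        "user %s at %x",
    };
    char buf[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        format_error_body(buf, sizeof buf, samples[i]);
        printf("%d directive(s): %s\n", count_conversions(samples[i]), buf);
    }
    return 0;
}
```

Building with `-Wformat -Wformat-security` (GCC and Clang) flags a non-literal format string with no arguments at compile time, whether or not any current caller passes variable data.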