From: ajung@hssun5.cs.uni-sb.de (Andreas Jung)
Newsgroups: de.comp.security
Subject: Security hole in CGI scripts
Date: 29 May 1996 14:32:31 GMT

Perhaps the following security hole in CGI scripts is already known:

Often the arguments of a CGI script are used for shell calls inside the
script; for example, a CGI script is handed a username USER via a form.
Inside the script there is then usually a

    finger $USER

Now if a malicious person enters "username; mail

----------------------------------------------------------------

VH> So in theory every server that uses
VH>     cgiparse -init
VH> from the W3O distribution (ex CERN) in its CGI-BINs is open in this
VH> way, because you can run any shell command you like under the UserID
VH> of the WWW server.

I recently read something on the bugtraq list about a bug. With illegal
control characters you can abuse cgi-bins. Do you mean something like that?

Regards
Michael

----------------------------------------------------------------

Newsgroups: de.org.ccc
From: root@munster.dg8mgv.ampr.org (Valentin Hilbig)
Subject: Re: Hacking WWW pages
Reply-To: Valentin.Hilbig@public.uni-augsburg.de
Date: Sun, 25 Feb 1996 09:09:50 GMT

In article , Michael_Holzt@sp-dgd.mark.sub.de (Michael Holzt) writes:
|> On Monday, 19 February 1996 at 07:12, Valentin Hilbig wrote to All:
|>
|> VH> So in theory every server that uses
|> VH>     cgiparse -init
|> VH> from the W3O distribution (ex CERN) in its CGI-BINs is open in this
|> VH> way, because you can run any shell command you like under the UserID
|> VH> of the WWW server.
|>
|> I recently read something on the bugtraq list about a bug. With illegal
|> control characters you can abuse cgi-bins. Do you mean something like that?

Well, the control characters are not illegal at all, but I don't know the
bugtraq list.

Next week a CERT Advisory #34784 on "my" bug will come out, and a patch
from the developers can already be found at
http://www.w3.org/pub/WWW/Daemon/User/CGI/cgiparse.html

Tino

PS: Apart from that I could NOT find any bugs in CGIparse.c. At most,
if the SHELL is buggy, there could be problems.

--
Valentin.Hilbig@public.uni-augsburg.de   http://www.public.uni-augsburg.de/~tino/
Text in accordance with Art. 2+5 GG, Par. 193 StGB, Par. 51+97 StPO; place of jurisdiction Augsburg
This is meta news: Wrap your favorite greeting and closing around this message.

-------------------------------------------------------------------------

From: dnaber@pluto.teuto.de (Daniel Naber)
Newsgroups: de.comp.security
Subject: Re: Security hole in CGI scripts
Date: Wed, 29 May 1996 16:58:00 GMT
Organization: private site

ajung@hssun5.cs.uni-sb.de (Andreas Jung) wrote:
> Perhaps the following security hole in CGI scripts
> is already known:

That should be known to most people, but anyone who draws the conclusion
that all metacharacters must be escaped should be careful: \n is also
interpreted by shells as the start of a new command, and many people
forget that. If I remember correctly, exactly that was also a bug in the
CGI examples shipped with Apache <= 1.0.3.

Regards
Daniel Naber

--------------------------------------------------------------------------

Date: Wed, 29 May 1996 13:45:40 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Subject: CERT Advisory CA-96.11 - Interpreters in CGI bin Directories
Reply-To: cert-advisory-request@cert.org
Organization: CERT(sm) Coordination Center - +1 412-268-7090

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT(sm) Advisory CA-96.11
May 29, 1996

Topic: Interpreters in CGI bin Directories
- -----------------------------------------------------------------------------

Many sites that maintain a Web server support CGI programs. Often these
programs are scripts that are run by general-purpose interpreters, such as
/bin/sh or PERL. If the interpreters are located in the CGI bin directory
along with the associated scripts, intruders can access the interpreters
directly and arrange to execute arbitrary commands on the Web server system.

This problem has been widely discussed in several forums. Unfortunately,
some sites have not corrected it.

The CERT Coordination Center recommends that you never put interpreters in
a Web server's CGI bin directory.

As we receive additional information relating to this advisory, we will
place it in

        ftp://info.cert.org/pub/cert_advisories/CA-96.11.README

We encourage you to check our README files regularly for updates on
advisories that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     To execute CGI scripts, a Web server must be able to access the
     interpreter used for that script. Early documentation for Netscape and
     other servers recommended placing the interpreters in the CGI bin
     directory to ensure that they were available to run the script.

     All programs in the CGI bin directory can be executed with arbitrary
     arguments, so it is important to carefully design the programs to
     permit only the intended actions regardless of what arguments are
     used. This is difficult enough in general, but is a special problem
     for general-purpose interpreters since they are designed to execute
     arbitrary programs based on their arguments. *All* programs in the CGI
     bin directory must be evaluated carefully, even relatively limited
     programs such as gnu-tar and find.

     Note that the directory for CGI programs is typically called "cgi-bin"
     but the server may be configured to use a different name.

II.  Impact

     If general-purpose interpreters are accessible in a Web server's CGI
     bin directory, then a remote user can execute any command the
     interpreters can execute on that server.

III. Solution

     The solution to this problem is to ensure that the CGI bin directory
     does not include any general-purpose interpreters, for example

        + PERL
        + Tcl
        + UNIX shells (sh, csh, ksh, etc.)

     A variety of methods can be used to safely install such interpreters;
     methods vary depending on the system and Web server involved.

     On Unix systems, the location of the interpreter is given on the first
     line of the script:

        #! /path/to/interpreter

     On other systems, such as NT, there is an association between filename
     extensions and the applications used to run them. If your Web server
     uses this association, you can give CGI scripts an appropriate suffix
     (for example, ".pl" for PERL), which is registered to the appropriate
     interpreter. This avoids the need to install the interpreter in the
     CGI bin directory, thus avoiding the problem.

     Check with your Web server vendor for specific information. Netscape
     reports that the 2.0 versions of their FastTrack and Enterprise
     Servers (both the current Beta and upcoming final versions) do support
     file interpreter associations.

     Further reading:

     Tom Christiansen has a Web page with details about this problem and a
     script that can be used to test for it:

        http://perl.com/perl/news/latro-announce.html

     Lincoln Stein's WWW Security FAQ includes a section on "Problems with
     Specific Servers," which discusses this and related problems:

        http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.html

- ---------------------------------------------------------------------------
The CERT Coordination Center thanks Lincoln Stein, Tom Christiansen, and the
members of AUSCERT and DFN-CERT for their contributions to the information
in this advisory.
- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
- ------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT (GMT-4),
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from

        http://www.cert.org/
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup

        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to

        cert-advisory-request@cert.org

Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.

CERT is a service mark of Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMaxzTnVP+x0t4w7BAQETdwP/b33r0mLCZhHJDWeFFYGD7tSfBxgSn+lz
+9YoVJRCR/V54KGvsjN6Wya7rpIjgJRYhLp3B5C/hy9ApYX5ec44AKzYswgcW194
cHyj6bg6qZHEQMRk3R6xsXks19zsvEmN+N7xCJuR8gF1/XEUqY/fSB8xsaLNQ2Cl
ZegRkaV/WUo=
=LwbY
-----END PGP SIGNATURE-----
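The "finger $USER" pattern from Andreas Jung's post, Daniel Naber's reminder that a newline also separates shell commands, and the advisory's point that CGI programs must behave regardless of their arguments all come down to the same rule: validate the form value against an allowlist and hand it to the program as an argv element, never through a shell. The following Python is an added example written for this page; it is not code from the thread or from CERT. It shows why a metacharacter blacklist that forgets newline is not enough, a regex anchoring pitfall with the same effect, and the allowlist plus shell-free call that closes both. The function names and the allowlist pattern are this example's own assumptions.

```python
"""CGI form value used as a command argument: validate, then exec without a shell.

Added example for this page (not code from the thread above or from the
CERT advisory). Names and the allowlist pattern are this example's own.
"""
import re
import shlex
import subprocess

# Metacharacters a hurried blacklist escaper might cover. Newline is not in
# the set, which is exactly the omission Daniel Naber points out.
_NAIVE_META = set(';|&$`"\'\\<>()*?[]{}~ ')

# Allowlist for a login name: letters, digits, "_", ".", "-"; no leading "-"
# so the value cannot be read as an option by the called program.
_LOGIN_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")


def naive_escape(value: str) -> str:
    """Backslash-escape _NAIVE_META only; a raw newline passes through untouched."""
    return "".join("\\" + ch if ch in _NAIVE_META else ch for ch in value)


def naive_regex_accepts(value: str) -> bool:
    """The "^...$" check many scripts use. In Python, "$" also matches just
    before a final newline, so a value ending in a newline passes this test."""
    return re.match(r"^[A-Za-z0-9_.-]+$", value) is not None


def is_valid_login(value: str) -> bool:
    """fullmatch requires the whole string to match, trailing newline included."""
    return _LOGIN_RE.fullmatch(value) is not None


def build_finger_argv(user: str) -> list:
    """argv for finger; raises ValueError instead of passing a bad name along."""
    if not is_valid_login(user):
        raise ValueError("rejected login name: %r" % (user,))
    # "--" ends option parsing; with the allowlist above it is belt and braces.
    return ["finger", "--", user]


def run_finger(user: str) -> str:
    """Run finger with shell=False: the list goes straight to exec, so no
    character in `user` can start a second command."""
    proc = subprocess.run(build_finger_argv(user), capture_output=True,
                          text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and two that carry a separator.
    for sample in ("alice", "alice; mail", "alice\nmail"):
        print(repr(sample),
              "naive_escape ->", repr(naive_escape(sample)),
              "shlex.quote ->", repr(shlex.quote(sample)),
              "naive_regex_accepts ->", naive_regex_accepts(sample),
              "is_valid_login ->", is_valid_login(sample))
```

Run it directly to see the three treatments side by side: naive_escape leaves "alice\nmail" exactly as it came in, shlex.quote wraps it in single quotes (the correct escape if a shell string is unavoidable), and is_valid_login simply refuses it. The allowlist is the part to keep; escaping is the fallback for the rare case where the value really must be embedded in a shell command line.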
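The advisory's Solution section states the rule (no general-purpose interpreter in the CGI bin directory) but leaves the check to the administrator. The following Python is an added example written for this page; it is not a CERT tool and not part of CA-96.11. It audits a directory for three things the advisory's description implies: a file named like an interpreter, a file that is the same inode as an interpreter in a system bin directory (a hard link or symlink), and a script whose "#!" line points back into the CGI bin directory. INTERPRETER_NAMES, SYSTEM_BIN_DIRS and the sample directory built by build_sample_cgi_bin() are this example's own assumptions.

```python
"""Audit a CGI bin directory for general-purpose interpreters (CA-96.11 check).

Added example for this page; not a CERT tool. The interpreter list, the
system bin directories and the constructed sample directory are assumptions.
"""
import os
import re
import stat
import tempfile

# PERL, Tcl and the UNIX shells named in the advisory, plus common relatives.
INTERPRETER_NAMES = {"perl", "tclsh", "wish", "sh", "csh", "ksh", "bash", "zsh", "python"}
# Where those interpreters normally live; used only for inode comparison.
SYSTEM_BIN_DIRS = ("/bin", "/usr/bin", "/usr/local/bin")
# The sample directory adds a symlink to /bin/sh only where /bin/sh exists.
SAMPLE_HAS_SYMLINK = os.path.exists("/bin/sh")

NAMED_LIKE_INTERPRETER = "named like a general-purpose interpreter"
LINK_TO_SYSTEM_INTERPRETER = "is a link to a system interpreter"
SHEBANG_INTO_CGI_BIN = "#! line points into the CGI bin directory"


def _system_interpreter_ids():
    """(st_dev, st_ino) of every INTERPRETER_NAMES entry found in SYSTEM_BIN_DIRS."""
    ids = set()
    for d in SYSTEM_BIN_DIRS:
        for name in INTERPRETER_NAMES:
            try:
                st = os.stat(os.path.join(d, name))
            except OSError:
                continue
            ids.add((st.st_dev, st.st_ino))
    return ids


def _shebang_target(path):
    """Interpreter path from a leading '#!' line, or None for binaries and other files."""
    try:
        with open(path, "rb") as fh:
            first = fh.readline(256)
    except OSError:
        return None
    if not first.startswith(b"#!"):
        return None
    parts = first[2:].split()
    return parts[0].decode("utf-8", "replace") if parts else None


def audit_cgi_bin(cgi_dir):
    """Return a list of (filename, reason) findings for cgi_dir, sorted by name."""
    cgi_dir = os.path.realpath(cgi_dir)
    sys_ids = _system_interpreter_ids()
    findings = []
    for name in sorted(os.listdir(cgi_dir)):
        path = os.path.join(cgi_dir, name)
        try:
            st = os.stat(path)  # follows symlinks, so a link is judged by its target
        except OSError:
            continue  # dangling link or unreadable entry
        if not stat.S_ISREG(st.st_mode):
            continue
        base = re.sub(r"[0-9.]+$", "", name.lower())  # perl5.8 -> perl, python3 -> python
        if base in INTERPRETER_NAMES:
            findings.append((name, NAMED_LIKE_INTERPRETER))
        if (st.st_dev, st.st_ino) in sys_ids:
            findings.append((name, LINK_TO_SYSTEM_INTERPRETER))
        target = _shebang_target(path)
        if target and os.path.realpath(target).startswith(cgi_dir + os.sep):
            findings.append((name, SHEBANG_INTO_CGI_BIN))
    return findings


def build_sample_cgi_bin():
    """Constructed sample: a clean script, a stray interpreter copy, a script whose
    '#!' points into the directory, and (where /bin/sh exists) a symlink to it."""
    d = tempfile.mkdtemp(prefix="cgi-bin-sample-")
    with open(os.path.join(d, "ok.cgi"), "w") as fh:
        fh.write("#!/usr/bin/perl\nprint \"ok\\n\";\n")
    open(os.path.join(d, "perl"), "w").close()  # stands in for a copied interpreter
    with open(os.path.join(d, "script.cgi"), "w") as fh:
        fh.write("#!%s/perl\nprint \"hi\\n\";\n" % d)
    if SAMPLE_HAS_SYMLINK:
        os.symlink("/bin/sh", os.path.join(d, "runsh"))
    return d


if __name__ == "__main__":
    for fname, why in audit_cgi_bin(build_sample_cgi_bin()):
        print("%-12s %s" % (fname, why))
```

Point audit_cgi_bin() at the real directory the server is configured to use (the advisory notes it need not be called "cgi-bin"). The inode comparison is what catches the case a name check misses: a link to /usr/bin/perl called something innocuous is still the interpreter, reachable with arbitrary arguments from the network.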