COMMAND
wrap.cgi, handler.cgi, day5datacopier.cgi, day5notifier.cgi
SYSTEMS AFFECTED
IRIX 6.2
PROBLEM
If you checked httpd #2 in the IRIX section of Security Bugware,
you already know about the webdist.cgi vulnerability. Yuri Volobuev had
more to say about IRIX WWW security. The following text is credited to him.
webdist.cgi has brothers. cgi-bin/wrap, as J.A. Gutierrez kindly
pointed out, can be used to list any directory on the system.
The script itself is capable of doing even more damage, but it's
saved by the fact that it uses ARGV[0], and httpd escapes all
metacharacters in ARGV. Script attempts to do some security
checks, but the only one that actually prevents it from being
exploited is the test for file existence. See notes on tardist
below.
wrap is designed to work in tandem with /cgi-bin/handler, which
could be used to download any file under htdocs. That probably
doesn't sound too bad, but it is. When users are added using
Irix GUI, a symlink from /var/www/htdocs to ~luser/public_html is
created. Now, many users like playing with CGI scripts, which
are enabled for everybody in default Irix httpd config.
Exploiting unknown CGI script is a tedious task and requires some
vivid imagination. handler can simplify that. You just download
the .cgi file and look at it. Or maybe the web man has protected
some directory by index.html and/or .htaccess. wrap+handler will
happily ignore all of them and allow you to grab what you want
(.htpasswd, for instance). See example below. Note, that it's
actually a FEATURE, not a bug, just use the script the way it was
designed to work.
Apart from nice scripts in /cgi-bin, there's a load of goods in
/WhatsNew. It's just an amazing pile of crap. Thanks Lord it's
protected by .htaccess which only allows access from localhost,
otherwise it's just a remote root hole right there. It has 32
CGI scripts, and as if it wasn't enough, there're two root-suid
binaries that do most of the work, plus a root crontab entry.
Mike Neuman's right, there's no need to be smart here. Both
day5datacopier and day5notifier (search on IRIX section under
Security Bugware for description) are written in a genuine SGI
root-suid style, i.e. both execute external programs while
euid=0 using system() _without_ using absolute path.
day5datacopier calls cp first, day5notifier calls ps. Put
necessary programs with right names first in PATH and enjoy.
Default Irix config has Netscape, which comes with _rich_ mailcap
file. Several entries deserve honorable mentions there, but
perhaps application/x-tardist one is the best. When poor surfer
clicks on the link that feeds that MIME type to Netscape, per
mailcap it invokes /usr/sbin/tardist on it. tardist file is just
a tar file that contains a distribution in Irix "dist" format.
So tardist creates a subdirectory in /tmp, untars tmp file
supplied by netscape, and runs swmgr. Now I'm an evil guy. I
have that link on my page, disguised by javascript, that is
actually a CGI script that checks Agent header for SGI-"enhanced"
netscape. If it's there, it fingers the host where the request is coming
from, looks at idle time and ttys to find out which luser runs
netscape and what his home directory is, and sends a reply with
application/x-tardist type that consists of a tar file that
contains ../../usr/people/luser/.rhosts. Luser, after clicking
on that link, suddenly sees a window prompting for a root
password (it's swmgr running). Luser quickly clicks Cancel, but
it's too late. tar file was already unpacked, and luser has no
idea what's happened. Of course, there're many ways to use this,
for instance, create directory /var/www/htdocs/blah;/tmp/myscript
and /tmp/myscript, and then check out (yes, /var/www/htdocs is
world-writable):
http://victim/cgi-bin/wrap/blah;/tmp/myscript
/usr/local/lib/netscape/mailcap on Irix is loaded with crap.
Luckily most of the entries use programs that don't exist on the
box I use, but what I can see there gives me shivers.
Sure, having booby traps on one's web page is lame, but, as it was
wonderfully said in "12 monkeys", "This woman is my psychiatrist.
..." fill the gap yourself.
SOLUTION
Nuke it all. Nothing useful there. Uninstall all packages that
contain WWW stuff:
notably outbox.sw.webdist,
whatsnew.doc.whatsnew,
whatsnew.sw.whatsnew,
whatsnew.registration.whatsnew
See what's left in /var/www/htdocs and /var/www/cgi-bin, and
uninstall it too. Purge mailcap ruthlessly. Remember, _all_ WWW
stuff from SGI is potentially dangerous, don't take any chances.
And, even better, write an angry letter to SGI.
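Added example (not SGI's code and not part of Yuri Volobuev's post): a lexical check in C for an untrusted relative path, covering both the wrap/handler case above (PATH_INFO joined to the document root, including the blah;/tmp/myscript trick) and the tardist case (tar member names such as ../../usr/people/luser/.rhosts). The function names, the character allow-list, the 1024-byte limit and the sample member names are assumptions of this example. It is a string check only: it does not see symlinks, so the path that results from joining it to the document root should additionally be canonicalised with realpath(3) and compared against that root.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Allow-list of characters permitted in a path: letters, digits, '.',
 * '-', '_' and '/'.  Anything else, including ';', '|', '`', '$', '&',
 * whitespace and control bytes, is rejected outright instead of being
 * enumerated one metacharacter at a time (assumed list for this example). */
static int safe_char(unsigned char c)
{
    return isalnum(c) || c == '.' || c == '-' || c == '_' || c == '/';
}

/* Returns 1 if `path` is a relative path that cannot climb out of the
 * directory it is later joined to, 0 otherwise.  Rejects an empty or
 * over-long path, an absolute path, any "." or ".." component, empty
 * components ("a//b"), disallowed characters and, unless allow_dotfiles
 * is set, any component starting with '.' (so a web handler does not
 * serve .htpasswd or .htaccess).  A trailing '/' is accepted so that
 * directory requests keep working. */
int safe_relative_path(const char *path, int allow_dotfiles)
{
    size_t len = strlen(path);
    const char *p = path;

    if (len == 0 || len >= 1024 || path[0] == '/')
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!safe_char((unsigned char)path[i]))
            return 0;

    while (*p) {
        const char *slash = strchr(p, '/');
        size_t clen = slash ? (size_t)(slash - p) : strlen(p);

        if (clen == 0)                                   /* "a//b" */
            return 0;
        if (clen == 1 && p[0] == '.')                    /* "." */
            return 0;
        if (clen == 2 && p[0] == '.' && p[1] == '.')     /* ".." */
            return 0;
        if (!allow_dotfiles && p[0] == '.')              /* ".rhosts" etc. */
            return 0;
        if (!slash)
            break;
        p = slash + 1;
    }
    return 1;
}

/* Walks a list of tar member names and counts how many would be
 * refused before anything is extracted. */
int count_rejected(const char *const *names, size_t n, int allow_dotfiles)
{
    int rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (!safe_relative_path(names[i], allow_dotfiles))
            rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed sample: two plausible dist members plus the kind of
     * names a hostile tardist file would carry. */
    static const char *const members[] = {
        "blah/README",
        "blah/bin/tool",
        "../../usr/people/luser/.rhosts",
        "/etc/passwd",
    };
    size_t n = sizeof members / sizeof members[0];
    printf("%d of %zu tar members rejected\n",
           count_rejected(members, n, 1), n);
    printf("CGI path \"blah;/tmp/myscript\" accepted: %d\n",
           safe_relative_path("blah;/tmp/myscript", 0));
    return 0;
}
```

For the CGI scripts the call is safe_relative_path(path_info, 0); for an archive unpacker it is safe_relative_path(member_name, 1) on every header before the member is written out.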
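Added example (again not SGI's code, and not a reconstruction of day5datacopier or day5notifier): how a set-uid-root program can run a helper such as cp or ps without the system()-with-inherited-PATH pattern described above. It execs a fixed absolute path with a fixed environment and no shell in between, so the caller's PATH and IFS never matter. The function names, the PATH value and the use of /bin/sh for the demonstration are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* The only environment the helper ever sees (assumed values).  Nothing
 * is inherited from the invoking user, so neither PATH nor IFS can be
 * used to redirect what gets executed. */
static char *const SAFE_ENV[] = {
    "PATH=/usr/bin:/bin",
    "IFS= \t\n",
    NULL
};

/* Accept a program path only if it is absolute and free of "." / ".."
 * components, so the helper cannot be reached by PATH lookup or by
 * walking out of the intended directory. */
int trusted_program_path(const char *path)
{
    if (path == NULL || path[0] != '/')
        return 0;
    if (strstr(path, "/../") || strstr(path, "/./"))
        return 0;
    size_t n = strlen(path);
    if (n >= 3 && strcmp(path + n - 3, "/..") == 0)
        return 0;
    if (n >= 2 && strcmp(path + n - 2, "/.") == 0)
        return 0;
    return 1;
}

/* Runs `prog` (absolute path) with the NULL-terminated argv and the
 * scrubbed environment; returns the helper's exit status, or -1 if the
 * path was refused or the child could not be started or waited for. */
int run_helper(const char *prog, char *const argv[])
{
    if (!trusted_program_path(prog))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: no shell, no PATH search, fixed environment. */
        execve(prog, argv, SAFE_ENV);
        _exit(127);               /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demonstration: ask a helper whether PATH really is the fixed value.
 * /bin/sh is used only because it exists on every POSIX system. */
int helper_sees_fixed_path(void)
{
    char *const argv[] = { "sh", "-c", "test \"$PATH\" = /usr/bin:/bin", NULL };
    return run_helper("/bin/sh", argv) == 0;
}

/* Demonstration: the helper's exit status comes back unchanged. */
int run_shell_exit(int code)
{
    char cmd[32];
    snprintf(cmd, sizeof cmd, "exit %d", code);
    char *const argv[] = { "sh", "-c", cmd, NULL };
    return run_helper("/bin/sh", argv);
}

/* A relative name, as in the original system("cp ...") pattern, is
 * refused before anything is executed. */
int relative_name_refused(void)
{
    char *const argv[] = { "cp", "-p", "src", "dst", NULL };
    return run_helper("cp", argv) == -1;
}

int main(void)
{
    printf("helper sees fixed PATH: %s\n", helper_sees_fixed_path() ? "yes" : "no");
    printf("exit status passthrough: %d\n", run_shell_exit(3));
    printf("relative \"cp\" refused: %s\n", relative_name_refused() ? "yes" : "no");
    return 0;
}
```

A real helper call would be run_helper("/bin/cp", argv) or run_helper("/bin/ps", argv); the point is that the name is fixed in the binary and the environment is built by the binary, not taken from the user who ran it.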
You may patch them (wrap and handler):
*** handler.orig Wed Jul 23 20:49:26 1997
--- handler Wed Jul 23 20:55:25 1997
***************
*** 26,31 ****
--- 26,32 ----
$pathRoot = $_[$#_] ;
$doc = $ROOT.$PATH ;
+ $_ = $PATH;
&ErrBadPath unless &ValidPath ; # Check for server spoofing
#__________________________________________________________
***************
*** 108,113 ****
--- 109,117 ----
sub ValidPath
{
+ # suggested by drazvan@kappa.ro
+ if (/[|;]/) { return '' };
+
return 1 unless /\.\./ ;
return '' if /^\.\./ ;
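Review bot: the new `if (/[|;]/) { return '' };` is a deny-list of two shell metacharacters; backticks, `$`, `&`, newlines and NUL bytes are not matched by it, and the stray `;` after the block is harmless but unidiomatic. Prefer an allow-list that rejects anything outside the characters a document path legitimately needs, e.g. `return '' unless m{^[A-Za-z0-9_./-]+$};`, placed before the `..` tests.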
***************
*** 117,120 ****
--- 121,136 ----
return 1 ;
}
+ sub ErrBadPath
+ {
+ print <<ENDOFTEXT ;
+ Content-type: text/html
+ <HEAD><TITLE>404 Not Found</TITLE></HEAD>
+ <BODY><H1>404 Not Found</H1>
+ The requested URL $PATH was not found on this server.<P>
+ </BODY>
+ ENDOFTEXT
+
+ die ;
+ }
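Review bot: as shown, the here-document in ErrBadPath has no empty line between `Content-type: text/html` and `<HEAD>`, so the HTML would be sent as further header lines rather than as the body; a blank line must separate CGI headers from content (if one was lost in transcription, restore it). Two smaller points: without a `Status: 404 Not Found` header the server still answers 200 with a 404-looking page, and `$PATH` is interpolated into the HTML unescaped, so the rejected input is reflected verbatim; HTML-encode it or leave it out of the message.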
*** wrap.orig Wed Jul 23 20:51:08 1997
--- wrap Wed Jul 23 20:51:08 1997
***************
*** 66,71 ****
--- 66,74 ----
$doc = $ROOT.$PATH ;
&DefaultMesg if ! defined $PATH || $PATH eq "" ; # Get a base listing =)
+
+ $_ = $PATH;
+
&ErrBadPath unless &ValidPath ; # Check for server spoofing
&ErrBadPath unless -e $doc ; # Check to see it exists
&HandleDownload if -f $doc ; # Do the right thing
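Review bot: ValidPath and the `-e $doc` / `-f $doc` tests look only at the string `$ROOT.$PATH`, so a path that passes lexically can still resolve outside the document root through a symlink, and the advisory above notes that /var/www/htdocs is world-writable and gets symlinks into users' public_html. Canonicalise `$doc` (e.g. with Cwd::abs_path) and refuse it unless the result still starts with `$ROOT` before any listing or download happens.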
***************
*** 242,247 ****
--- 245,253 ----
sub ValidPath
{
+ # suggested by drazvan@kappa.ro
+ if (/[|;]/) { return '' };
+
return 1 unless /\.\./ ;
return '' if /^\.\./ ;
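Review bot: this ValidPath body is a verbatim copy of the one patched in handler, so the two scripts now carry identical checks that must be kept in sync by hand; the `[|;]` test is what blocks the advisory's own `wrap/blah;/tmp/myscript` example, but a later fix to one copy will not reach the other. Move ValidPath into a library file required by both scripts, and tighten it to an allow-list rather than naming individual metacharacters.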