COMMAND
sdbsearch.cgi
SYSTEMS AFFECTED
SuSE 6.x, 7.x
PROBLEM
Maurycy Prodeus found the following. There is a weakness in the
sdbsearch.cgi script, which is part of the SuSE distribution. It is
a Perl script, and since SuSE 7.1 some form of protection has been
introduced (the interpreter is invoked with taint checking).
sdbsearch.cgi trusts the content of the HTTP_REFERER variable, which
is set by the client side during HTTP requests. Part of this data is
used to locate the file holding the keywords and referenced files. If
there is a way to place such a file on the attacked host (e.g. an
upload through ftpd) with special content, sdbsearch will use open()
to access the matching files, so the standard open() pipe-based attack
applies (only without the -T option). The uploaded file has to be
named "keylist.txt", because only the pathname can be manipulated,
using double dots.
The proof of concept is very simple: just create a harmful keylist.txt,
for instance in the /tmp directory, and send a request to the HTTP
server like this:
GET /cgi-bin/sdbsearch.cgi?stichwort=keyword HTTP/1.0
Referer: http://szachy.org/../../../../../tmp
(very deep traversal, because we don't know what DOCUMENT_ROOT is)
An example content for our /tmp/keylist.txt can be created like this:
$ echo -e "keyword\0touch exploitable|" > /tmp/keylist.txt
After a successful attempt there will be an "exploitable" file in the
/tmp directory.
SOLUTION
SuSE 6.x, 7.x (7.1 and 7.2 have tainting protection, but even then
sdbsearch can be passed files which shouldn't be read). Just filter the
HTTP_REFERER variable.
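As an added illustration of that filtering (this is not SuSE's sdbsearch.cgi code or its official fix), the Perl below derives the keylist.txt location from a Referer value by whitelisting the URL path and reads it with three-argument open(), so a trailing "|" in the name can no longer turn the open into a pipe. DOC_ROOT, keylist_path and read_keywords are hypothetical names and the document root is an assumption.

```perl
#!/usr/bin/perl
# Added example, not SuSE's sdbsearch.cgi: derive the keylist.txt
# location from a Referer value without trusting it. DOC_ROOT,
# keylist_path and read_keywords are hypothetical names.
# Run as "perl -T this.pl": the regex capture also untaints $path.
use strict;
use warnings;

# Assumed document root; the real CGI has its own configuration.
my $DOC_ROOT = '/usr/share/doc/sdb';

# Return the absolute keylist.txt path for a referer, or undef when the
# referer is missing, malformed, or would escape $DOC_ROOT.
sub keylist_path {
    my ($referer) = @_;
    return undef unless defined $referer;
    # Keep only the URL path; drop scheme, host, query and fragment.
    my ($path) = $referer =~ m{^https?://[^/?#]+(/[^?#]*)?} or return undef;
    $path = '/' unless defined $path;
    # Whitelist: '/'-separated names of letters, digits, '_' and '-'.
    # This rejects '..', '|', NUL bytes and anything else exotic.
    return undef unless $path =~ m{^((?:/[A-Za-z0-9_-]+)*)/?$};
    my $dir  = $1;
    my $full = "$DOC_ROOT$dir/keylist.txt";
    # Defence in depth: the result must still sit below $DOC_ROOT.
    return undef unless index($full, "$DOC_ROOT/") == 0;
    return $full;
}

# Read a keylist with three-argument open(): the mode is fixed to '<',
# so a trailing '|' in the name can never turn the open into a pipe.
sub read_keywords {
    my ($file) = @_;
    open(my $fh, '<', $file) or return ();
    my @lines = <$fh>;
    close $fh;
    chomp @lines;
    return @lines;
}

# Constructed referer values, including the shape from the advisory.
for my $ref ('http://www.suse.de/sdb/en/html/',
             'http://szachy.org/../../../../../tmp',
             'http://example.org/a/b|',
             undef) {
    my $p = keylist_path($ref);
    printf "%-42s -> %s\n", (defined $ref ? $ref : '(none)'),
                            (defined $p ? $p : 'REJECTED');
}
```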
Official fix:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/doc1/sdb-2001.5.15-6.noarch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/sdb-2001.5.15-6.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.1/doc1/sdb-2001.1.18-2.noarch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/sdb-2001.1.18-2.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/doc1/sdb-2000.7.14-3.noarch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/sdb-2000.7.14-3.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/doc1/sdb-2000.3.13-1.noarch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/sdb-2000.3.13-1.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/doc1/sdb-99.11.8-10.noarch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/sdb-99.11.8-10.src.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/doc1/sdb-2001.1.18-0.noarch.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/sdb-2001.1.18-0.src.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/doc1/sdb-2000.7.14-0.noarch.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/sdb-2000.7.14-0.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.1/doc1/sdb-2001.1.18-0.noarch.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/sdb-2001.1.18-0.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.0/doc1/sdb-2000.7.14-0.noarch.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/sdb-2000.7.14-0.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/doc1/sdb-2000.3.13-0.noarch.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/sdb-2000.3.13-0.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/doc1/sdb-99.11.8-2.noarch.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/sdb-99.11.8-2.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/doc1/sdb-2001.1.18-0.noarch.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/sdb-2001.1.18-0.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/doc1/sdb-2000.7.14-0.noarch.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/sdb-2000.7.14-0.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/doc1/sdb-2000.3.13-0.noarch.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/sdb-2000.3.13-0.src.rpm