Subject: SCO scohelhttp documentation webserver exposes local files
From: Olle Segerdahl (olle.segerdahl@DEFCOM-SEC.COM)
Date: Mon Sep 11 2000 - 02:38:58 CDT

                  Defcom Labs Advisory def-2000-01

             UnixWare 7 scohelphttp exposes local files

Author: Olle Segerdahl <olle@defcom-sec.com>
Release Date: 2000-09-11
- ------------------------=[Brief Description]=-------------------------
The search function "/search97cgi/vtopic" used by the UnixWare 7
"scohelphttp" webserver (tcp port 457) contains a bug that lets anyone
with access to scohelphttp view any world-readable file on the host.

- ------------------------=[Affected Systems]=--------------------------
SCO UnixWare 7 with "scohelphttp" enabled (default install)
Possibly other applications using the same, or similar, search97 code.

- ----------------------=[Detailed Description]=------------------------
The view function of the search97cgi/vtopic CGI has a parameter called
ViewTemplate that specifies an HTML template file for the search results.

The contents of this variable are not checked for "/../" path components,
so anyone can view any file readable by the webserver process.
The webserver runs as user "nobody" by default, which limits the accessible
files to those that are world-readable (/etc/passwd, but not /etc/shadow).

- ---------------------------=[Workaround]=-----------------------------
Run the following commands (as root):


These commands stop and disable the scohelphttp webserver. Await a fix from SCO.

- -------------------------=[Vendor Response]=--------------------------
This issue was brought to SCO's attention on the 18th of July and was
assigned the ID SCO-375377.

I have, at the time of this release, not yet been informed by SCO of
any adequate fix for this problem, either existing or forthcoming.

Their initial response to my report was (verbatim):
"The search function you refer to is part of the documentation search
facility on a UnixWare 7 system that has scohelphttp(X1M), the man and
scohelp document server, configured and enabled.
Disabling scohelphttp(X1M) will remove the ability to access man pages
and the scohelp online help facility on the system. I do consider this
to be a bug in scohelphttp(X1M) and I have raised this issue with our
Engineering group to see if there is a workaround to the problem.
If there is no workaround, I will escalate the issue to be fixed."

On the 31st of July SCO proposed a fix that substituted a shell script
wrapper for the vtopic CGI. The wrapper checked whether the first character
of the ViewTemplate variable was a dot or a slash
(using "if echo $QUERY_STRING | egrep '(Template=\.|Template=/)'")
and then ran the original (unfixed) vtopic CGI.

My reply was that this fix was not only inadequate but, in my view, worse
than the original, since it introduced new problems with shell
metacharacters in $QUERY_STRING.
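The two passages above (the unchecked "/../" in ViewTemplate, and the
first-character egrep wrapper) are contrasted in the following added example.
It is not code from the advisory or from SCO: it re-creates the wrapper's
check as a regex and sets beside it the canonical-path confinement a CGI
should apply to a template parameter. TEMPLATE_DIR is a constructed
placeholder, not UnixWare's real template location.

```python
import os
import re
from urllib.parse import parse_qs

# Constructed placeholder; the advisory does not give the real template location.
TEMPLATE_DIR = "/tmp/example_templates"

# The wrapper SCO proposed: an egrep over the raw $QUERY_STRING that refuses the
# request only when the character right after "Template=" is a dot or a slash.
VENDOR_CHECK = re.compile(r"Template=\.|Template=/")


def vendor_check_blocks(query_string: str) -> bool:
    """True if the proposed shell-wrapper check would have refused this request."""
    return VENDOR_CHECK.search(query_string) is not None


def resolve_template(query_string: str, template_dir: str = TEMPLATE_DIR):
    """Return the canonical path of the requested template if it lies inside
    template_dir, otherwise None.

    The decision is made on the resolved filesystem path, not on the raw
    parameter text, so ".." anywhere in the value, absolute paths, URL-encoded
    forms (decoded once by parse_qs, as the CGI itself would) and symlinks are
    all judged by where they actually land.
    """
    values = parse_qs(query_string, keep_blank_values=True).get("ViewTemplate")
    if not values or len(values) != 1:
        return None  # missing or repeated parameter: refuse rather than guess
    base = os.path.realpath(template_dir)
    try:
        # join() discards base for an absolute value, so "/etc/passwd" fails below
        candidate = os.path.realpath(os.path.join(base, values[0]))
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. embedded NUL byte
        return None
    if candidate == base or not inside:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample query strings, shown to contrast the two checks.
    for q in ("ViewTemplate=results.hts&QueryText=scohelp",
              "ViewTemplate=/etc/passwd",
              "ViewTemplate=sub/../../etc/passwd",
              "ViewTemplate=%2e%2e/%2e%2e/etc/passwd"):
        print(f"{q!r:48} wrapper blocks={vendor_check_blocks(q)!s:5} "
              f"confined={'ok' if resolve_template(q) else 'rejected'}")
```

The wrapper only ever sees the first character of the undecoded value, so a
relative path or a URL-encoded one passes it unchanged, while the confinement
check rejects anything that does not resolve under the template directory.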

The last communication I received from SCO was on August the 8th:
"The search97cgi binary is the problem and I have conveyed a message to
the engineers responsible that the workaround is not acceptable.
As soon as I have any further news of a solution I will let you know."

  This release was brought to you by Defcom Labs of Defcom Security

          labs@defcom-sec.com www.defcom-sec.com

