OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Ory Segal (ORY.SEGALSANCTUMINC.COM)
Date: Thu Mar 21 2002 - 11:06:46 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Vulnerability in Apache for Win32 batch file processing - Remote command
    execution

    => Author: Ory Segal, Sanctum inc. http://www.sanctuminc.com

    => Release date: March, 21st 2002 (Vendor was notified at: Feb. 13th 2002)

    => Vendor: Apache group

    => Product: Apache web server (Win32) - Running DOS batch files
                Tested on:
                 - Apache 1.3.23
                 - Apache 2.0.28-BETA (By default includes /cgi-bin/test-cgi.bat
    file which
                   enables this attack)

    => Severity: High, remote command execution and arbitrary file viewing.

    => CVE candidate: CAN-2002-0061
       (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0061)

    => Summary: Because of a the way Apache web server handles DOS batch scripts
    it is possible to execute remote commands on the web server by using the
    pipe ('|') character.

    ** IMPORTANT **
    The Apache 2.0.x installation is shipped with the default script
    /cgi-bin/test-cgi.bat
    which can be exploited, but it should be noted that ANY '.bat' or '.cmd'
    script
    will allow exploitation of this vulnerability.

    => Description: When a request for a DOS batch file (.bat or .cmd) is sent
    to an Apache
    web server, the server will spawn a shell interpreter (cmd.exe by default)
    and
    will run the script with the parameters sent to it by the user. Because no
    proper validation is done on the input, it is possible to send a pipe
    character
    ('|') with commands appended to it as parameters to the CGI script, and the
    shell
    interpreter will execute them.

    Example:

    1)
    http://TARGET/cgi-bin/test-cgi.bat?|copy+..\conf\httpd.conf+..\htdocs\httpd.
    conf

    This request will copy the httpd.conf file residing in the /conf directory
    of the Apache
    installation, into the virtual web root where it can be viewed by any user.

    2) http://TARGET/cgi-bin/test-cgi.bat?|echo+Foobar+>>+..\htdocs\index.html

    This will append the string "Foobar" to the index.html file residing in the
    virtual
    web root directory.

    3) http://TARGET/cgi-bin/test-cgi.bat?|dir+c:+>..\htdocs\dir.txt

    This will create a file containing the directory listing of the C: drive,
    and will put the file in the virtual web root, where any user can read it.

    ** Notes:

    1) Url-Decoding is not provided by Apache except for the '+' character which
    is substituted by a space character.

    2) Spilling the output into the STDOUT would most likely cause Apache to
    write an
    error message since it expects the STDOUT of a CGI script to have an HTTP
    response format
    (potential HTTP headers followed by a mandatory blank line followed by a
    response body).
    Therefore in order to view the result of a command, it is recommended that
    you redirect
    the output to a file under the web server's virtual root.

    => Solution: Upgrade your Apache web server to: 1.3.24 (which should be
    available later
    today), or 2.0.34-beta (which will be published soon). Downloads are located
    at:
    http://www.apache.org/dist/httpd/

     <<apache_advisory.txt>>

              Ory Segal
            Sanctum, Inc.
     http://www.SanctumInc.com/