[NT] Vulnerability in Apache for Win32 Batch File Processing (Remote Command Execution)
From: support@securiteam.comDate: 03/23/02
- Previous message: support@securiteam.com: "[EXPL] phpBB2 Remote Execution Command (db.php)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Sat, 23 Mar 2002 12:17:35 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Vulnerability in Apache for Win32 Batch File Processing (Remote Command
Execution)
------------------------------------------------------------------------
SUMMARY
Because of the way Apache web server handles DOS batch scripts it is
possible to execute remote commands on the web server by using the pipe
('|') character.
DETAILS
Vulnerable systems:
* Apache version 1.3.23
* Apache version 2.0.28-BETA (By default includes /cgi-bin/test-cgi.bat
file which enables this attack)
Immune systems:
* Apache version 1.3.24
* Apache version 2.0.34-beta
When a request for a DOS batch file (.bat or .cmd) is sent to an Apache
web server, the server will spawn a shell interpreter (cmd.exe by default)
and will run the script with the parameters sent to it by the user.
Because no proper validation is done on the input, it is possible to send
a pipe character ('|') with commands appended to it as parameters to the
CGI script, and the shell interpreter will execute them.
Example:
1)
http://TARGET/cgi-bin/test-cgi.bat?|copy+..\conf\httpd.conf+..\htdocs\httpd.conf
This request will copy the httpd.conf file residing in the /conf directory
of the Apache installation, into the virtual web root where it can be
viewed by any user.
2) http://TARGET/cgi-bin/test-cgi.bat?|echo+Foobar+>>+..\htdocs\index.html
This will append the string "Foobar" to the index.html file residing in
the virtual web root directory.
3) http://TARGET/cgi-bin/test-cgi.bat?|dir+c:+>..\htdocs\dir.txt
This will create a file containing the directory listing of the C: drive,
and will put the file in the virtual web root, where any user can read it.
Notes:
1) URL-Decoding is not provided by Apache except for the '+' character
which is substituted by a space character.
2) Spilling the output into the STDOUT would most likely cause Apache to
write an error message since it expects the STDOUT of a CGI script to have
an HTTP response format (potential HTTP headers followed by a mandatory
blank line followed by a response body). Therefore in order to view the
result of a command, it is recommended that you redirect the output to a
file under the web server's virtual root.
Solution:
Upgrade your Apache web server to: 1.3.24, or 2.0.34-beta (which will be
published soon). Download files are located at:
<http://www.apache.org/dist/httpd/> http://www.apache.org/dist/httpd/
ADDITIONAL INFORMATION
The information has been provided by <mailto:ORY.SEGAL@SANCTUMINC.COM>
Ory Segal.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[EXPL] phpBB2 Remote Execution Command (db.php)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
