Re: CGI.pm may assist in IDS evasion

From: Lincoln Yeoh (lyeoh@pop.jaring.my)
Date: 02/27/02


Date: Wed, 27 Feb 2002 13:45:58 +0800
To: "SecurITeam BugTraq Monitoring" <bugtraq@securiteam.com>, <vuln-dev@securityfocus.com>
From: Lincoln Yeoh <lyeoh@pop.jaring.my>

I don't think this is a vulnerability in CGI.pm. The behaviour is according
to the HTML4 recommendation. It is more of an IDS vulnerability.

http://www.w3.org/TR/html4/appendix/notes.html#h-B.2.2

B.2.2 Ampersands in URI attribute values
The URI that is constructed when a form is submitted may be used as an
anchor-style link (e.g., the href attribute for the A element).
Unfortunately, the use of the "&" character to separate form fields
interacts with its use in SGML attribute values to delimit character entity
references. For example, to use the URI "http://host/?x=1&y=2" as a linking
URI, it must be written <A href="http://host/?x=1&#38;y=2"> or <A
href="http://host/?x=1&amp;y=2">.

We recommend that HTTP server implementors, and in particular, CGI
implementors support the use of ";" in place of "&" to save authors the
trouble of escaping "&" characters in this manner.

At 10:38 PM 25-02-2002 +0200, SecurITeam BugTraq Monitoring wrote:
>Evading IDS detection on CGI attacks
>
>Vulnerable systems:
>CGI.pm
>
>Not Vulnerable:
>ASP, EXE based CGIs, and most other UNIX based CGIs (non CGI.pm) seem to be
>immune
>
>Summary:
>CGI.pm seems to have a different behavior from other CGI parsers. As you can
>notice from the CGI query structure, every value name pair is separated by
>a '&' sign. It seems that CGIs based on CGI.pm can parse such value name
>pairs even if they are separated by a ';'. The RFC is not very clear on
>whether '&' and ';' should be used, but rather refers them both to Reserved
>characters. The replacing of '&' and ';' enables launching CGI attacks while
>evading IDS detection, because the name value pair breakdown would be done
>differently.
>
>For example:
>A CGI running under the CGI.pm environment would understand both:
>http://host/cgi-bin/test.cgi?a=b&c=d&e=f
>And
>http://host/cgi-bin/test.cgi?a=b;c=d;e=f
>As:
>A CGI query to test.cgi, with the names of a, c, d, and their corresponding
>values.
>
>Impact:
>
>The next step would be to confirm:
>1) What IDSes are fooled by this attack?
>2) Can this be used to attack other CGI checking mechanisms such as content
>filters, etc?
>3) Perhaps knowing that the remote CGI is based on CGI.pm is dangerous by
>itself?
>
>Thanks
>Noam Rathaus
>http://www.SecurITeam.com
>http://www.BeyondSecurity.com
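As an added example (not code from either poster, and not CGI.pm itself), the following Python shows the parser discrepancy the thread is about from the inspection side: a query-string splitter that, like CGI.pm, accepts both '&' and ';' as pair delimiters, beside one that only splits on '&', run over the two URLs quoted in the original post. The `split_pairs`, `params_as_seen_by`, `normalise_for_inspection` and `parser_views_differ` names are this example's own; the point is that a detector which wants to see the same name/value breakdown as the CGI must normalise with the same separator set.

```python
"""Added example: compare a '&'-only query parser with a CGI.pm-style one
that also honours ';', and show a defender-side normalisation that
yields the same view of a request whichever separator the client used.
The two sample URLs are the ones quoted in the thread."""
from urllib.parse import unquote_plus, urlsplit


def split_pairs(query, separators="&;"):
    """Split a raw query string into decoded (name, value) pairs.

    `separators` lists every character treated as a pair delimiter.
    CGI.pm accepts both '&' and ';' (per the HTML4 note B.2.2 quoted
    above); a parser written only for '&' would pass "&" alone here.
    """
    chunks = []
    current = []
    for ch in query:
        if ch in separators:
            chunks.append("".join(current))
            current = []
        else:
            current.append(ch)
    chunks.append("".join(current))

    pairs = []
    for chunk in chunks:
        if not chunk:  # tolerate "a=b&&c=d" and a trailing separator
            continue
        name, has_eq, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value) if has_eq else ""))
    return pairs


def params_as_seen_by(url, separators):
    """Name/value pairs a parser using `separators` extracts from `url`."""
    return split_pairs(urlsplit(url).query, separators)


def normalise_for_inspection(url):
    """Canonical, order-independent view for a detector: split on the same
    separator set the CGI does, so a rule written against the '&' form of
    a request also sees the ';' form as the same set of parameters."""
    return sorted(params_as_seen_by(url, "&;"))


def parser_views_differ(url):
    """True when a '&'-only parser and a CGI.pm-style parser disagree on the
    breakdown of `url`; this is the condition the quoted post describes."""
    return params_as_seen_by(url, "&") != params_as_seen_by(url, "&;")


# Sample requests taken from the quoted post.
AMP_URL = "http://host/cgi-bin/test.cgi?a=b&c=d&e=f"
SEMI_URL = "http://host/cgi-bin/test.cgi?a=b;c=d;e=f"

if __name__ == "__main__":
    for url in (AMP_URL, SEMI_URL):
        print(url)
        print("  '&'-only parser :", params_as_seen_by(url, "&"))
        print("  CGI.pm-style    :", params_as_seen_by(url, "&;"))
        print("  views differ    :", parser_views_differ(url))
    print("same after normalisation:",
          normalise_for_inspection(AMP_URL) == normalise_for_inspection(SEMI_URL))
```

With the '&'-only splitter the second URL collapses into a single parameter `a` whose value is `b;c=d;e=f`, which is exactly why a signature keyed on parameter names would not fire, while the CGI itself sees three parameters. The splitter is hand-written rather than using `urllib.parse.parse_qs` because that function's treatment of ';' changed across Python 3 releases, and the example should behave the same everywhere.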
