Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

RE: Format strings vuln in CGIwrap
From: "Neulinger, Nathan" <nneul () umr edu>
Date: Wed, 23 Apr 2003 11:59:15 -0500
This is not a security problem. This is a case of using an automated
tool to find these vulnerabilites and not attempting to understand the
code itself. 

Nowhere in the code is MSG_Error_General() passed anything other than a
static compiled-into-the-executable string. It's purely a utility
function to wrap common error text/footer/etc. around a generic string.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul () umr edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216



-----Original Message-----
From: security-bounces+nneul=umr.edu () lists umr edu 
[mailto:security-bounces+nneul=umr.edu () lists umr edu] On 
Behalf Of b0f www.b0f.net
Sent: Wednesday, April 23, 2003 11:06 AM
To: bugtraq () securityfocus com
Subject: Format strings vuln in CGIwrap




A locally and possibly remotely exploitable format
strings bug exists 
in cgiwrap available from  
http://cgiwrap.sourceforge.net/
http://sourceforge.net/projects/cgiwrap
http://www.freebsd.org/ports/security.html 

I. BACKGROUND

This is CGIWrap - a gateway that allows more secure
user access to
CGI programs on an HTTPd server than is provided by the
http server
itself. The primary function of CGIWrap is to make
certain that
any CGI script runs with the permissions of the user
who installed
it, and not those of the server.

CGIWrap works with NCSA httpd, Apache, CERN httpd,
NetSite Commerce
and Communications servers, and probably any other Unix
based web
server software that supports CGI.

II. DESCRIPTION

On line 91 of msgs.c the printf() function is used
incorrectly. Which 
results
in a format strings vulnerability.
<snip>
void MSG_Error_General(char *message)
{
        MSG_Header("CGIWrap Error", message);
        printf(message); 
        MSG_Footer();
        exit(1);
}
</snip>

The binaries in cgiwrap, (cgiwrap and nph-cgiwrap) are
installed setuid 
root.
Thus could make this format problem exploitable locally
to gain root 
privs or
possably remotely to gain root or the privs of the user
who owns the cgi 
script.

III. ANALYSIS
An attacker could exploit this issue to escalate privs
locally or 
remotely on
a server running cgiwrap.

IV. DETECTION

This is vulnerable in the latest version of cgiwrap
version 3.7.1 and 
properly
older versions(not checked). It would be exploitable on
any Linux/Unix 
based OS
running cgiwrap 

V. VENDOR
The vendor has not been contacted about this issue.

Regards
b0f  (Alan M)
www.b0f.net
_______________________________________________
UMR Security List Exploder
security () lists umr edu
https://lists.umr.edu/mailman/listinfo/security

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]