Vulnerability of NCSA cgi-bin applications

Alexander O. Yuriev (alex@bach.cis.temple.edu)
Fri, 08 Mar 1996 18:43:00 -0500

I realize that that is not directly related to the mailing list, but it
could be a useful way of alerting people who deal with intrusion detection.
It just happened that a lot of WWW servers run by those people are affected!
:)

        Alex

------START OF THE FORWARDED MESSAGE FROM linux-alert-----------------


If you are running NCSA's httpd WWW server (or, conceivably, someone
else's), have compiled the phf.c application found in the NCSA
distribution's cgi-src directory, and have installed it into an area
designated for cgi-bin applications, please 'chmod a-x' it immediately.

(This applies to *at least* the phf.c application as provided with NCSA
httpd versions 1.3 and 1.5a-export; I've not inspected the other
distributions yet.)

Many sites (I've looked around a bit and have had a hit rate of roughly
50% so far, but maybe I'm just "lucky")--including the top-level WWW
servers for some large and/or very high-profile domains--appear to have
"blindly" installed all of the cgi-src applications provided with NCSA's
httpd.  The most notable aspect of this particular cgi-bin
vulnerability, at least to me, is not so much the vulnerability itself
(it's been seen before) but rather its quite widespread nature.

This vulnerability allows a remote client to retrieve any world-readable
file from the server system, as well as execute commands and create
files on the server with the privileges of the euid of the httpd server
process.

Depending on the server's (mis)configuration, this could conceivably be
used as an avenue through which to replace the httpd server binary
itself with a trojan--quite possibly to be run as root during the
system's next boot cycle.  It can also be used, largely independent of
the server system's configuration--and rather easily--to gain remote
interactive access to the server with the userid that the httpd server
runs under.  (I'm sure there are lots of other "nifty" possibilities,
but I first found out about this just a few waking hours ago and have so
far performed only the most basic proof-of-concept exploits.)

More details (full disclosure, etc.) to follow on the linux-security
list and on Bugtraq....

--Up.

P.S. I'll bet everyone just can't wait for Java!

--
Jeff Uphoff - systems/network admin.  |  juphoff@nrao.edu
National Radio Astronomy Observatory  |  juphoff@bofh.org.uk
Charlottesville, VA, USA              |  jeff.uphoff@linux.org
    PGP key available at: http://www.cv.nrao.edu/~juphoff/
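The two defender-side actions this thread calls for, the advisory's `chmod a-x` remediation and the intrusion-detection angle Alex raises in his preface, as an added shell example that is not part of either message. The cgi-bin directory paths, the access-log path and the log lines are constructed for illustration; the log format assumed is the Common Log Format NCSA httpd writes.

```shell
#!/bin/sh
# Added example, not part of the original advisory: defender-side checks for
# the phf issue. Directory paths, the log path and the log lines below are
# constructed for illustration.
#   phf_audit DIR...     report executable files named 'phf' in cgi-bin dirs
#   phf_disable FILE     apply the advisory's fix (chmod a-x) and verify it
#   phf_log_hits LOG     count requests for /cgi-bin/phf in a Common Log
#                        Format access log (the intrusion-detection side)

phf_audit() {
    found=0
    for dir in "$@"; do
        f="$dir/phf"
        if [ -f "$f" ] && [ -x "$f" ]; then
            echo "executable phf: $f"
            found=1
        fi
    done
    return $found          # 0 = clean, 1 = at least one executable phf
}

phf_disable() {
    chmod a-x "$1" && [ ! -x "$1" ]
}

phf_log_hits() {
    [ -r "$1" ] || return 2
    # Match the CLF request field: "METHOD /cgi-bin/phf[?...] HTTP/x.y"
    grep -c '"[A-Z][A-Z]* /cgi-bin/phf[?/ ]' "$1" || :
}

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/cgi-bin"
    printf '#!/bin/sh\necho demo\n' > "$tmp/cgi-bin/phf"
    chmod 755 "$tmp/cgi-bin/phf"
    cat > "$tmp/access_log" <<'EOF'
10.0.0.5 - - [08/Mar/1996:18:43:00 -0500] "GET /index.html HTTP/1.0" 200 1034
10.0.0.9 - - [08/Mar/1996:18:44:10 -0500] "GET /cgi-bin/phf?Qname=test HTTP/1.0" 200 512
10.0.0.9 - - [08/Mar/1996:18:44:12 -0500] "GET /cgi-bin/phf HTTP/1.0" 200 398
EOF
    phf_audit "$tmp/cgi-bin" || phf_disable "$tmp/cgi-bin/phf"
    phf_audit "$tmp/cgi-bin" && echo "cgi-bin clean"
    echo "phf requests in log: $(phf_log_hits "$tmp/access_log")"   # 2
    rm -rf "$tmp"
}

demo
```

Run it as the user that owns the cgi-bin tree; the audit only looks for a file literally named `phf`, so adjust the name if your site installed the compiled binary under a different one.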