Vulnerability in NCSA/Apache CGI example code

DOVES Vulnerability V-00112

DOVES Project
Computer Security Laboratory
Department of Computer Science
University of California at Davis



Description

Brief summary: CGI phf program allows remote command execution through shell metacharacters.

Detailed description: The phf program, which is installed by default with several implementations of httpd servers, contains a weakness that can allow intruders to execute arbitrary commands on the server. The most common attack involves an attempt to retrieve the httpd server's /etc/passwd file.

A security vulnerability has been reported in example CGI code, as provided with the NCSA httpd 1.5a-export and Apache httpd 1.0.3 (and possibly previous distributions of both servers). The example code contains a library function escape_shell_cmd() (in cgi-src/util.c). This function, which attempts to prevent exploitation of shell-based library calls such as system() and popen(), contains a vulnerability: the newline character is missing from the list of characters it escapes, so a newline passed through it still reaches the shell as a command separator. Any program which relies on escape_shell_cmd() to prevent exploitation of shell-based library calls may be vulnerable to attack. In particular, this includes the "phf" program, which is also distributed with the example code. Some sites may have installed phf by default, even though it is not required to run httpd successfully.

Any vulnerable program which is installed as a CGI application may allow unauthorised activity on the HTTP server. A remote user may retrieve any world-readable files, execute arbitrary commands and create files on the server with the privileges of the httpd process which answers HTTP requests. This may be used to compromise the HTTP server and, under certain configurations, gain privileged access.

The routine escape_shell_cmd() also occurs in the file src/util.c. Note that the files cgi-src/util.c and src/util.c are not identical; however, they both contain an identical copy of the routine escape_shell_cmd(), which has the vulnerability. The file src/util.c is used to build the HTTP daemon, therefore the "newline" hole exists within the server as well.

Components: Please note that this vulnerability is not in httpd itself, but in CGI programs which rely on the supplied escape_shell_cmd() function. Any HTTP server (not limited to NCSA or Apache) which has installed CGI programs which rely on escape_shell_cmd() may be vulnerable to attack.

Operating system(s): Apache Group: Apache 1.0.3; NCSA: NCSA httpd 1.5a-export

How to detect:

    1. Sites which have the source code to their CGI applications available can determine whether their applications may be vulnerable by examining the source for usage of the escape_shell_cmd() function, which is defined in cgi-src/util.c. Note that the files cgi-src/util.c and src/util.c are not identical; however, they both contain an identical copy of the routine escape_shell_cmd(), which has the vulnerability. The file src/util.c is used to build the HTTP daemon, therefore the "newline" hole exists within the server as well.
    2. Sites which do not have the source code for their CGI applications should contact the distributors of the applications for more information.

How to fix:

    1. Any CGI program which uses the escape_shell_cmd() function and is not required should be disabled. This may be accomplished by removing execute permissions from the program or removing the program itself. In particular, sites which have installed the "phf" program and do not require it should disable it. The "phf" program is not required to run httpd successfully. Sites requiring "phf" functionality should apply one of the workarounds given in sections 3.2 and 3.3 of the AUSCERT advisory (items 2 and 3 below).
    2. The intent of the escape_shell_cmd() function is to prevent passing shell meta-characters to susceptible library calls. A more secure approach is to avoid the use of these library calls entirely. AUSCERT recommends that sites which are currently using CGI programs which use shell-based library calls (such as system() and popen()) consider rewriting these programs to remove direct calls to easily compromised library functions.
    3. For sites that still wish to use programs using the escape_shell_cmd() function, a patched version of cgi-src/util.c has been made available by NCSA which addresses this particular vulnerability. (As of CERT Advisory CA-96.06, http://www.cert.org/advisories/CA96.06.cgi_example_code.html, original issue date: March 20, 1996, last revised: September 24, 1997.) The patched version of util.c is available as part of the http1.5.1b3-export distribution. This is available from: http://hoohoo.ncsa.uiuc.edu/beta-1.5 Please note that this is a beta release of the NCSA httpd and is not a stable version of the httpd. The patched version of cgi-src/util.c may be used independently. CGI programs which are required and use escape_shell_cmd() should be recompiled with the new version of cgi-src/util.c and then reinstalled. Apache have reported that they intend to fix this vulnerability in a future release. Until then the patched version of util.c as supplied in the http1.5.1b3-export release should be compatible.
    4. The patch recommended by NCSA modifies the routine escape_shell_cmd() to expand the list of characters that it will escape. In the routine escape_shell_cmd(), the line:

           if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){

       must be changed to:

           if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){

       The only difference is the trailing \n added to the list, so that a newline in the input is escaped like the other shell meta-characters.
    5. Instead of patching the source, the most up-to-date version of NCSA HTTPd source may be downloaded from: ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/current/httpd_1.5.1-export_source.tar.Z MD5 (httpd_1.5.1-export_source.tar.Z) = bcf1fd410b5839c51dc75816a155fbb8
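To make the "newline hole" and its patch concrete, here is an added C example (written for this entry; it is not code from the page, from NCSA or from Apache). It carries the escape_shell_cmd() logic with both character lists, the one shipped in cgi-src/util.c and the one from the CA-96.06 patch, a check for an unescaped newline surviving in the escaped string, and the advisory's preferred alternative of running the helper program without any shell. escape_copy(), has_unescaped_newline() and run_without_shell() are names chosen here, and the sample query string is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Index of c in s, or -1: the contract of ind() in NCSA cgi-src/util.c. */
static int ind(const char *s, char c)
{
    const char *p = (c == '\0') ? NULL : strchr(s, c);
    return p ? (int)(p - s) : -1;
}

/* Character lists used by escape_shell_cmd(): the first is the list shipped
 * with NCSA httpd 1.5a-export / Apache 1.0.3, the second is the CA-96.06
 * patch, which appends '\n' so a newline can no longer end the command. */
#define SHELL_META_1996  "&;`'\"|*?~<>^()[]{}$\\"
#define SHELL_META_FIXED "&;`'\"|*?~<>^()[]{}$\\\n"

/* Body of escape_shell_cmd(): insert a backslash before every byte found in
 * bad, shifting the rest of the string right. cmd must have room to grow;
 * the original left that to the caller, escape_copy() allocates the worst case. */
static void escape_with(char *cmd, const char *bad)
{
    int x, y, l = (int)strlen(cmd);

    for (x = 0; cmd[x]; x++) {
        if (ind(bad, cmd[x]) != -1) {
            for (y = l + 1; y > x; y--)
                cmd[y] = cmd[y - 1];
            l++;                 /* the string is one byte longer now */
            cmd[x] = '\\';
            x++;                 /* skip the byte we just escaped */
        }
    }
}

/* Malloc'd escaped copy of in: vulnerable list when patched == 0,
 * CA-96.06 list otherwise. Caller frees the result. */
char *escape_copy(const char *in, int patched)
{
    size_t n = strlen(in);
    char *out = malloc(2 * n + 1);       /* worst case: every byte escaped */

    if (out == NULL)
        return NULL;
    memcpy(out, in, n + 1);
    escape_with(out, patched ? SHELL_META_FIXED : SHELL_META_1996);
    return out;
}

/* Reviewer's check for the hole: does an unescaped '\n' survive escaping?
 * If so, popen()/system() would hand the shell a second command line. */
int has_unescaped_newline(const char *s)
{
    size_t i;

    for (i = 0; s[i] != '\0'; i++) {
        if (s[i] == '\\' && s[i + 1] != '\0') {
            i++;                         /* the next byte is escaped */
            continue;
        }
        if (s[i] == '\n')
            return 1;
    }
    return 0;
}

/* The fix the advisory actually prefers: no shell at all. The query travels
 * as one argv element, so no byte in it is interpreted. Returns the child's
 * exit status, or -1 on failure. */
int run_without_shell(char *const argv[])
{
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                      /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *query = "alice\nsecond line";   /* constructed sample input */
    char *old = escape_copy(query, 0);
    char *fixed = escape_copy(query, 1);
    char *argv[] = { "echo", "-n", (char *)query, NULL };

    printf("1996 list: unescaped newline left? %d\n", has_unescaped_newline(old));
    printf("patched  : unescaped newline left? %d\n", has_unescaped_newline(fixed));
    printf("\nexit status without a shell: %d\n", run_without_shell(argv));
    free(old);
    free(fixed);
    return 0;
}
```

Running it shows the 1996 list leaving the embedded newline untouched while the patched list turns it into a backslash-newline pair; the final call passes the same string to echo as a single argument, where it is printed rather than parsed, which is what recommendation 2 above asks CGI authors to do instead of calling system() or popen().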

Other information:


Keywords


Cataloguing Information

PA Classification:

RISOS Classification:

Davis Classification:


Exploits

Attacks: from Paul Danckaert (pauld@lemur.org)

----------------------------------------------------------------------

#!/usr/bin/perl
#
# Pseudo-Phf  -  A not-quite-real phf replacement that provides a warning
#                       against attacks, as well as presenting false
#                       information to the attacker.
#
# Paul Danckaert (pauld@lemur.org)
#

$email    = "security@lemur.org";
$sendmail = "/usr/lib/sendmail";

###

print "Content-type: text/html\n\n";

if ($ENV{"QUERY_STRING"} eq "") {
        ShowForm();
        $action = "Looked At Form";
} else {
        if ($ENV{"QUERY_STRING"} =~ /(\/|%2f)passwd/i) {
                ShowBadPass();
                $action = "Attempted Password Grab";
        } else {
                $action = "Submitted Form";
        }
}
$notice = "[/CGI-BIN/PHF] $action";

open(MAIL,"| $sendmail $email");
print MAIL "From: PHF Watcher <$email>\n";
print MAIL "To: $email\n";
print MAIL "Subject: $notice\n\n";
print MAIL "[AutoMessage from PHF]\n\n";
print MAIL "ENV List\n------------------------------------------\n";
foreach $var (keys %ENV) {
        $ENV{$var} =~ s/\n//g;
        print MAIL "$var \t $ENV{$var}\n";
}
print MAIL ".\n\n";
close (MAIL);

#
# Print Error Message to the users request.
#
print <<"EOF";
Query Results
/usr/local/bin/ph - Command not found

EOF

exit 0;


sub ShowForm {

# Decoy query form, shown here as plain text.
print <<"EOF";
Form for CSO PH query

This form will send a PH query to the specified ph server.

PH Server:

At least one of these fields must be specified:

  Alias
  Name
  E-mail Address
  Nickname
  Office Phone Number
  HAM Callsign
  Proxy
  High School
  SLIP Address

Show additional fields to narrow query
Return more than default fields

Questions, comments to: Jim Browne
EOF
}

sub ShowBadPass {

# Fake password file returned to anyone who asks for passwd.
print <<"EOF";
root:9IDv/CqdFuqWo:0:0:Super User:/:/bin/csh
sysadm:*:0:0:System V Administration:/usr/admin:/bin/sh
diag:*:0:996:Hardware Diagnostics:/usr/diags:/bin/csh
daemon:*:1:1:daemons:/:/dev/null
bin:*:2:2:System Tools Owner:/bin:/dev/null
uucp:*:3:5:UUCP Owner:/usr/lib/uucp:/bin/csh
fax:*:3:10:Fax:/var/spool/fax:/bin/sh
sys:*:4:0:System Activity Owner:/var/adm:/bin/sh
adm:*:5:3:Accounting Files Owner:/var/adm:/bin/sh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
nuucp::10:10:Remote UUCP User:/var/spool/uucppublic:/usr/lib/uucp/uucico
auditor:*:11:0:Audit Activity Owner:/auditor:/bin/sh
dbadmin:*:12:0:Security Database Owner:/dbadmin:/bin/sh
rfindd:*:66:1:Rfind Daemon and Fsdump:/var/rfindd:/bin/sh
EZsetup:*:992:998:System Setup:/usr/Cadmin:/bin/csh
demos::993:997:Demonstration User:/usr/demos:/bin/csh
tutor::994:997:Tutorial User:/usr/tutor:/bin/csh
OutOfBox::995:997:Out of Box Experience:/usr/people/tour:/bin/csh
guest::998:998:Guest Account:/usr/adm/guest:/bin/csh
4Dgifts::999:998:4Dgifts Account:/usr/people/4Dgifts:/bin/csh
nobody:*:60001:60001:Nobody:/dev/null:/dev/null
noaccess:*:60002:60002:uid no access:/dev/null:/dev/null
nobody:*:-2:-2:original nobody uid:/dev/null:/dev/null
www:*:20:10:The Web Slinger:/web/www:/bin/csh
webadmin:ecKu77KmsNALs:0:0:Sysadmin web account:/:/bin/sh
testact::1000:10:Test Account:/:/bin/sh
ftp:*:60001:60001:FTP ACCOUNT:/ftp:/dev/null
EOF
}

Related Information

    Advisories:
        http://www.cert.org/summaries/CS-96.06.html
        http://www.cert.org/advisories/CA-96.06.cgi_example_code.html
        ERS-SVA-E01-1996:002.2: NCSA HTTPD and Apache HTTPD Common Gateway Interface vulnerability (IBM)
        ERS-SVA-E01-1996:002.1: CGI program can be tricked into executing any arbitrary command (IBM)
        CA-96.06: Vulnerability in NCSA/Apache CGI example code (CERT)

    Related DOVES entries:


    History

    Who reported it: This bug was first made public by the IBM ERS Team. However, the bug was reported to them by Jennifer Myers early in 1996. Previous to that the exploit had been in wide distribution circles among hackers.

    Sources: Paul Danckaert, SecurityFocus message id Pine.SGI.3.95.960923104108.28911A-100000@lemur.acs.umbc.edu, posted Mon Sep 23 1996 10:43:01.

    From http://www.cert.org/advisories/CA-96.06.cgi_example_code.html: The text of this advisory was originally released on March 14, 1996, as AUSCERT Advisory AA-96.01, developed by the Australian Computer Emergency Response Team. The actual release date of the IBM ERS Advisory (ERS-SVA-E01-1996:002.2) was 16 April 1996.

Stacey Anderson

Send email to doves@cs.ucdavis.edu

    Department of Computer Science
    University of California at Davis
    One Shields Ave.
    Davis, CA 95616-8562

    Page created August 28, 2000 at 16:41:49 GMT
