Hi, today I downloaded CGI-scanner and scanned my PC (SuseLinux 6.0). The scanner found only one bug: "Searching for test-cgi : Found!!" Can somebody tell me how this bug works and what a cracker would do to gain access? And how can I fix this bug? Th@nx Christian
On Sun, 11 Jul 1999, belial wrote:
> Hi, today I downloaded CGI-scanner and scanned my PC (SuseLinux 6.0). The scanner found only one bug: "Searching for test-cgi : Found!!" Can somebody tell me how this bug works and what a cracker would do to gain access? And how can I fix this bug?
> Th@nx
> Christian
Fixing it is easy: either chmod 0 /usr/local/httpd/cgi-bin/test-cgi or rm /usr/local/httpd/cgi-bin/test-cgi. The script contains a line that reads echo argc is $#. argv is "$*". So you could probably send a nasty URL to it like http://your.domain.tld/cgi-bin/test-cgi?;cat%20/etc/shadow%0a wid.
Hi! We have some SuSE and Red Hat boxes around here, and I just tested our Red Hat machines for this exploit:
> so you could probably send a nasty URL to it like http://your.domain.tld/cgi-bin/test-cgi?;cat%20/etc/shadow%0a
but nothing happened. After checking the httpd.conf I saw that the httpd runs as user nobody on the Red Hat box. Since I do not have access to the SuSE machines I cannot check whether it runs there as nobody too. So is it possible that on the SuSE boxes the httpd runs as non-'nobody', which makes it able to read the /etc/shadow? cu stefan
On Thu, 29 Jul 1999, Stefan Völkel wrote:
> http://your.domain.tld/cgi-bin/test-cgi?;cat%20/etc/shadow%0a
> but nothing happened. After checking the httpd.conf I saw that the httpd runs as user nobody on the Red Hat box. Since I do not have access to the SuSE machines I cannot check whether it runs there as nobody too. So is it possible that on the SuSE boxes the httpd runs as non-'nobody', which makes it able to read the /etc/shadow?
Hello Stefan, normally only root can read /etc/shadow, but in almost all standard configurations of http servers the user nobody is used (or something equivalent, such as "wwwrun" in the SuSE Apache config). So there is little chance that the above example will work. But with a buggy test-cgi, one where you find a line such as 'echo $*' (an UNquoted $*), someone could execute arbitrary commands as the user running httpd, so normally NOT root, but nevertheless it is not recommended to leave such a hole! So simply make sure that the environment variables are quoted in test-cgi, or disable it completely! Bye, Peter
On Thu, 29 Jul 1999, Stefan Völkel wrote:
> SuSE machines I cannot check whether it runs there as nobody too. So is it possible that on the SuSE boxes the httpd runs as non-'nobody', which makes it able to read the /etc/shadow?
I'm running SuSE 5.2 with mostly the default settings, and my httpd runs as 'nobody', and 'nobody' cannot read /etc/shadow, if that makes sense. cog
-- 
David M. Webster ++ aka cogNiTioN ++ cognition@bigfoot.com
My new domain <cognite.net> should be up and running soon.
I use Linux every day to up my productivity - so up yours!
Moin, test-cgi is really a test CGI .... BUT earlier versions had a BUG which opened a security hole: client-initialised ENV variables were NOT quoted, such as $QUERY_STRING, $HTTP_ACCEPT, ...! So it was easy to append shell commands to the ENV vars. The result then was: ..:% echo <regular query_string>; <appended sh-command> The NEWer versions are fixed! Regards - Richard
-- 
..."AS IS" WITHOUT WARRANTY OF ANY KIND ...
PGP-public-key: http://www.wlp.de/pgp_public_keys/rl-pgp-public-key.txt
Kontakt: http://www.wlp.de/kontakt
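Both Peter and Richard point at the same root cause: a client-controlled variable such as $QUERY_STRING expanded without quotes inside the script. The following is an added example, not code from the thread or from the Apache test-cgi script, that shows what the shell does with such an unquoted expansion and what the quoted fix looks like. The stand-in cgi-bin directory, its two empty files and the check_cgi_script heuristic are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: why an unquoted variable in a
# CGI shell script leaks information, and what the quoted fix looks like.
# The directory and file names below are constructed for the demonstration.

# Build a stand-in for a cgi-bin directory holding two constructed, empty
# files, so that shell pathname expansion has something to match.
# Prints the directory path.
make_fake_cgibin() {
    dir=$(mktemp -d)
    : > "$dir/printenv"
    : > "$dir/test-cgi"
    printf '%s\n' "$dir"
}

# The weak form: QUERY_STRING is expanded UNquoted, as in the old test-cgi.
# The shell applies word splitting and pathname expansion to the value, so
# a query of "*" turns into the listing of the directory the script runs in.
# Arguments: $1 = directory to run in, $2 = query string sent by the client.
render_unquoted() {
    ( cd "$1" && QUERY_STRING="$2" && echo QUERY_STRING = $QUERY_STRING )
}

# The hardened form: the same variable inside double quotes is printed
# literally. "*" stays "*" and nothing on the filesystem is consulted.
render_quoted() {
    ( cd "$1" && QUERY_STRING="$2" && echo "QUERY_STRING = $QUERY_STRING" )
}

# Heuristic audit of a CGI shell script (a constructed check, not a tool
# from the thread): flag any echo line that expands a client-controlled
# variable with no double quote between "echo" and the end of the line.
# Returns 0 when nothing suspicious is found, 1 when a line is flagged.
check_cgi_script() {
    ! grep -E 'echo[^"]*\$(QUERY_STRING|\*|HTTP_[A-Z_]+)[^"]*$' "$1" >/dev/null
}

# Stand-alone run: compare the two renderings for a query of "*".
if [ "${0##*/}" != "sh" ] && [ -z "$CGI_EXAMPLE_NO_MAIN" ]; then
    cgibin=$(make_fake_cgibin)
    echo "unquoted: $(render_unquoted "$cgibin" '*')"
    echo "quoted:   $(render_quoted "$cgibin" '*')"
    rm -rf "$cgibin"
fi
```

The unquoted rendering prints the names of the files in the directory, which is exactly the kind of system information the other replies warn about handing to a stranger; the quoted rendering prints the three characters the client sent and nothing more. The audit is only a heuristic: it catches the pattern the thread describes, not every possible unquoted expansion.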
On Sun, 11 Jul 1999, belial wrote:
> Searching for test-cgi : Found!! Can somebody tell me how this bug works and what a cracker would do to gain access? And how can I fix this bug?
Hi, it's not a bug, it's a FEATURE! ;-) The Apache package comes with the script "/usr/local/httpd/cgi-bin/test-cgi", which shows some information about your system. You can test it yourself using the URL http://localhost/cgi-bin/test-cgi. The output will show the values of some env variables. To disable this, you can delete the file, or simply do a chmod 600 /usr/local/httpd/cgi-bin/test-cgi. Ciao, Peter P.S.: There could also be the files printenv and test.pl with similar behaviour.
belial wrote:
> Hi, today I downloaded CGI-scanner and scanned my PC (SuseLinux 6.0). The scanner found only one bug: "Searching for test-cgi : Found!!" Can somebody tell me how this bug works and what a cracker would do to gain access?
IMHO test-cgi reports a few pieces of information which may be interesting for a hacker.
> And how can I fix this bug?
Delete it!
-- 
Dirk Hebenstreit, HEBI D. Hebenstreit Buero-Informationstechnik, Eschenweg 3, 14558 Bergholz-Rehbruecke
Tel: +49-0177-2461522, +49-033200-85997  FAX: +49-033200-85999  e-Mail: dhebenstreit@rios.de
I know nothing about CGI-scanner, but the facts are: 1) there is a script called test, active in the cgi-bin, which is a security threat; 2) it prints out variable listings of the system, and there is no reason you should willingly give any information about your system to possible crackers. belial wrote:
> Hi, today I downloaded CGI-scanner and scanned my PC (SuseLinux 6.0). The scanner found only one bug: "Searching for test-cgi : Found!!" Can somebody tell me how this bug works and what a cracker would do to gain access? And how can I fix this bug?
> Th@nx
> Christian
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Hello!
> I know nothing about CGI-scanner, but the facts are: 1) there is a script called test, active in the cgi-bin, which is a security threat; 2) it prints out variable listings of the system, and there is no reason you should willingly give any information about your system to possible crackers. A CGI-Scanner can be found at www.rootshell.com under "Exploits" and "Jun 99".
It's a good thing to test your own server. But of course this script doesn't know _all_ CGIs with security bugs, so it can only give you more security, not perfect security. Jan
-- 
Jan Theofel, Webadministrator, rst Unternehmensberatungs- und Handelsgesellschaft mbH, Bahnhofstrasse 35, 71272 Renningen
Tel.: 07159/800-450  Fax: 07159/800-451
* belial <belial@foni.net> writes:
> Searching for test-cgi : Found!! Can somebody tell me how this bug works and what a cracker would do to gain access?
You might find information on that at Bugtraq's archive <http://www.securityfocus.com/>
> And how can I fix this bug?
If you don't need this file ("test-cgi"), delete it, move it to some safe place, or change the access rights (chmod). You'll find the location of the file using "locate test-cgi".
-- 
Mark Lutz
Accept German and English
participants (10)
- belial
- cogNiTioN
- Dirk Hebenstreit
- Jack Barnett
- Jan Theofel
- Mark Lutz
- Niall Cosgrove
- Peter Münster
- Richard Leopold
- Stefan Völkel