How do we filter this HTTP_REFERER ?
---------- Forwarded Message ----------
Return-path:
Received: from outgoing.securityfocus.com [66.38.151.6] by osbtown.com
[208.1.39.12]
with SMTP (MDaemon.v3.5.7.R)
for ; Thu, 02 Aug 2001 02:07:44 -0700
Received: from lists.securityfocus.com (lists.securityfocus.com
[66.38.151.19])
by outgoing.securityfocus.com (Postfix) with QMQP
id 91D31259B0B; Wed, 1 Aug 2001 23:20:43 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id:
List-Post: mailto:bugtraq@securityfocus.com
List-Help: mailto:bugtraq-help@securityfocus.com
List-Unsubscribe: mailto:bugtraq-unsubscribe@securityfocus.com
List-Subscribe: mailto:bugtraq-subscribe@securityfocus.com
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 3141 invoked from network); 1 Aug 2001 23:16:53 -0000
Date: Thu, 2 Aug 2001 01:09:42 +0200 (CEST)
From: Maurycy Prodeus
X-Sender: z33d@cubx.elando.pl
To: bugtraq@securityfocus.com
Subject: suse: sdbsearch.cgi vulnerability
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN;
charset=US-ASCII
X-MDRcpt-To: phil@osbtown.com
X-MDRemoteIP: 66.38.151.6
X-Return-Path: bugtraq-return-1479-phil=osbtown.com@securityfocus.com
X-MDaemon-Deliver-To: phil@osbtown.com
Reply-To: bugtraq-return-1479-phil=osbtown.com@securityfocus.com
Status: R
X-Status: N
Hello,
I found weakness in sdbsearch.cgi script which is a part of Suse distribution.
This is perl script and since Suse 7.1 they have introduced some form of
protection (interpreter is called with tainting checking). However, I think
it isn't enough and this bug still may produce danger.
Sdbsearch.cgi trusts content of HTTP_REFERER variable which is set by client
side during http's requests. Piece of this data is used to locating file with
keywords and referenced files. If there is possiblity to put such file
on attacked host (i.e. upload through ftpd) with special content, sdbsearch
will use open() to get access to match files. So we can make standard open()
pipe based attack (only without -T option). Name of uploaded file has to
be "keylist.txt" because we manipulate only on pathname, using double dots.
Proof of concept is very simple, just create harmful keylist.txt for instance
in /tmp directory and send request to http server like this:
GET /cgi-bin/sdbsearch.cgi?stichwort=keyword HTTP/1.0
Referer: http://szachy.org/../../../../../tmp
(very deep traversal because we don't know what is DOCUMENT_ROOT)
and an example content of our /tmp/keylist.txt create like this:
$ echo -e "keyword\0touch exploitable|" > /tmp/keylist.txt
After successful attempt there will be "exploitable" file in /tmp directory.
Affected system:
Suse 6.x 7.x (7.1 and 7.2 have tainting protection, but even then
we can pass sdbsearch files which shouldn't be read)
Patch:
Just filter HTTP_REFERER variable.
- z33d
--
je Art_of_self_destruct
pushl %eax
pushl %eax
pushl %ebx
pushl %ebx
popl %ecx ----== http://z33d.eth-security.net ==----
pushl %eax
pushl %eax
pushl %ebx
pushl %ebx
Art_of_self_destruct:
hlt
Hello,
I found weakness in sdbsearch.cgi script which is a part of Suse
distribution. This is perl script and since Suse 7.1 they have introduced
some form of protection (interpreter is called with tainting checking).
However, I think it isn't enough and this bug still may produce danger.
Sdbsearch.cgi trusts content of HTTP_REFERER variable which is set by client
side during http's requests. Piece of this data is used to locating file with
keywords and referenced files. If there is possiblity to put such file
on attacked host (i.e. upload through ftpd) with special content, sdbsearch
will use open() to get access to match files. So we can make standard open()
pipe based attack (only without -T option). Name of uploaded file has to
be "keylist.txt" because we manipulate only on pathname, using double dots.
Proof of concept is very simple, just create harmful keylist.txt for instance
in /tmp directory and send request to http server like this:
GET /cgi-bin/sdbsearch.cgi?stichwort=keyword HTTP/1.0
Referer: http://szachy.org/../../../../../tmp
(very deep traversal because we don't know what is DOCUMENT_ROOT)
and an example content of our /tmp/keylist.txt create like this:
$ echo -e "keyword\0touch exploitable|" > /tmp/keylist.txt
After successful attempt there will be "exploitable" file in /tmp directory.
Affected system:
Suse 6.x 7.x (7.1 and 7.2 have tainting protection, but even then
we can pass sdbsearch files which shouldn't be read)
Patch:
Just filter HTTP_REFERER variable.
- z33d
--
je Art_of_self_destruct
pushl %eax
pushl %eax
pushl %ebx
pushl %ebx
popl %ecx ----== http://z33d.eth-security.net ==----
pushl %eax
pushl %eax
pushl %ebx
pushl %ebx
Art_of_self_destruct:
hlt
-------------------------------------------------------