SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Post-query CGI Vendors:   NCSA
NCSA Post-query CGI Code Allows Remote Code Execution
SecurityTracker Alert ID:  1001106
SecurityTracker URL:  http://securitytracker.com/id/1001106
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Mar 16 2001
Original Entry Date:  Mar 16 2001
Impact:   Execution of arbitrary code via network, User access via network


Description:   The post-query CGI code originally written by NCSA reportedly contains a vulnerability that allows remote users to specify arbitrary code that will be executed by the server with the privileges of the cgi script.

The post-query.c code contains a buffer overflow condition that is apparently easily exploitable, as the code supplies the pointer to the exploit code itself (the pointer does not need to be second-guessed).

By feeding 10,000 bogus entries, and then sending specially crafted buffer contents for the next entry, memory will be allocated and with the exploit code written into it. Some restrictions apply, as discussed in the original message (below).

Impact:   A remote user can cause arbitrary code to be executed on the server.
Solution:   It is recommended that users remove this application. It was only intended as demonstration code, not for production use.
Vendor URL:  ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/cgi/cgi-src (Links to External Site)
Cause:   Boundary error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Re: NCSA Post-query CGI Code Allows Remote Code Execution
The author of the original message provides some demonstration exploit code



 Source Message Contents

Subject:  Remote buffer overflow condition in post-query (CGI).


The overflow condition is *very* easily exploitable, since the
code actually supplies the pointer to the exploit code itself,
odd as it maye seem. The pointer thusly does not need to be
second-guessed at all, making life much easier for crackers.

Code excerpts;

...

#define MAX_ENTRIES 10000

typedef struct {
    char *name;
    char *val;
} entry;

...

main(int argc, char *argv[]) {
    entry entries[MAX_ENTRIES];

...

    for(x=0;cl && (!feof(stdin));x++) {
        m=x;
        entries[x].val = fmakeword(stdin,'&',&cl);
        plustospace(entries[x].val);
        unescape_url(entries[x].val);
        entries[x].name = makeword(entries[x].val,'=');
    }

...

Fellow C programmers would surely see the problem right away.

By feeding 10,000 bogus entries, and then sending a specially
prepared buffer for the 10,001'th, you get a situation where
memory is allocated, the exploit code is written into it and
the pointer is then put into the 10,001'st position of the
entries struct. This happens to be the position of the return
pointer. When the program ends, it does not call `exit' as
I would say most network applications should, instead it
returns to __start, or in a case where the return pointer
has been overwritten, it returns to the user-supplied code.

The only problem with this exploit is that `fmakeword' allocates
102400 bytes for each buffer. Before you think that the problem
then becomes entirely theoretical, consider that most modern
kernels does not give the programs actual physical memory until
the memory is written to. A fair estimate would be that to be
vulnerable the server would need around 40-50MB of physical
and/or virtual memory, but I cant say for certain.

To sum it up, this exploit is real, you may be vulnerable if you
have the post-query CGI on your webservers (and it is *very* common).

You may be lucky enough to have an OS that prohibits the application
from successfully allocating the needed memory.

Better safe than sorry; Remove the program if you have it!
Noone should really need this type of application since it is a
sample program designed to demonstrate how CGI works.

I will post a working exploit to the bugtraq list in a while.

/proton
[ http://www.energymech.net/users/proton/ ]


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC