pServ Discloses CGI Source to Remote Users, Lets Remote Users Execute Arbitrary Code, and Lets Local Users View Potentially Privileged Files
SecurityTracker Alert ID: 1013977|
SecurityTracker URL: http://securitytracker.com/id/1013977
CVE-2005-1365, CVE-2005-1366, CVE-2005-1367
(Links to External Site)
Date: May 17 2005
Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): 3.2; possibly prior versions|
Several vulnerabilities were reported in Pico Server (pServ). A remote user can view the source of CGI scripts. A remote user can execute arbitrary code on the target system. A local user can view files with the privileges of the web server.|
The server does not properly protect against directory traversal attacks. If pServ on the target system has been compiled with CGI-BIN support, then a remote user can supply a specially crafted URL to execute arbitrary programs on the target system [CVE: CVE-2005-1365]. The code will run with the privileges of the pServ process.
A demonstration exploit URL to invoke 'wget' to load 'evil.pl' to the target system is provided:
A demonstration exploit URL to subsequently invoke the 'evil.pl' script is provided:
A remote user can supply a specially crafted URL to view the source of CGI scripts in the 'cgi-bin' directory [CVE: CVE-2005-1366]. A demonstration exploit URL to access the source of the 'test.pl' script is provided:
The web server does not differentiate between files and symbolic links [CVE: CVE-2005-1367]. A local user with access to a web server directory can create a symbolic link from a critical file on the system to a file in the web server directory. Then, the user can access the web server to view the file with the privileges of the pServ process.
The vendor was notified on May 2, 2005.
Claus R. F. Overbeck or RedTeam at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University reported these vulnerabilities.
A remote user can view the contents of CGI scripts.|
A remote user can execute arbitrary code on the target system with the privileges of the pServ process.
A local user can view files on the target system with the privileges of the pServ process.
The vendor has issued a fixed version (3.3) for the remote vulnerabilities, available at:|
The vendor does not plan to issue a fix for the local vulnerability.
Vendor URL: sourceforge.net/projects/pserv (Links to External Site)
Access control error, Input validation error|
|Underlying OS: Linux (Any), UNIX (Any)|
Source Message Contents
Subject: Pico Server (pServ) Remote Command Injection|
Advisory: Pico Server (pServ) Remote Command Injection
RedTeam found a remote command injection in Pico Server (pServ) which results
in a remote attacker being able to issue arbitrary commands on the server.
Product: Pico Server (pServ)
Affected Version: 3.2(verified), <=3.2 probably too
Immune Version: 3.3
OS affected: all
Security-Risk: very high
Vendor-Status: new version available
Pico Server is a small web server. It is meant to be portable and
* small, portable
* CGI-BIN support
* auto-indexing of directories
* access and error logging (see p-reporter for an analyzer)
* forking or single-connection at choice
Pico Server (pServ) is written in portable C (K&R style so it can compile on
older compilers too) and sports several options that by means of #define
statements can customize the behavior, the performance and the feature set so
to be able to fit better the the requisites.
If pServ is compiled with support for CGI-BIN a remote attacker is able to
execute any program (with pServ permissions) on the server by traversing out
of the cgi-bin directory.
pServ has CGI-BIN support. Only URLs beginning with "cgi-bin" are treated as
To avoid that a user traverses out of the cgi-bin using traditional /../,
pServ parses the requested url. It increases a counter by one if it parses a
/ (new subdir) and decreases the counter if ist parses /../. If the counter
goes below zero the url is rejected as illegal. Unfortunately an attacker can
avoid beeing rejected, just using enough / in the url (without directory
names between them), so he can traverse out of the cgi-bin by adding some
/../ . This lets the attacker execute any program on the server (with pServ
Proof of Concept
The following url downloads a script (or executable) to the server:
This is how the script can be executed afterwards:
The only workaround is to compile pServ without support for cgi-bin.
The Developers have released Version 3.3. This version should fix the
problem. The changes have not been tested by RedTeam, yet.
The security risk is rated very high because a remote attacker can use this
flaw to execute arbitrary code on the server (with the permissions of pServ).
2005-05-02 first attempt to inform developers
2005-05-02 CAN-number assigned
2005-05-04 second attempt to inform developers
2005-05-16 new version released. Advisory published
RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find more
Information on the RedTeam Project at