httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Behlendorf <br...@organic.com>
Subject IBM-ERS Advisory about HTTPD (fwd)
Date Sun, 25 Feb 1996 02:59:32 GMT

I think this is self-explanatory.  We need someone to step in and just 
completely revamp what's distributed with cgi-src and cgi-bin.  I gave a 
verbal committment to have this fixed in 1.1.  

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  brian@hyperreal.com  http://www.[hyperreal,organic].com/

---------- Forwarded message ----------
Date: Fri, 23 Feb 1996 17:04:11 EST
From: David A. Curry <davy@vnet.ibm.com>
To: brian@organic.com
Subject: IBM-ERS Advisory about HTTPD


Enclosed is the final draft of our advisory about the vulnerability in
cgi-src/util.c.  Please do not redsitribute this advisory, except among
members of your development group.

The advisory will be sent out Monday morning, February 26th.

--Dave

David A. Curry				IBM Internet Emergency Response Service
Senior Internet Security Analyst	Long Meadow Road, M/S 223
Information Warfare Center		Sterling Forest, NY 10979 U.S.A.
davy@vnet.ibm.com			+1 914 759-4452

--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

                  =======  ============    ======       ======
                  =======  ==============  =======     =======
                    ===      ===     ====    ======   ======
                    ===      ===========     ======= =======
                    ===      ===========     === ======= ===
                    ===      ===     ====    ===  =====  ===
                  =======  ==============  =====   ===   =====
                  =======  ============    =====    =    =====

                           EMERGENCY RESPONSE SERVICE
			  SECURITY VULNERABILITY ALERT

26 February 1996 13:00 GMT                       Number: ERS-SVA-E01-1996:002.1
===============================================================================
                             VULNERABILITY  SUMMARY

VULNERABILITY:	Some C-language based Common Gateway Interface programs that
		call a shell to execute other programs can be tricked into
		executing any arbitrary command.

PLATFORMS:	Any CGI program built using the sample code distributed with
		NCSA HTTPD Version 1.5A-Export and earlier or Apache HTTPD
		Version 1.0.3 and earlier that accepts input from the user
		and passes that input as arguments to a shell command.

SOLUTION:	If using the sample code, apply the patch described below.
		If using other code, check for the vulnerability as
		described in the following text.

THREAT:		Many World Wide Web sites have been built using the programs
		in question.  Therefore, the potential security exposure may
		be widespread.

===============================================================================
                                      NOTE

The vulnerability described in this alert is contained in ancillary, example
software distributed with NCSA HTTPD and Apache HTTPD.

            THIS IS NOT AN HTTPD SERVER PROGRAM VULNERABILITY.

Commercial HTTPD server products developed and sold by IBM do not include
this sample code on their distribution media.  Commercial HTTPD server
products developed by Netscape Communications Corporation and sold by
Netscape and IBM do not include this sample code on their distribution media.

If you have purchased one of these products and have not installed any
programs other than those on the distribution media, you are not vulnerable
to this problem.  Note, however, that if you previously had NCSA HTTPD or
Apache HTTPD installed, you may have remnants of the installation left over
which may be vulnerable.

If you have purchased another commercial HTTPD server product, you may wish
to contact your vendor to see if any action is necessary.

===============================================================================
                              DETAILED INFORMATION

I. Description

  A. Background Information

     The Common Gateway Interface (CGI) specifies a protocol by which a World
     Wide Web server can interface with external programs run on the server
     host.  These external programs perform tasks on behalf of the user such
     as sending mail, accessing databases, and so forth.  Many of these
     programs accept input from the user via an interactive form containing
     dialog boxes, menus, buttons, etc.  Upon completion of the task, the
     programs may return the results of the operation to the user, usually in
     the form of a Hypertext Markup Language (HTML) document.  Programs which
     implement the Common Gateway Interface are usually called "CGI scripts,"
     although they are also referred to as "CGI-BIN programs," after the name
     of the directory in which they are commonly stored on UNIX systems.

     CGI programs, because they often accept input from the user and then
     pass that input to other programs as command-line arguments, must be
     written with great care.  Because the languages used to implement these
     programs (Perl, Bourne shell, Korn shell, C shell, etc.) attribute
     special meaning to a large variety of characters ('>', ';', '&', '$',
     etc.), the program must check its input and remove these characters
     before passing them on to other commands.  If this is not done, or is
     done incorrectly, an attacker can provide "bogus" input to these
     programs that causes them to behave in unexpected ways, often resulting
     in allowing the attacker to gain unauthorized access to the server
     host, or to execute unauthorized commands on the host.

     Because these problems are so difficult to avoid when using these
     powerful scripting languages, many experts now recommend that CGI
     programs be written in the C programming language instead.  Because C
     does not attempt to evaluate character strings, a program written in C
     is less vulnerable to this type of attack.  However, if a CGI program
     written in C uses the input it receives to execute another command
     using the system() or popen() library functions, the benefits of using
     C are negated, and the program must once again carefully check its
     inputs before passing them as command line arguments to other programs.

  B. Vulnerability Details

     NCSA HTTPD and Apache HTTPD, two of the most popular freely-available
     World Wide Web server implementations, come with several CGI programs
     that are compiled by the default build procedure.  These programs,
     because they are meant to serve as examples, are frequently installed
     at a site even if they are not being used.  Furthermore, because the
     source code for these programs is meant to be an example of how to
     implement CGI programs, it is frequently copied into other CGI programs
     programs as well.

     One of the utility functions offered by the CGI example source code is
     called escape_shell_cmd().  It is intended to help programmers avoid the
     vulnerability described above.  This function, when given an input
     string received from the user, scans the string for characters that have
     special meaning to the UNIX shell, and inserts escapes in front of these
     characters to remove their special meaning.  However, the list of
     special characters used by escape_shell_cmd():

         &;`'"|*?~<>^()[]{}$\

     is incomplete: it is missing the newline ('\n', octal 012, hex 0x10)
     character.

     The CGI example source code also includes a program called "phf," which
     implements a form-based interface to a local CCSO Name Server.  (The
     CCSO Name Server is a whitepages service used for looking up name and
     address information about people.)  The "phf" demonstration program
     uses the escape_shell_cmd() function to check its inputs, and is thus
     vulnerable to attack as described above.

     Any World Wide Web server host that has been configured to allow access
     to and execution of Common Gateway Interface programs and

       1. Has installed the "phf" program from the NCSA HTTPD distribution or
	  the Apache HTTPD distribution in a CGI-BIN directory (even if the
	  program is not being used)

       and/or

       2. Has installed programs obtained from the Internet or elsewhere that
	  are using the escape_shell_cmd() function contained in the sample
	  CGI-BIN source code distributed with NCSA HTTPD or Apache HTTPD

       and/or

       3. Has installed programs developed internally using the
	  escape_shell_cmd() function contained in the sample CGI-BIN source
	  code distributed with NCSA HTTPD or Apache HTTPD

       and/or

       4. Has installed CGI programs that do not adequately check their
	  inputs for the special characters listed above (including newline)
	  before passing these inputs to a shell command

     is vulnerable to attack in this manner.

II. Impact

An attacker who knows how to exercise this vulnerability may have the
ability to:

  1. Execute arbitrary commands on the server host using the same user-id as
     the user running the "httpd" server.  If "httpd" is being run as
     "root," the attacker's commands are also run as "root."

  2. Access any file on the system that is accessible to the user-id that is
     running the "httpd" server.  If the "httpd" server user-id has read
     access to the file, the attacker can also read the file.  If the
     "httpd" server user-id has write access to the file, the attacker can
     change or destroy the contents of the file.  If the "httpd" server is
     being run as "root," the attacker can read, modify, or destroy any file
     on the server host.

  3. Given an X11-based terminal emulator ("xterm" or equivalent) installed
     on the "httpd" server host, gain full interactive access to the server
     host just as if he were logging in locally.

III. Solutions

  A. Suggested actions

     The IBM Emergency Response Service (IBM-ERS) team recommends that you
     take the following actions (subject to any licensing restrictions that
     may apply to your copies of the programs):

       1. If you have installed the "phf" program from the NCSA or Apache
	  HTTPD binary or source distributions and are not using it, remove
	  it.

       2. If you have installed the "phf" program from the NCSA or Apache
	  HTTPD source distributions and are using it, apply one of the
	  patches below, rebuild the "phf" program, and install the new
	  version.
       
       3. If you have installed the "phf" program from the NCSA or Apache
	  HTTPD binary distributions and are using it, obtain the NCSA or
	  Apache source distributions:

          NCSA:
            ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/httpd_1.5/httpd_1.5a-export_source.tar.Z

          Apache:
	    ftp://ftp.apache.org/apache/dist/apache_1.0.3.tar.gz

          Then apply one of the patches below, rebuild the "phf" program, and
	  install the new version.

       4. If you have installed other C-language CGI programs obtained from
	  the Internet or elsewhere and have the source code for these
	  programs, examine them closely and make sure that they are
	  properly checking their inputs before passing them to a shell.

	  If these programs are using the escape_shell_cmd() function from
	  the NCSA or Apache distributions, the patches below can be adapted
	  to these programs.

          Once you have identified any problem areas and developed fixes for
	  them, rebuild the programs and install the new versions.

       5. If you have developed your own C-language CGI programs using the
	  sample code contained in the NCSA or Apache distributions, adapt
	  the patches below to your code, rebuild these programs, and
	  install the new versions.

       6. If you have purchased CGI programs from third-party vendors,
	  contact your vendor to determine whether or not these programs
	  contain this vulnerability.

       7. If you are running your "httpd" server as "root," consider running
	  it as an unprivileged user instead.

  B. Patch for escape_shell_cmd()

     The escape_shell_cmd() function is contained in the "util.c" file in the
     "cgi-src" directory of the NCSA HTTPD and Apache HTTPD source
     distributions.

     The patch below can be applied to the NCSA version of "util.c" to fix
     this vulnerability:

---------------------------------- cut here ----------------------------------
*** httpd_1.5a-export/cgi-src/util.c.old	Tue Nov 14 11:38:40 1995
--- httpd_1.5a-export/cgi-src/util.c	Thu Feb 22 20:37:07 1996
***************
*** 139,145 ****
  
      l=strlen(cmd);
      for(x=0;cmd[x];x++) {
!         if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){
              for(y=l+1;y>x;y--)
                  cmd[y] = cmd[y-1];
              l++; /* length has been increased */
--- 139,145 ----
  
      l=strlen(cmd);
      for(x=0;cmd[x];x++) {
!         if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){
              for(y=l+1;y>x;y--)
                  cmd[y] = cmd[y-1];
              l++; /* length has been increased */
---------------------------------- cut here ----------------------------------

     The patch below can be applied to the Apache version of "util.c" to fix
     this vulnerability:

---------------------------------- cut here ----------------------------------
*** apache_1.0.3/cgi-src/util.c.old	Sat Feb 17 03:32:14 1996
--- apache_1.0.3/cgi-src/util.c	Fri Feb 23 10:48:43 1996
***************
*** 135,141 ****
  
      l=strlen(cmd);
      for(x=0;cmd[x];x++) {
!         if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){
              for(y=l+1;y>x;y--)
                  cmd[y] = cmd[y-1];
              l++; /* length has been increased */
--- 135,141 ----
  
      l=strlen(cmd);
      for(x=0;cmd[x];x++) {
!         if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){
              for(y=l+1;y>x;y--)
                  cmd[y] = cmd[y-1];
              l++; /* length has been increased */
---------------------------------- cut here ----------------------------------

     To apply the patch, save the text between the two "-- cut here --" lines
     in a file, change directories to your source tree (the directory that
     contains "httpd_1.5a-export" or "apache_1.0.3" as a subdirectory) and
     issue the command:

         patch < filename

     If you do not have the "patch" program, you can obtain it from

         ftp://prep.ai.mit.edu/pub/gnu/patch-2.1.tar.gz

     or you can apply the patch by hand.

     This fix is provided "as-is" and no support obligation on the part of
     IBM is implied.

  C. Pending fix from NCSA

     NCSA states that they have fixed this problem in HTTPD Version 1.5.1,
     which is currently in the beta-testing stage.  You can obtain NCSA
     HTTPD 1.5.1 Beta 3 from

         http://hoohoo.ncsa.uiuc.edu/beta-1.5/

     if you wish to experiment with it.  However, NCSA warns that this is
     NOT a stable version of the server.

  D. Pending fix from Apache

     The Apache Project is aware of this problem, and states that they plan
     to provide a fix for it in Apache HTTPD Version 1.1, which is scheduled
     for release in early March.  For more information about the pending
     release of Apache HTTPD Version 1.1, see the Apache Project home page at

         http://www.apache.org/

  E. A second potential vulnerability

     When examining your CGI programs that make use of the escape_shell_cmd()
     function, note that escape_shell_cmd() does not perform any check on the
     length of the buffer it is passed.  Because each character in the buffer
     has the potential to be escaped with a backslash, the resulting string
     can be up to twice as long as the original.

     Any buffer that is passed into this function should be at least (2n+1)
     bytes in size, where n is the length of the unescaped string.

     Programs that do not adhere to this requirement are vulnerable to buffer
     overrun attacks, much like those used successfully by the Internet worm
     against the finger daemon, as well as in several more recent attacks
     against other programs.

  F. Additional information

     If you have enabled the Common Gateway Interface in your server, even if
     you are not yet actively using it, IBM-ERS recommends that you learn as
     much as possible about the security issues involved.  We have provided
     URLs for some good sources of information on this topic below:

     CGI Security
     ------------
         http://hoohoo.ncsa.uiuc.edu/cgi/security.html
         http://www.cerf.net/~paulp/cgi-security/

     WWW Security (Including CGI)
     ----------------------------
	 http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html

    Please note that the URLs referenced in this advisory are not under IBM's
    control and therefore IBM cannot be responsible for their availability or
    content.  If you have any questions regarding any of these sites, please
    contact that site's administrator or webmaster.

IV. Acknowledgements

IBM-ERS would like to thank the IBM Global I/T Security Consulting Group, and
the IBM Global Security Analysis Laboratory at the IBM T. J. Watson Research
Center, for bringing this exposure to our attention, providing the patches
for it, and their assistance in the development of this alert.

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services.  From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources.  To find out more about the IBM
Internet Emergency Response Service, send an electronic mail message to
ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).

Copyright 1996 International Business Machines Corporation.

The material in this security alert may be reproduced and distributed,
without permission, in whole or in part, by other security incident response
teams (both commercial and non-commercial), provided the above copyright is
kept intact and due credit is given to IBM-ERS.

This security alert may be reproduced and distributed, without permission,
in its entirety only, by any person provided such reproduction and/or
distribution is performed for non-commercial purposes and with the intent of
increasing the awareness of the Internet community.

---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--


Mime
View raw message