BugTraq
Format strings vuln in CGIwrap Apr 23 2003 04:05PM
b0f www.b0f.net (b0fnet yahoo com)


A locally and possibly remotely exploitable format strings bug exists in cgiwrap, available from

http://cgiwrap.sourceforge.net/

http://sourceforge.net/projects/cgiwrap

http://www.freebsd.org/ports/security.html

I. BACKGROUND

This is CGIWrap - a gateway that allows more secure user access to CGI programs on an HTTPd server than is provided by the http server itself. The primary function of CGIWrap is to make certain that any CGI script runs with the permissions of the user who installed it, and not those of the server.

CGIWrap works with NCSA httpd, Apache, CERN httpd, NetSite Commerce and Communications servers, and probably any other Unix based web server software that supports CGI.

II. DESCRIPTION

On line 91 of msgs.c the printf() function is used incorrectly, which results in a format strings vulnerability.

<snip>

void MSG_Error_General(char *message)
{
    MSG_Header("CGIWrap Error", message);
    printf(message);    /* line 91: message is passed as the format string */
    MSG_Footer();
    exit(1);
}

</snip>

The binaries in cgiwrap (cgiwrap and nph-cgiwrap) are installed setuid root. This could make this format problem exploitable locally to gain root privs or possibly remotely to gain root or the privs of the user who owns the cgi script.

III. ANALYSIS

An attacker could exploit this issue to escalate privs locally or remotely on a server running cgiwrap.

IV. DETECTION

This is vulnerable in the latest version of cgiwrap, version 3.7.1, and probably older versions (not checked). It would be exploitable on any Linux/Unix based OS running cgiwrap.

V. VENDOR

The vendor has not been contacted about this issue.

Regards

b0f (Alan M)

www.b0f.net
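
The corrected form of the printf(message) call quoted in section II, as an added example that is not part of the original post or of the CGIWrap source. The names msg_emit, msg_render and count_directives are hypothetical, and the sample string in main() is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pattern quoted in the advisory (shown for contrast, never called here):
 *     printf(message);         message is interpreted as a format string
 * Hardened pattern used below:
 *     printf("%s", message);   message is only ever data
 */

/* Write an error message to a stream with a fixed format string. */
int msg_emit(FILE *out, const char *message)
{
    return fprintf(out, "%s", message);
}

/* Same fixed-format rule, rendered into a bounded buffer so the
 * result can be inspected. Returns the length snprintf reports. */
int msg_render(char *dst, size_t dstlen, const char *message)
{
    return snprintf(dst, dstlen, "%s", message);
}

/* Audit helper: count printf conversion directives in a string that
 * is supposed to be plain text. "%%" is a literal percent sign and a
 * lone trailing '%' is not a directive, so neither is counted. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0')
            n++;
    }
    return n;
}

int main(void)
{
    const char *sample = "bad request: %x %x %n";  /* constructed input */
    char buf[128];

    msg_render(buf, sizeof buf, sample);
    printf("directives in input: %zu\n", count_directives(sample));
    msg_emit(stdout, buf);   /* printed verbatim, nothing is expanded */
    putchar('\n');
    return strcmp(buf, sample) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Building with GCC's -Wformat -Wformat-security makes the compiler warn about a printf() call whose format argument is not a string literal and has no further arguments, which is the pattern on line 91 of msgs.c.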
