lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 23 Apr 2003 16:05:32 -0000
From: b0f www.b0f.net <b0fnet@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Format strings vuln in CGIwrap




A locally and possibly remotely exploitable format
strings bug exists 
in cgiwrap available from  
http://cgiwrap.sourceforge.net/
http://sourceforge.net/projects/cgiwrap
http://www.freebsd.org/ports/security.html 

I. BACKGROUND

This is CGIWrap - a gateway that allows more secure
user access to
CGI programs on an HTTPd server than is provided by the
http server
itself. The primary function of CGIWrap is to make
certain that
any CGI script runs with the permissions of the user
who installed
it, and not those of the server.

CGIWrap works with NCSA httpd, Apache, CERN httpd,
NetSite Commerce
and Communications servers, and probably any other Unix
based web
server software that supports CGI.

II. DESCRIPTION

On line 91 of msgs.c the printf() function is used
incorrectly. Which 
results
in a format strings vulnerability.
<snip>
void MSG_Error_General(char *message)
{
        MSG_Header("CGIWrap Error", message);
        printf(message); 
        MSG_Footer();
        exit(1);
}
</snip>

The binaries in cgiwrap, (cgiwrap and nph-cgiwrap) are
installed setuid 
root.
Thus could make this format problem exploitable locally
to gain root 
privs or
possably remotely to gain root or the privs of the user
who owns the cgi 
script.

III. ANALYSIS
An attacker could exploit this issue to escalate privs
locally or 
remotely on
a server running cgiwrap.

IV. DETECTION

This is vulnerable in the latest version of cgiwrap
version 3.7.1 and 
properly
older versions(not checked). It would be exploitable on
any Linux/Unix 
based OS
running cgiwrap 

V. VENDOR
The vendor has not been contacted about this issue.

Regards
b0f  (Alan M)
www.b0f.net

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ