lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <B578DAA4FD40684793C953B491D4879174D279@umr-mail7.umr.edu>
Date: Wed, 23 Apr 2003 11:59:15 -0500
From: "Neulinger, Nathan" <nneul@....edu>
To: "b0f www.b0f.net" <b0fnet@...oo.com>, <bugtraq@...urityfocus.com>
Subject: RE:  Format strings vuln in CGIwrap


This is not a security problem. This is a case of using an automated
tool to find these vulnerabilites and not attempting to understand the
code itself. 

Nowhere in the code is MSG_Error_General() passed anything other than a
static compiled-into-the-executable string. It's purely a utility
function to wrap common error text/footer/etc. around a generic string.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@....edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216


> -----Original Message-----
> From: security-bounces+nneul=umr.edu@...ts.umr.edu 
> [mailto:security-bounces+nneul=umr.edu@...ts.umr.edu] On 
> Behalf Of b0f www.b0f.net
> Sent: Wednesday, April 23, 2003 11:06 AM
> To: bugtraq@...urityfocus.com
> Subject: Format strings vuln in CGIwrap
> 
> 
> 
> 
> A locally and possibly remotely exploitable format
> strings bug exists 
> in cgiwrap available from  
> http://cgiwrap.sourceforge.net/
> http://sourceforge.net/projects/cgiwrap
> http://www.freebsd.org/ports/security.html 
> 
> I. BACKGROUND
> 
> This is CGIWrap - a gateway that allows more secure
> user access to
> CGI programs on an HTTPd server than is provided by the
> http server
> itself. The primary function of CGIWrap is to make
> certain that
> any CGI script runs with the permissions of the user
> who installed
> it, and not those of the server.
> 
> CGIWrap works with NCSA httpd, Apache, CERN httpd,
> NetSite Commerce
> and Communications servers, and probably any other Unix
> based web
> server software that supports CGI.
> 
> II. DESCRIPTION
> 
> On line 91 of msgs.c the printf() function is used
> incorrectly. Which 
> results
> in a format strings vulnerability.
> <snip>
> void MSG_Error_General(char *message)
> {
>         MSG_Header("CGIWrap Error", message);
>         printf(message); 
>         MSG_Footer();
>         exit(1);
> }
> </snip>
> 
> The binaries in cgiwrap, (cgiwrap and nph-cgiwrap) are
> installed setuid 
> root.
> Thus could make this format problem exploitable locally
> to gain root 
> privs or
> possably remotely to gain root or the privs of the user
> who owns the cgi 
> script.
> 
> III. ANALYSIS
> An attacker could exploit this issue to escalate privs
> locally or 
> remotely on
> a server running cgiwrap.
> 
> IV. DETECTION
> 
> This is vulnerable in the latest version of cgiwrap
> version 3.7.1 and 
> properly
> older versions(not checked). It would be exploitable on
> any Linux/Unix 
> based OS
> running cgiwrap 
> 
> V. VENDOR
> The vendor has not been contacted about this issue.
> 
> Regards
> b0f  (Alan M)
> www.b0f.net
> _______________________________________________
> UMR Security List Exploder
> security@...ts.umr.edu
> https://lists.umr.edu/mailman/listinfo/security
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ