[<prev] [next>] [day] [month] [year] [list]
Message-ID: <B578DAA4FD40684793C953B491D4879174D27A@umr-mail7.umr.edu>
Date: Wed, 23 Apr 2003 12:04:43 -0500
From: "Neulinger, Nathan" <nneul@....edu>
To: "b0f www.b0f.net" <b0fnet@...oo.com>, <bugtraq@...urityfocus.com>
Subject: RE: [cgiwrap-users] RE: Format strings vuln in CGIwrap
In any case, I've changed this in cvs so as to avoid setting off any
future false-alarms.
------------------------------------------------------------
Nathan Neulinger EMail: nneul@....edu
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216
> -----Original Message-----
> From: Neulinger, Nathan
> Sent: Wednesday, April 23, 2003 11:59 AM
> To: b0f www.b0f.net; bugtraq@...urityfocus.com
> Cc: cgiwrap-users@...ts.sourceforge.net
> Subject: [cgiwrap-users] RE: Format strings vuln in CGIwrap
>
>
> This is not a security problem. This is a case of using an automated
> tool to find these vulnerabilites and not attempting to understand the
> code itself.
>
> Nowhere in the code is MSG_Error_General() passed anything
> other than a
> static compiled-into-the-executable string. It's purely a utility
> function to wrap common error text/footer/etc. around a
> generic string.
>
> -- Nathan
>
> ------------------------------------------------------------
> Nathan Neulinger EMail: nneul@....edu
> University of Missouri - Rolla Phone: (573) 341-4841
> Computing Services Fax: (573) 341-4216
>
>
> > -----Original Message-----
> > From: security-bounces+nneul=umr.edu@...ts.umr.edu
> > [mailto:security-bounces+nneul=umr.edu@...ts.umr.edu] On
> > Behalf Of b0f www.b0f.net
> > Sent: Wednesday, April 23, 2003 11:06 AM
> > To: bugtraq@...urityfocus.com
> > Subject: Format strings vuln in CGIwrap
> >
> >
> >
> >
> > A locally and possibly remotely exploitable format
> > strings bug exists
> > in cgiwrap available from
> > http://cgiwrap.sourceforge.net/
> > http://sourceforge.net/projects/cgiwrap
> > http://www.freebsd.org/ports/security.html
> >
> > I. BACKGROUND
> >
> > This is CGIWrap - a gateway that allows more secure
> > user access to
> > CGI programs on an HTTPd server than is provided by the
> > http server
> > itself. The primary function of CGIWrap is to make
> > certain that
> > any CGI script runs with the permissions of the user
> > who installed
> > it, and not those of the server.
> >
> > CGIWrap works with NCSA httpd, Apache, CERN httpd,
> > NetSite Commerce
> > and Communications servers, and probably any other Unix
> > based web
> > server software that supports CGI.
> >
> > II. DESCRIPTION
> >
> > On line 91 of msgs.c the printf() function is used
> > incorrectly. Which
> > results
> > in a format strings vulnerability.
> > <snip>
> > void MSG_Error_General(char *message)
> > {
> > MSG_Header("CGIWrap Error", message);
> > printf(message);
> > MSG_Footer();
> > exit(1);
> > }
> > </snip>
> >
> > The binaries in cgiwrap, (cgiwrap and nph-cgiwrap) are
> > installed setuid
> > root.
> > Thus could make this format problem exploitable locally
> > to gain root
> > privs or
> > possably remotely to gain root or the privs of the user
> > who owns the cgi
> > script.
> >
> > III. ANALYSIS
> > An attacker could exploit this issue to escalate privs
> > locally or
> > remotely on
> > a server running cgiwrap.
> >
> > IV. DETECTION
> >
> > This is vulnerable in the latest version of cgiwrap
> > version 3.7.1 and
> > properly
> > older versions(not checked). It would be exploitable on
> > any Linux/Unix
> > based OS
> > running cgiwrap
> >
> > V. VENDOR
> > The vendor has not been contacted about this issue.
> >
> > Regards
> > b0f (Alan M)
> > www.b0f.net
> > _______________________________________________
> > UMR Security List Exploder
> > security@...ts.umr.edu
> > https://lists.umr.edu/mailman/listinfo/security
> >
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> cgiwrap-users mailing list
> cgiwrap-users@...ts.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/cgiwrap-users
>
Powered by blists - more mailing lists