fedcirc.97.08.txt

Posted Sep 23, 1999

SHA-256 | 2f72b8d1667b800990dbe54f6ca117a3a8cba4bcb514d745ab2807bda11b6fbc

-----BEGIN PGP SIGNED MESSAGE-----


******************************************************************************
FedCIRC

A D V I S O R Y

97.08
******************************************************************************
Topic: Vulnerability in webdist.cgi
Source: CERT/CC

Creation Date: May 6, 1997
Last Updated: May 7, 1997


To aid in the wide distribution of essential security information,
FedCIRC is forwarding the following information from CERT/CC advisory
CA-97.12. FedCIRC urges you to act on this information as soon as
possible.

If you have any questions, please contact FedCIRC:

Telephone: +1 888 282 0870
Email: fedcirc@fedcirc.gov



=======================FORWARDED TEXT STARTS HERE============================

=============================================================================
CERT* Advisory CA-97.12
Original issue date: May 6, 1997
Last revised: May 7, 1997
               Introduction - Corrected the AUSCERT advisory number.
               Acknowledgments - Corrected the AUSCERT advisory number
                                 and removed a company name.

Topic: Vulnerability in webdist.cgi
-----------------------------------------------------------------------------

The CERT Coordination Center has received reports of a security
vulnerability in the webdist.cgi cgi-bin program, part of the IRIX
Mindshare Out Box package, available with IRIX 5.x and 6.x. By exploiting
this vulnerability, both local and remote users may be able to execute
arbitrary commands with the privileges of the httpd daemon. This may be
used to compromise the http server and under certain configurations gain
privileged access.

Currently there are no official vendor patches available which address the
vulnerability described in this advisory. We recommend that sites prevent
the exploitation of this vulnerability by immediately applying the workaround
given in Section III.A. If the package is not required, we recommend
removing it from their systems.

When patches are made available, they should be applied as soon as possible.

We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to your
site.

Note: Development of this advisory was a joint effort of the CERT Coordination
Center and AUSCERT. This material was also released as AUSCERT advisory
AA-97.14.
-----------------------------------------------------------------------------

I. Description

A security vulnerability has been reported in the webdist.cgi cgi-bin
program available with IRIX 5.x and 6.x. webdist.cgi is part of the
IRIX Mindshare Out Box software package, which allows users to install
software over a network via a World Wide Web interface.

webdist.cgi allows webdist(1) to be used via an HTML form interface
defined in the file webdist.html, which is installed in the default
document root directories for both the Netsite and Out Box servers.

Due to insufficient checking of the arguments passed to webdist.cgi, it
may be possible to execute arbitrary commands with the privileges of
the httpd daemon. This is done via the webdist program.

When installed, webdist.cgi is accessible by anyone who can connect to
the httpd daemon. Because of this, the vulnerability may be exploited by
remote users as well as local users. Even if a site's webserver is
behind a firewall, it may still be vulnerable.

Determining if your site is vulnerable
--------------------------------------
All sites are encouraged to check their systems for the IRIX Mindshare
Out Box software package, and in particular the Webdist Software
package which is a subsystem of the Mindshare Out Box software
package. To determine if this package is installed, use the command:

# versions outbox.sw.webdist

I = Installed, R = Removed

   Name                 Date      Description

I  outbox               11/06/96  Outbox Environment, 1.2
I  outbox.sw            11/06/96  Outbox End-User Software, 1.2
I  outbox.sw.webdist    11/06/96  Web Software Distribution Tools, 1.2


II. Impact

Local and remote users may be able to execute arbitrary commands on
the HTTP server with the privileges of the httpd daemon. This may be
used to compromise the http server and under certain configurations
gain privileged access.


III. Solution

Currently there are no official vendor patches available which address
the vulnerability described in this advisory. We recommend that
sites prevent the exploitation of this vulnerability by immediately
applying the workaround given in Section III.A or removing the
package from their systems (Section III.B).

When patches are available, we recommend that sites apply them
as soon as possible.


A. Remove execute permissions

Sites should immediately remove the execute permissions on the
webdist.cgi program to prevent its exploitation. By default, webdist.cgi
is found in /var/www/cgi-bin/, but sites should check all cgi-bin
directories for this program.

# ls -l /var/www/cgi-bin/webdist.cgi
-rwxr-xr-x 1 root sys 4438 Nov 6 12:44 /var/www/cgi-bin/webdist.cgi

# chmod 400 /var/www/cgi-bin/webdist.cgi

# ls -l /var/www/cgi-bin/webdist.cgi
-r-------- 1 root sys 4438 Nov 6 12:44 /var/www/cgi-bin/webdist.cgi


Note that this will prevent all users from using the webdist
program from the HTML form interface.
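
The sweep of "all cgi-bin directories" recommended above can be scripted.
The following is an added example, not part of the CERT/CC or FedCIRC
advisory; the function names are assumptions, and the search roots are
whatever directory trees the site passes on the command line.

```shell
#!/bin/sh
# Added example (not from the advisory): find every copy of webdist.cgi
# under the given directory trees and apply the Section III.A workaround.
# Function names are hypothetical; search roots are supplied by the caller.

# Print each regular file named webdist.cgi that still has an execute bit
# set for owner, group or other. Files already at mode 400 are not listed.
find_executable_webdist() {
    find "$@" -type f -name webdist.cgi \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print 2>/dev/null
}

# chmod 400 each hit, logging the listing before and after to stderr.
# Prints the number of files changed on stdout.
lock_down_webdist() {
    count=0
    # A temp file keeps the loop out of a pipeline subshell so that
    # $count is still set after the loop ends.
    list=$(mktemp) || return 2
    find_executable_webdist "$@" > "$list" || true
    while IFS= read -r f; do
        echo "before: $(ls -l "$f")" >&2
        if chmod 400 "$f"; then
            echo "after:  $(ls -l "$f")" >&2
            count=$((count + 1))
        else
            echo "FAILED: $f" >&2
        fi
    done < "$list"
    rm -f "$list"
    echo "$count"
}

# Run only when search roots are given, e.g.:
#   sh lockdown.sh /var/www /usr/ns-home
[ "$#" -eq 0 ] || lock_down_webdist "$@"
```

Running find_executable_webdist on its own gives a report-only pass before
any permissions are changed.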


B. Remove outbox.sw.webdist subsystem

If the Webdist software is not required, we recommend that sites remove
it completely from their systems. This can be done with the command:

# versions remove outbox.sw.webdist

Sites can check that the package has been removed with the command:

# versions outbox.sw.webdist


IV. Additional Measures

Sites should consider taking this opportunity to examine their entire
httpd configuration. In particular, all CGI programs that are not
required should be removed, and all those remaining should be examined
for possible security vulnerabilities.

It is also important to ensure that all child processes of httpd are
running as a non-privileged user. This is often a configurable option.
See the documentation for your httpd distribution for more details.

Numerous resources relating to WWW security are available. The following
pages may provide a useful starting point. They include links describing
general WWW security, secure httpd setup, and secure CGI programming.

The World Wide Web Security FAQ:
http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html

NCSA's "Security Concerns on the Web" Page:
http://hoohoo.ncsa.uiuc.edu/security/

The following book contains useful information including sections on
secure programming techniques.

_Practical Unix & Internet Security_, Simson Garfinkel and
Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.

Please note that the CERT/CC and AUSCERT do not endorse the URLs that
appear above. If you have any problems with these sites, please contact
the site administrator.


-----------------------------------------------------------------------------
This advisory is a collaborative effort between AUSCERT and the CERT
Coordination Center. This material was also released as AUSCERT advisory
AA-97.14.

We thank Yuri Volobuev for reporting this problem. We also thank Martin
Nicholls (The University of Queensland) and Ian Farquhar for their assistance
in further understanding this problem and its solution.
-----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/)


CERT/CC Contact Information
----------------------------
Email cert@cert.org

Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
and are on call for emergencies during other hours.

Fax +1 412-268-6989

Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA

Using encryption
We strongly urge you to encrypt sensitive information sent by email. We can
support a shared DES key or PGP. Contact the CERT/CC for more information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key

Getting security information
CERT publications and other security information are available from
http://www.cert.org/
ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce

To be added to our mailing list for advisories and bulletins, send
email to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address

---------------------------------------------------------------------------
* Registered U.S. Patent and Trademark Office.

Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.

The CERT Coordination Center is part of the Software Engineering Institute
(SEI). The SEI is sponsored by the U.S. Department of Defense.
---------------------------------------------------------------------------

This file: ftp://info.cert.org/pub/cert_advisories/CA-97.12.webdist
http://www.cert.org
click on "CERT Advisories"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

May 07, 1997  Introduction - Corrected the AUSCERT advisory number.
              Acknowledgments - Corrected the AUSCERT advisory number
                                and removed a company name.




========================FORWARDED TEXT ENDS HERE=============================

The National Institute of Standards and Technology (NIST) has
established a Federal Computer Incident Response Capability (FedCIRC)
to assist federal civilian agencies in their incident handling
efforts by providing proactive and reactive computer security related
services. FedCIRC is a partnership among NIST, the Computer Incident
Advisory Capability (CIAC), and the CERT* Coordination Center
(CERT/CC).

If you believe that your system has been compromised, please contact
FedCIRC:

Telephone: +1 888 282 0870
Email: fedcirc@fedcirc.gov
Web Server: http://www.fedcirc.gov/

* Registered in U.S. Patent and Trademark Office

The CERT Coordination Center is part of the Software Engineering
Institute. The Software Engineering Institute is sponsored by the
U.S. Department of Defense.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface

iQCVAwUBM5bcZnVP+x0t4w7BAQE6NwP8DW6tqw7fdydnYLZjjfS+EiJVqR/nq9ne
DaoJ1yFFAQ5dCkbadAMuFMdIFvkO1w9ConIabcO211lBc+WtGCQ8Hav4lZIa/cRb
GXe6w+tBZuhTAhGvnT0yQaUsBNjjI+IU4CK1G61R6e0BBVGhYproS6KvXNHjusWG
cEgU8eCYAw4=
=tS/K
-----END PGP SIGNATURE-----