
unixware.scohelp.txt

Posted Sep 28, 2000
Authored by Ivan Arce | Site core-sdi.com

CORE SDI Security Advisory - SCO Unixware 7 default installation includes scohelp, an http server that listens on port 457/tcp and allows access to manual pages and other documentation files. The search CGI script provided for that purpose has a vulnerability that could allow any remote attacker to execute arbitrary code on the vulnerable machine with privileges of user "nobody".

tags | remote, web, arbitrary, cgi, tcp
systems | unixware
SHA-256 | f680f55bfc32747ee179bacde9f8d0a084560d975d1acee0c089638742207f41

                                               CORE SDI Inc.
http://www.core-sdi.com

Unixware SCOhelp http server format string vulnerability


Date Published: 09/27/00

Advisory ID: CORE-092700

Bugtraq ID: 1717

CVE CAN: None currently assigned.

Title: Unixware SCOhelp http server format string vulnerability

Class: Input validation error

Remotely Exploitable: Yes

Locally Exploitable: Yes

Vulnerability Description:

SCO Unixware 7 default installation includes scohelp, an http
server that listens on port 457/tcp and allows access to manual
pages and other documentation files. The search CGI script provided
for that purpose has a vulnerability that could allow any remote
attacker to execute arbitrary code on the vulnerable machine with
privileges of user "nobody".
This poses a threat that could result in the remote compromise of
the vulnerable host and provide a staging point from where an attacker
could escalate privileges.


Vulnerable Packages/Systems:
Unixware 7

Solution/Vendor Information/Workaround:

Contact the vendor for a fix.

In the meantime, disabling the http server on port 457/tcp
will prevent exploitation of the vulnerability. However, this
will also make access to the documentation unavailable.

The following is a workaround supplied by the vendor:
To apply the workaround to your system you must:

1) Log into the system as root

2) cd /usr/ns-home/httpd-scohelphttp/search97

3) mkdir ./securebin

4) mv ./bin/vtopic ./securebin

5) Using your favourite editor create a new version of vtopic
in the /usr/ns-home/httpd-scohelphttp/search97/bin
directory containing the following:
--------------------------------------------------------------------
#!/bin/sh
# Wrapper installed in place of the vtopic CGI binary: it validates the
# incoming query string and then hands it to the original binary, which
# was moved to the securebin directory in step 4.
VERITYBIN=/usr/ns-home/httpd-scohelphttp/search97/bin
SECUREBIN=/usr/ns-home/httpd-scohelphttp/search97/securebin
configPath=$VERITYBIN/inetsrch.ini
export configPath

# If POST method, convert to QUERY_STRING
if [ -z "$QUERY_STRING" ]
then
    POST=1
    eval `$VERITYBIN/cgiparse -init`
else
    POST=0
fi

# Exit if not set
if [ -z "$QUERY_STRING" ]
then
    exit 1
fi

# Now strip out insecure character %25 (the URL-encoded '%')
QUERY_STRING=`echo "$QUERY_STRING" | sed "s/%25/+/g"`

# First check for multiple ViewTemplate fields
# which could fool vtopic
COUNT=`$VERITYBIN/cgiparse -count -value ViewTemplate 2> /dev/null`
if [ "$COUNT" -gt 1 ]
then
    exit 1
fi

# Then check for multiple ResultTemplate fields
# which could fool vtopic
COUNT=`$VERITYBIN/cgiparse -count -value ResultTemplate 2> /dev/null`
if [ "$COUNT" -gt 1 ]
then
    exit 1
fi

# Now check for correct path in ViewTemplate if it has one
if echo "$QUERY_STRING" | egrep -i '&ViewTemplate=' > /dev/null 2>&1
then
    MATCH=`$VERITYBIN/cgiparse -value ViewTemplate 2> /dev/null | egrep -i '[-A-Za-z0-9_.]+/_SearchTemplates/docview.hts'`
    if [ -z "$MATCH" ]
    then
        exit 1
    fi
fi

# Now check for correct path in ResultTemplate if it has one
if echo "$QUERY_STRING" | egrep -i '&ResultTemplate=' > /dev/null 2>&1
then
    MATCH=`$VERITYBIN/cgiparse -value ResultTemplate 2> /dev/null | egrep -i '[-A-Za-z0-9_.]+/_SearchTemplates/result.hts'`
    if [ -z "$MATCH" ]
    then
        exit 1
    fi
fi

# OK, so proceed: pass the validated request to the real vtopic binary
if [ "$POST" -eq 1 ]
then
    export CONTENT_LENGTH
    echo "$QUERY_STRING" | $SECUREBIN/vtopic
else
    export QUERY_STRING
    $SECUREBIN/vtopic
fi
--------------------------------------------------------------------

6) chmod +x vtopic

This script acts as a wrapper to the vtopic binary and blocks
queries that can:

1) Allow a remote user to request to view a world readable file
like /etc/passwd

2) Cause a failure like the one described in your email to SCO.


Vendor notified on: September 11th, 2000

Credits:

This vulnerability was discovered by Juliano Rizzo of CORE SDI Inc.,
Buenos Aires, Argentina.

This advisory was drafted with the help of the SecurityFocus.com
Vulnerability Help Team. For more information or assistance drafting
advisories please mail vulnhelp@securityfocus.com.

Fix information and the workaround were provided by the SCO Security Group.
It can be contacted at security-alert@sco.com

Technical Description - Exploit/Concept Code:

There is a user supplied format string bug in the vtopic CGI script that
could be abused to execute arbitrary code. By sending a request with the
following URI:

http://target:457/search97cgi/vtopic?Action=\
FilterSearch&filter=&queryText=%25x

The server will elicit the following response:
--
Internal error: STR_sprintf: Invalid format (Error E1-0142 (Query
Builder): Invalid character '%' (0x25))

Result
Search failed: -40

Result
Error E1-0142 (Query Builder): Invalid character '

Result
Error E1-0130 (Query Builder): Syntax error in query string near
character 1

Result
Error E1-0133 (Query Builder): Error parsing query: 81888e0

Result
VdkSearchNew failed, error -40

Result
Request failed for REQUEST_METHOD=, QUERY_STRING=

Component
Component (vsearch) failed in processing request, -2

Action
Action (FilterSearch) failed while processing request in component
(vsearch), -2

Service Manager
Action (FilterSearch) failed in processing request, -2
S97IS Service manager failed to process request
--

Note the line:
Error E1-0133 (Query Builder): Error parsing query: 81888e0

This shows that the server is interpreting the %x passed in the URI as a
format directive inside the "queryText" value. By supplying a carefully
built value for the queryText argument, an attacker can change the program
flow and execute arbitrary code.
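To make the bug class concrete, here is an added example in C; it is not CORE SDI's or SCO's code and does not reproduce vtopic. It contrasts the vulnerable pattern (the untrusted query string is passed as the format argument, so a '%' directive in it is interpreted) with the hardened form (a constant format and the query passed as a "%s" argument), and adds the input check a defender would want. The function names, the message buffer, the constructed sample input "100%%" and the error-message wording are assumptions made for this example; the unsafe function is only exercised with "%%", which has defined behaviour, rather than with "%x".

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the advisory's or vendor's code. "query" stands in
 * for the queryText CGI parameter; names and buffer size are assumptions. */

#define MSG_LEN 128

static char msg_buf[MSG_LEN];

/* Vulnerable pattern: the untrusted string *is* the format argument, so any
 * '%' directive it contains is interpreted by snprintf. With "%%" the
 * output is a single '%'; with "%x" the call would read an argument that
 * was never passed, which is the defect class the advisory describes. */
const char *build_unsafe(const char *query) {
    snprintf(msg_buf, sizeof msg_buf, query);   /* format = attacker data */
    return msg_buf;
}

/* Hardened form: the format is a constant and the user data is bound to
 * "%s", so '%' characters in it are copied literally and never parsed. */
const char *build_safe(const char *query) {
    snprintf(msg_buf, sizeof msg_buf, "Error parsing query: %s", query);
    return msg_buf;
}

/* Defence in depth: reject any query containing '%', which is what the
 * "Invalid character '%' (0x25)" line in the server response indicates
 * the query builder already attempts. Returns 1 if clean, 0 otherwise. */
int query_is_clean(const char *query) {
    return strchr(query, '%') == NULL;
}

int main(void) {
    const char *probe = "100%%";   /* constructed sample input */
    printf("unsafe: %s\n", build_unsafe(probe));   /* prints 100% */
    printf("safe:   %s\n", build_safe(probe));     /* keeps 100%% intact */
    printf("clean:  %d\n", query_is_clean(probe)); /* 0: rejected */
    return 0;
}
```

The difference between the two outputs is the whole vulnerability: in build_unsafe the data decides how snprintf walks its argument list, in build_safe it is inert text. Compilers flag the unsafe form with -Wformat-security, which is a cheap check to turn on in any C build.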

DISCLAIMER:

The contents of this advisory are copyright (c) 2000 CORE SDI Inc. and may
be distributed freely provided that no fee is charged for this distribution
and proper credit is given.

$Id: SCOhelphttp-advisory.txt,v 1.6 2000/09/27 20:36:34 iarce Exp $
--
"Understanding. A cerebral secretion that enables one having it to know
a house from a horse by the roof on the house.
Its nature and laws have been exhaustively expounded by Locke,
who rode a house, and Kant, who lived in a horse." - Ambrose Bierce



==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : iarce@core-sdi.com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina. Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================






