what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CoreHTTP Command Execution Advisory

CoreHTTP Command Execution Advisory
Posted Dec 23, 2009
Authored by aaron conole

CoreHTTP versions 0.5.3.1 and below suffer from a remote command execution vulnerability.

tags | advisory, remote
SHA-256 | 3c2bca2cfde516a13c2987315e8c27791221f4c84adae867779481e05a5bd998

CoreHTTP Command Execution Advisory

Change Mirror Download
Package name: CoreHTTP server
Version: 0.5.3.1 and below (as long as cgi support is enabled)
Software URL: http://corehttp.sourceforge.net/
Exploit: http://aconole.brad-x.com/programs/corehttp_cgienabled.rb
Issue: CoreHTTP server fails to properly sanitize input before calling popen()
and allows an attacker using a standard web browser to execute arbitrary
commands.

NOTE: depending on the script and directory permissions, the attacker
may not be able to view output.

Further Discussion: During code review / debugging of CoreHTTP, a look at http.c
source file revealed:

/* escape the url for " and \ since we use it in popen */
for (i = 0; i < PATHSIZE; i++) {
if (url[i] == '\0') break;
else if (url[i] == '\\' || url[i] == '\"' || url[i] == '\'') {
find = url + i;
strcpy(temp, find);
*find = '\\';
*(find+1) = '\0';
strcat(url, temp);
i++;
}
}

In the above, only " and \ are escaped, allowing one to specify |`& and any
other special formatting.

The URL then gets broken into 2 parts:
- url (which in this case is a script)
- args (which contains our 'evil' buffer)

There is a caveat though:
if (c == 0) { /* TODO our dirlist perl script takes the path
of the dir as the arg. the way we do cgi
right now is scipt.pl?arg turns into
commandprompt> ./script.pl arg. obviously
when urlencode is implemented correctly this
must be changed. */
strcpy(args, url);
strcpy(url, DIRLIST);
break;
}

In this, we can see that DIRLIST overwrites the value of url and url overwrites
the value of args - so for simple directory listing this vulnerability becomes
a bit more difficult to exploit (depending on directory name, the system could
still be vulnerable).

Finally, here's the call to popen:
} else if (cmd[0] != '\0') { /* if its dynamic content */
pipe(pipefd); /* make pipe then fork */
c = fork();
if (c > 0) { /* original, keep going */
close(pipefd[1]); /* no need to write */
sprocket->fd = pipefd[0];
SetNonBlock(sprocket->fd);
} else if (c == 0) { /* child, popen */
close(pipefd[0]); /* no need to read */
pipetoprog = popen(cmd, "r");
/* fread should be non-blocking for this to exit fast
when parent proc closes pipe */
while ((i = fread(temp, 1, BUFSIZE, pipetoprog)) != 0
&& write(pipefd[1], temp, i) > 0);
pclose(pipetoprog);
close(pipefd[1]);
exit(EXIT_SUCCESS); /* exit after done */
} else { /* failed */
RemoveSprock(sprocket, &FIRSTSPROCK);
return NULL;
}

And there you have it. Simply download coreHTTP for yourself, build, enable CGI,
touch foo.pl and then send it a request for /foo.pl%60command%26%60 which will
set url to /foo.pl and args to `command&` and call popen. Voila!

Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close