
IRIX :CERT Advisory: CERT Advisory CA-97.12 - Vulnerability in webdist.cgi



Some UCI hosts appear to be vulnerable to the security problem described below.

DDCS supported systems have been patched. 

It is strongly recommended that you remove execute permission from the
webdist.cgi program, with something like:

	chmod 400 /var/www/cgi-bin/webdist.cgi

...as described in the advisory.

[This notice is a part of OAC's efforts to keep the campus informed of
potential computer security liabilities.  Please send any questions or
concerns to us at DCS@UCI.EDU]

------- Forwarded Message

Forwarded: Wed, 07 May 1997 09:44:04 -0700
Forwarded: "mtvo "
Date: Tue, 6 May 1997 16:48:37 -0400
Message-Id: <199705062048.QAA05134@coal.cert.org>
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Subject: CERT Advisory CA-97.12 - Vulnerability in webdist.cgi
Reply-To: cert-advisory-request@cert.org
Organization: CERT(sm) Coordination Center -  +1 412-268-7090


=============================================================================
CERT* Advisory CA-97.12
Original issue date: May 6, 1997
Last revised: --
              
Topic: Vulnerability in webdist.cgi
-----------------------------------------------------------------------------

The CERT Coordination Center has received reports of a security
vulnerability in the webdist.cgi cgi-bin program, part of the IRIX
Mindshare Out Box package, available with IRIX 5.x and 6.x. By exploiting
this vulnerability, both local and remote users may be able to execute
arbitrary commands with the privileges of the httpd daemon. This may be
used to compromise the http server and under certain configurations gain
privileged access.

Currently there are no official vendor patches available which address the
vulnerability described in this advisory. We recommend that sites prevent
the exploitation of this vulnerability by immediately applying the workaround
given in Section III.A. If the package is not required, we recommend that
sites remove it from their systems.

When patches are made available, they should be applied as soon as possible.

We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to your
site.

Note: Development of this advisory was a joint effort of the CERT Coordination
      Center and AUSCERT. This material was also released as AUSCERT advisory
      AA-97.12. 
-----------------------------------------------------------------------------

I.   Description

     A security vulnerability has been reported in the webdist.cgi cgi-bin
     program available with IRIX 5.x and 6.x. webdist.cgi is part of the
     IRIX Mindshare Out Box software package, which allows users to install
     software over a network via a World Wide Web interface.

     webdist.cgi allows webdist(1) to be used via an HTML form interface
     defined in the file webdist.html, which is installed in the default
     document root directories for both the Netsite and Out Box servers.
     
     Due to insufficient checking of the arguments passed to webdist.cgi, it
     may be possible to execute arbitrary commands with the privileges of
     the httpd daemon. This is done via the webdist program.

     When installed, webdist.cgi is accessible by anyone who can connect to
     the httpd daemon. Because of this, the vulnerability may be exploited by
     remote users as well as local users. Even if a site's webserver is
     behind a firewall, it may still be vulnerable.

     Determining if your site is vulnerable
     --------------------------------------
     All sites are encouraged to check their systems for the IRIX Mindshare
     Out Box software package, and in particular the Webdist Software
     package which is a subsystem of the Mindshare Out Box software
     package. To determine if this package is installed, use the command:

     # versions outbox.sw.webdist

     I = Installed, R = Removed 

     Name                   Date        Description 

     I outbox               11/06/96    Outbox Environment, 1.2 
     I outbox.sw            11/06/96    Outbox End-User Software, 1.2 
     I outbox.sw.webdist    11/06/96    Web Software Distribution Tools, 1.2


II.  Impact

     Local and remote users may be able to execute arbitrary commands on
     the HTTP server with the privileges of the httpd daemon. This may be
     used to compromise the http server and under certain configurations
     gain privileged access.


III. Solution

     Currently there are no official vendor patches available which address
     the vulnerability described in this advisory. We recommend that
     sites prevent the exploitation of this vulnerability by immediately
     applying the workaround given in Section III.A or removing the 
     package from their systems (Section III.B).  

     When patches are available, we recommend that sites apply them
     as soon as possible.


     A. Remove execute permissions
 
     Sites should immediately remove the execute permissions on the
     webdist.cgi program to prevent its exploitation. By default, webdist.cgi
     is found in /var/www/cgi-bin/, but sites should check all cgi-bin
     directories for this program.
 
        # ls -l /var/www/cgi-bin/webdist.cgi
        -rwxr-xr-x  1 root  sys  4438 Nov  6 12:44 /var/www/cgi-bin/webdist.cgi
 
        # chmod 400 /var/www/cgi-bin/webdist.cgi
 
        # ls -l /var/www/cgi-bin/webdist.cgi
        -r--------  1 root  sys  4438 Nov  6 12:44 /var/www/cgi-bin/webdist.cgi


     Note that this will prevent all users from using the webdist 
     program from the HTML form interface.


     B. Remove outbox.sw.webdist subsystem

     If the Webdist software is not required, we recommend that sites remove
     it completely from their systems. This can be done with the command:

        # versions remove outbox.sw.webdist
 
     Sites can check that the package has been removed with the command:

        # versions outbox.sw.webdist
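Section III.A points out that webdist.cgi may sit in cgi-bin directories other than the default /var/www/cgi-bin/. The script below is an added example, not part of the CERT advisory: it searches a web root for every copy of webdist.cgi that still carries an execute bit and applies the advisory's chmod 400 workaround to each. The web root and the sandbox files are constructed assumptions; nothing here touches the real /var/www.

```shell
#!/bin/sh
# Added example (not from the advisory): find and neutralise every executable
# copy of webdist.cgi under a web root, not only the default path.

# List every webdist.cgi under $1 that has an execute bit for user, group or other.
# Any of the three matters, because httpd may run as a non-owner user.
find_exec_webdist() {
    find "$1" -type f -name webdist.cgi \
        \( -perm -100 -o -perm -10 -o -perm -1 \) 2>/dev/null
}

# Print how many executable copies remain under $1 (0 means the workaround is complete).
count_exec_webdist() {
    find_exec_webdist "$1" | wc -l | tr -d ' '
}

# Apply the advisory's workaround (chmod 400) to each hit and report the path.
harden_webdist() {
    find_exec_webdist "$1" | while IFS= read -r f; do
        chmod 400 "$f" && echo "hardened: $f"
    done
}

# Constructed sandbox (assumption): two copies of webdist.cgi, one at the
# advisory's default location and one in a second cgi-bin directory, so the
# search is exercised rather than just the default path.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/var/www/cgi-bin" "$demo_root/srv/alt/cgi-bin"
for d in "$demo_root/var/www/cgi-bin" "$demo_root/srv/alt/cgi-bin"; do
    printf '#!/bin/sh\necho placeholder\n' > "$d/webdist.cgi"
    chmod 755 "$d/webdist.cgi"          # the -rwxr-xr-x mode the advisory shows
done
echo "executable copies before: $(count_exec_webdist "$demo_root")"
harden_webdist "$demo_root"
echo "executable copies after:  $(count_exec_webdist "$demo_root")"
ls -l "$demo_root/var/www/cgi-bin/webdist.cgi"   # now -r--------
rm -rf "$demo_root"
```

On a real IRIX host run it as root against the actual document root, since the advisory's files are owned by root and the find is only as complete as the directories it is pointed at.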


IV.  Additional Measures
 
    Sites should consider taking this opportunity to examine their entire
    httpd configuration. In particular, all CGI programs that are not 
    required should be removed, and all those remaining should be examined 
    for possible security vulnerabilities.
 
    It is also important to ensure that all child processes of httpd are
    running as a non-privileged user. This is often a configurable option.
    See the documentation for your httpd distribution for more details.
 
    Numerous resources relating to WWW security are available. The following
    pages may provide a useful starting point. They include links describing
    general WWW security, secure httpd setup, and secure CGI programming.
 
        The World Wide Web Security FAQ:
                http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
 
        NCSA's "Security Concerns on the Web" Page:
                http://hoohoo.ncsa.uiuc.edu/security/
 
    The following book contains useful information including sections on
    secure programming techniques.
 
        _Practical Unix & Internet Security_, Simson Garfinkel and
        Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.

    Please note that the CERT/CC and AUSCERT do not endorse the URLs that
    appear above. If you have any problems with these sites, please contact
    the site administrator.


-----------------------------------------------------------------------------
This advisory is a collaborative effort between AUSCERT and the CERT
Coordination Center. This material was also released as AUSCERT advisory
AA-97.12.

We thank Yuri Volobuev for reporting this problem. We also thank Martin
Nicholls (The University of Queensland) and Ian Farquhar of Silicon Graphics,
Inc. for their assistance in further understanding this problem and its
solution.
-----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response 
and Security Teams (see http://www.first.org/team-info/)


CERT/CC Contact Information 
----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information. 
   Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        ftp://info.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce 

   To be added to our mailing list for advisories and bulletins, send 
   email to
        cert-advisory-request@cert.org 
   In the subject line, type 
        SUBSCRIBE  your-email-address 

---------------------------------------------------------------------------
* Registered U.S. Patent and Trademark Office.

Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.

The CERT Coordination Center is part of the Software Engineering Institute
(SEI). The SEI is sponsored by the U.S. Department of Defense.
---------------------------------------------------------------------------

This file: ftp://info.cert.org/pub/cert_advisories/CA-97.12.webdist
           http://www.cert.org
               click on "CERT Advisories"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history





------- End of Forwarded Message