RE: [cgiwrap-users] RE: Format strings vuln in CGIwrap
From: Neulinger, N. <nn...@um...> - 2003-04-23 17:04:57
In any case, I've changed this in cvs so as to avoid setting off any future false-alarms.

------------------------------------------------------------
Nathan Neulinger                       EMail:  nn...@um...
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216

> -----Original Message-----
> From: Neulinger, Nathan
> Sent: Wednesday, April 23, 2003 11:59 AM
> To: b0f www.b0f.net; bu...@se...
> Cc: cgi...@li...
> Subject: [cgiwrap-users] RE: Format strings vuln in CGIwrap
>
> This is not a security problem. This is a case of using an automated
> tool to find these vulnerabilities and not attempting to understand the
> code itself.
>
> Nowhere in the code is MSG_Error_General() passed anything other than a
> static compiled-into-the-executable string. It's purely a utility
> function to wrap common error text/footer/etc. around a generic string.
>
> -- Nathan
>
> ------------------------------------------------------------
> Nathan Neulinger                       EMail:  nn...@um...
> University of Missouri - Rolla         Phone: (573) 341-4841
> Computing Services                       Fax: (573) 341-4216
>
> > -----Original Message-----
> > From: security-bounces+nneul=u...@li...
> > [mailto:security-bounces+nneul=u...@li...] On Behalf Of b0f www.b0f.net
> > Sent: Wednesday, April 23, 2003 11:06 AM
> > To: bu...@se...
> > Subject: Format strings vuln in CGIwrap
> >
> > A locally and possibly remotely exploitable format strings bug exists
> > in cgiwrap available from
> > http://cgiwrap.sourceforge.net/
> > http://sourceforge.net/projects/cgiwrap
> > http://www.freebsd.org/ports/security.html
> >
> > I. BACKGROUND
> >
> > This is CGIWrap - a gateway that allows more secure user access to
> > CGI programs on an HTTPd server than is provided by the http server
> > itself. The primary function of CGIWrap is to make certain that
> > any CGI script runs with the permissions of the user who installed
> > it, and not those of the server.
> >
> > CGIWrap works with NCSA httpd, Apache, CERN httpd, NetSite Commerce
> > and Communications servers, and probably any other Unix based web
> > server software that supports CGI.
> >
> > II. DESCRIPTION
> >
> > On line 91 of msgs.c the printf() function is used incorrectly, which
> > results in a format strings vulnerability.
> > <snip>
> > void MSG_Error_General(char *message)
> > {
> >     MSG_Header("CGIWrap Error", message);
> >     printf(message);
> >     MSG_Footer();
> >     exit(1);
> > }
> > </snip>
> >
> > The binaries in cgiwrap, (cgiwrap and nph-cgiwrap) are installed setuid
> > root. Thus could make this format problem exploitable locally to gain
> > root privs or possibly remotely to gain root or the privs of the user
> > who owns the cgi script.
> >
> > III. ANALYSIS
> >
> > An attacker could exploit this issue to escalate privs locally or
> > remotely on a server running cgiwrap.
> >
> > IV. DETECTION
> >
> > This is vulnerable in the latest version of cgiwrap version 3.7.1 and
> > properly older versions (not checked). It would be exploitable on any
> > Linux/Unix based OS running cgiwrap
> >
> > V. VENDOR
> >
> > The vendor has not been contacted about this issue.
> >
> > Regards
> > b0f (Alan M)
> > www.b0f.net
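
The thread above turns on whether the string that reaches `printf()` as its format argument is always a compile-time literal. The following is an added example, not CGIwrap's code and not the change committed to cvs: it puts the flagged call form next to a form that passes the message as data. The names `render_flagged`, `render_fixed` and `forms_agree` and the sample messages are constructed for illustration, and only `%%` is used so the behaviour is fully defined.

```c
#include <stdio.h>
#include <string.h>

/* Flagged form: the message itself is the format string, as in
 * printf(message). Any '%' in it is interpreted by the formatter.
 * The warning is silenced only so this "before" form compiles cleanly. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int render_flagged(char *out, size_t n, const char *message)
{
    return snprintf(out, n, message);
}
#pragma GCC diagnostic pop

/* Fixed form: a literal format, with the message passed as data. */
int render_fixed(char *out, size_t n, const char *message)
{
    return snprintf(out, n, "%s", message);
}

/* Returns 1 if both forms produce the same bytes for this message. */
int forms_agree(const char *message)
{
    char a[128], b[128];
    render_flagged(a, sizeof a, message);
    render_fixed(b, sizeof b, message);
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Constructed sample messages, not CGIwrap's real error texts. */
    const char *plain = "Script file not found.";
    const char *pct   = "Disk quota at 100%% of limit.";

    printf("plain message, forms agree: %d\n", forms_agree(plain));
    printf("message with '%%', forms agree: %d\n", forms_agree(pct));
    return 0;
}
```

Removing the pragma lets `-Wformat -Wformat-security` report the first function regardless of what its callers pass, which is why a call site fed only static strings still gets flagged.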