From core.lists.bugtraq@CORE-SDI.COM Wed Sep 27 19:16:13 2000
From: Iván Arce
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Wed, 27 Sep 2000 17:40:50 -0300
Subject: [BUGTRAQ] Unixware SCOhelp http server format string vulnerability

CORE SDI Inc.
http://www.core-sdi.com

Unixware SCOhelp http server format string vulnerability

Date Published: 09/27/00
Advisory ID: CORE-092700
Bugtraq ID: 1717
CVE CAN: None currently assigned.
Title: Unixware SCOhelp http server format string vulnerability
Class: Input validation error
Remotely Exploitable: Yes
Locally Exploitable: Yes

Vulnerability Description:

The SCO Unixware 7 default installation includes scohelp, an http server that listens on port 457/tcp and gives access to manual pages and other documentation files. The search CGI script provided for that purpose has a vulnerability that could allow a remote attacker to execute arbitrary code on the vulnerable machine with the privileges of user "nobody". This could result in the remote compromise of the vulnerable host and provide a staging point from which an attacker could escalate privileges.

Vulnerable Packages/Systems:

Unixware 7

Solution/Vendor Information/Workaround:

Contact the vendor for a fix. In the meantime, disabling the http server on port 457/tcp will prevent exploitation of the vulnerability; however, this will also make the documentation unavailable.
The following is a workaround supplied by the vendor:

To apply the workaround to your system you must:

1) Log into the system as root
2) cd /usr/ns-home/httpd-scohelphttp/search97
3) mkdir ./securebin
4) mv ./bin/vtopic ./securebin
5) Using your favourite editor, create a new version of vtopic in the /usr/ns-home/httpd-scohelphttp/search97/bin directory containing the following:

--------------------------------------------------------------------
#!/bin/sh

VERITYBIN=/usr/ns-home/httpd-scohelphttp/search97/bin
SECUREBIN=/usr/ns-home/httpd-scohelphttp/search97/securebin

configPath=$VERITYBIN/inetsrch.ini
export configPath

# If POST method, convert to QUERY_STRING
if [ -z "$QUERY_STRING" ]
then
    POST=1
    eval `$VERITYBIN/cgiparse -init`
else
    POST=0
fi

# Exit if not set
if [ -z "$QUERY_STRING" ]
then
    exit 1
fi

# Now strip out insecure character %25
QUERY_STRING=`echo "$QUERY_STRING" | sed "s/%25/+/g"`

# First check for multiple ViewTemplate fields
# which could fool vtopic
COUNT=`$VERITYBIN/cgiparse -count -value ViewTemplate 2> /dev/null`
if [ "$COUNT" -gt 1 ]
then
    exit 1
fi

# Next check for multiple ResultTemplate fields
# which could fool vtopic
COUNT=`$VERITYBIN/cgiparse -count -value ResultTemplate 2> /dev/null`
if [ "$COUNT" -gt 1 ]
then
    exit 1
fi

# Now check for correct path in ViewTemplate if it has one
# (cgiparse is invoked by its full path, as above, so the check
# does not depend on PATH)
if echo "$QUERY_STRING" | egrep -i '&ViewTemplate=' > /dev/null 2>&1
then
    MATCH=`$VERITYBIN/cgiparse -value ViewTemplate 2> /dev/null | egrep -i '[-A-Za-z0-9_.]+/_SearchTemplates/docview.hts'`
    if [ -z "$MATCH" ]
    then
        exit 1
    fi
fi

# Now check for correct path in ResultTemplate if it has one
if echo "$QUERY_STRING" | egrep -i '&ResultTemplate=' > /dev/null 2>&1
then
    MATCH=`$VERITYBIN/cgiparse -value ResultTemplate 2> /dev/null | egrep -i '[-A-Za-z0-9_.]+/_SearchTemplates/result.hts'`
    if [ -z "$MATCH" ]
    then
        exit 1
    fi
fi

# OK, so proceed
if [ "$POST" -eq 1 ]
then
    export CONTENT_LENGTH
    echo "$QUERY_STRING" | $SECUREBIN/vtopic
else
    export QUERY_STRING
    $SECUREBIN/vtopic
fi
--------------------------------------------------------------------

6) chmod +x vtopic

This script acts as a wrapper to the vtopic binary and blocks queries that can:

1) Allow a remote user to request to view a world readable file like /etc/passwd
2) Cause a failure like the one described in your email to SCO.

Vendor notified on: September 11th, 2000

Credits:

This vulnerability was discovered by Juliano Rizzo of CORE SDI Inc., Buenos Aires, Argentina.

This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail vulnhelp@securityfocus.com.

Fix information and the workaround were provided by the SCO Security Group, which can be contacted at security-alert@sco.com.

Technical Description - Exploit/Concept Code:

There is a user-supplied format string bug in the vtopic CGI script that could be abused to execute arbitrary code.

By sending a request with the following URI:

http://target:457/search97cgi/vtopic?Action=\
FilterSearch&filter=&queryText=%25x

the server will elicit the following response:

--
Internal error: STR_sprintf: Invalid format (Error E1-0142 (Query Builder): Invalid character '%' (0x25))
Result           Search failed: -40
Result           Error E1-0142 (Query Builder): Invalid character '
Result           Error E1-0130 (Query Builder): Syntax error in query string near character 1
Result           Error E1-0133 (Query Builder): Error parsing query: 81888e0
Result           VdkSearchNew failed, error -40
Result           Request failed for REQUEST_METHOD=, QUERY_STRING=
Component        Component (vsearch) failed in processing request, -2
Action           Action (FilterSearch) failed while processing request in component (vsearch), -2
Service Manager  Action (FilterSearch) failed in processing request, -2
S97IS            Service manager failed to process request
--

Note the line:

Error E1-0133 (Query Builder): Error parsing query: 81888e0

This shows that the %x passed as the "queryText" value is being interpreted as a format directive rather than as literal query text: a hexadecimal value (81888e0) is printed where the query text should appear.
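The bug class behind that error line, as an added C example that is not code from SCO, Verity or this advisory: build_error_unsafe() reproduces the pattern of handing user text to a printf-style routine as the format string, build_error_safe() is the fix, and decoded_has_percent() applies the condition the vendor wrapper enforces (no '%' reaching vtopic once "%25" has been decoded). The function names, the "Error parsing query:" prefix and the sample query string are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
/* Vulnerable pattern: the caller's text becomes the format string, so a
 * queryText of "%x" makes snprintf read an argument that was never passed
 * (the hex value in the advisory's "Error parsing query" line). gcc/clang
 * flag this with -Wformat-security; the pragma lets the wrong line compile. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int build_error_unsafe(char *out, size_t n, const char *query_text) {
    return snprintf(out, n, query_text);   /* BUG: user text as format */
}
#pragma GCC diagnostic pop
/* Fixed pattern: constant format, user text as a %s argument, so "%x" is
 * copied literally instead of being interpreted. */
int build_error_safe(char *out, size_t n, const char *query_text) {
    return snprintf(out, n, "Error parsing query: %s", query_text);
}
static int hexval(char c) {                  /* -1 if c is not a hex digit */
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                               /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Decode QUERY_STRING as the CGI layer will ("%25" -> '%', '+' -> ' ') and
 * return 1 if a '%' survives in the decoded text: the condition the vendor
 * wrapper prevents by rewriting "%25" before vtopic sees the query. */
int decoded_has_percent(const char *encoded, char *out, size_t n) {
    size_t o = 0;
    int found = 0, hi, lo;
    for (const char *p = encoded; *p != '\0' && o + 1 < n; p++) {
        if (*p == '%' && (hi = hexval(p[1])) >= 0 && (lo = hexval(p[2])) >= 0) {
            out[o] = (char)(hi * 16 + lo);
            p += 2;
        } else {
            out[o] = (*p == '+') ? ' ' : *p;
        }
        if (out[o] == '%') found = 1;
        o++;
    }
    out[o] = '\0';
    return found;
}

int main(void) {
    char dec[128], msg[128];                 /* constructed sample request */
    int bad = decoded_has_percent("queryText=%25x", dec, sizeof dec);
    build_error_safe(msg, sizeof msg, dec + 10);   /* text after "queryText=" */
    printf("decoded=\"%s\" percent=%d safe=\"%s\"\n", dec, bad, msg);
    return 0;
}
```

The unsafe routine behaves identically to the safe one on benign text, which is why this class of bug survives ordinary testing; only input containing '%' separates the two.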
By supplying a carefully built value for the queryText argument, an attacker can change the program flow and execute arbitrary code.

DISCLAIMER:

The contents of this advisory are copyright (c) 2000 CORE SDI Inc. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

$Id: SCOhelphttp-advisory.txt,v 1.6 2000/09/27 20:36:34 iarce Exp $

--
"Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house. Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse."
- Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : iarce@core-sdi.com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

---
For a personal reply use iarce@core-sdi.com