Title: Vulnerability in NCSA/Apache CGI example code
Released by: CERT
Date: 20th March 1996
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
CERT(*) Advisory CA-96.06
Original issue date: March 20, 1996
Last revised: September 24, 1997
              Updated copyright statement

              A complete revision history is at the end of this file.

Topic: Vulnerability in NCSA/Apache CGI example code
- ------------------------------------------------------------------------------

   The text of this advisory was originally released on March 14, 1996,
   as AUSCERT Advisory AA-96.01, developed by the Australian Computer
   Emergency Response Team. Because of the seriousness of the problem, we
   are reprinting the AUSCERT advisory here with their permission. Only
   the contact information at the end has changed: AUSCERT contact
   information has been replaced with CERT/CC contact information.

   We will update this advisory as we receive additional information.
   Please check advisory files regularly for updates that relate to your site.

   Note: The vulnerability described in this advisory is being actively
   exploited.

=============================================================================

The Australian Computer Emergency Response Team (AUSCERT) has received
information that example CGI code, as found in the NCSA 1.5a-export and APACHE
1.0.3 httpd (and possibly previous distributions of both servers), contains
a security vulnerability.  Programs using this code may be vulnerable to
attack.

The CGI program "phf", included with those distributions, is an example of
such a vulnerable program.  This program may have been installed as part of
the installation process for the httpd.

AUSCERT recommends that sites that have installed any CGI program
incorporating the vulnerable code (such as "phf") apply one of the workarounds
as described in Section 3.

- -----------------------------------------------------------------------------

1.  Description

    A security vulnerability has been reported in example CGI code, as
    provided with the NCSA httpd 1.5a-export and APACHE httpd 1.0.3 (and
    possibly previous distributions of both servers).  The example code
    contains a library function escape_shell_cmd() (in cgi-src/util.c).  This
    function attempts to prevent exploitation of shell-based library calls,
    such as system() and popen(), by placing a backslash in front of shell
    meta-characters found in user-supplied data.  Its list of meta-characters
    omits the newline character, so a newline embedded in a request reaches
    the shell unescaped and is treated as a command separator: whatever
    follows it is executed as a second command.

    Any program which relies on escape_shell_cmd() to prevent exploitation
    of shell-based library calls may be vulnerable to attack.

    In particular, this includes the "phf" program which is also distributed
    with the example code.  Some sites may have installed phf by default,
    even though it is not required to run httpd successfully.

    Any vulnerable program which is installed as a CGI application may allow
    unauthorised activity on the HTTP server.

    Please note that this vulnerability is not in httpd itself, but in CGI
    programs which rely on the supplied escape_shell_cmd() function (but see
    the NASIRC update at the end of this advisory: the NCSA server source
    carries its own copy of the same routine).  Any HTTP server (not limited
    to NCSA or Apache) which has installed CGI programs which rely on
    escape_shell_cmd() may be vulnerable to attack.

    Sites which have the source code to their CGI applications available can
    determine whether their applications may be vulnerable by examining the
    source for usage of the escape_shell_cmd() function which is defined in
    cgi-src/util.c.

    Sites which do not have the source code for their CGI applications
    should contact the distributors of the applications for more information.

    It is important to note that attacks similar to this may succeed
    against any CGI program which has not been written with due
    consideration for security.  Sites using HTTP servers, and in
    particular CGI applications, are encouraged to develop an understanding
    of the security issues involved.  References in Section 4 provide some
    initial pointers in this area.

2.  Impact

    A remote user may retrieve any world-readable files, execute arbitrary
    commands and create files on the server with the privileges of the httpd
    process which answers HTTP requests.  This may be used to compromise the
    http server and, under certain configurations, gain privileged access.

3.  Workarounds

    The use of certain C library calls (including system() and popen()) in
    security critical code (such as CGI programs) has been a notorious source
    of security vulnerabilities.  Good security coding practice usually
    dictates that easily exploitable system or library calls should not be
    used.  While secure CGI coding techniques are beyond the scope of this
    advisory, many useful guidelines are available.

    Sites planning to install or write their own CGI programs are encouraged
    to read the references in Section 4 first.

    3.1.  Remove CGI programs

    Any CGI program which uses the escape_shell_cmd() function and is not
    required should be disabled.  This may be accomplished by removing
    execute permissions from the program or removing the program itself.

    In particular, sites which have installed the "phf" program and do not
    require it should disable it.  The "phf" program is not required to
    run httpd successfully.  Sites requiring "phf" functionality should apply
    one of the workarounds given in sections 3.2 and 3.3.

    3.2.  Rewrite CGI programs

    The intent of the escape_shell_cmd() function is to prevent passing shell
    meta-characters to susceptible library calls.  A more secure approach is
    to avoid the use of these library calls entirely: execute the helper
    program directly (for example with fork() and execve()), passing any
    user-supplied data as a separate argument, so that no shell ever parses
    it.

    AUSCERT recommends that sites which are currently using CGI programs
    which use shell-based library calls (such as system() and popen())
    consider rewriting these programs to remove direct calls to easily
    compromised library functions.

    Sites should note that this is only one aspect of secure programming
    practice.  More details on this approach and other guidelines for secure
    CGI programming may be found in the references in Section 4.

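
    The following is an added example of the rewrite Section 3.2 asks for; it
    is not code from the advisory, from phf, or from the NCSA/Apache
    distributions, and it is in C because that is what the example CGI
    programs are written in.  Instead of building a command string and handing
    it to popen(), the program validates the user-supplied alias against a
    whitelist and then executes the helper directly with fork() and execv(),
    passing the alias as its own argv element.  The "alias=" argument format,
    the 64-character limit and the use of /bin/echo as a stand-in for the
    site's ph client are assumptions made here so the code runs anywhere;
    valid_alias(), run_argv(), lookup_alias(), echo_roundtrip() and
    lookup_rejects() are names chosen for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only what a directory alias legitimately contains (assumed set:
 * letters, digits, '.', '_', '-', at most 64 bytes).  Rejecting anything
 * else up front does not depend on how the value is used afterwards. */
int valid_alias(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 64)
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && *s != '_' && *s != '-')
            return 0;
    return 1;
}

/* Run argv[0] (an absolute path) with the given argument vector and capture
 * up to outlen-1 bytes of its stdout.  No shell sits between us and the
 * program: each argv element arrives as exactly one argument, so ';', '|',
 * '`' and '\n' are inert bytes, not syntax.  Returns the exit status or -1. */
int run_argv(char *const argv[], char *out, size_t outlen)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execv(argv[0], argv);             /* execv: no PATH search, no shell */
        _exit(127);
    }
    close(fds[1]);                        /* parent: drain pipe, then reap */
    size_t n = 0;
    ssize_t r;
    while (n < outlen - 1 && (r = read(fds[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* A phf-style lookup restructured as Section 3.2 recommends: validate, then
 * exec the helper with an argv vector.  /bin/echo stands in for the site's
 * ph client (constructed example).  Returns -2 if the alias is rejected,
 * otherwise the helper's exit status. */
int lookup_alias(const char *alias, char *out, size_t outlen)
{
    if (!valid_alias(alias))
        return -2;                        /* reject; do not try to "escape" */
    char arg[80];
    snprintf(arg, sizeof arg, "alias=%s", alias);
    char *const argv[] = { "/bin/echo", arg, NULL };
    return run_argv(argv, out, outlen);
}

/* Pass s to /bin/echo with no shell and report whether it came back byte for
 * byte (plus echo's trailing newline): nothing in s was interpreted. */
int echo_roundtrip(const char *s)
{
    char out[512], want[512];
    char *const argv[] = { "/bin/echo", (char *)s, NULL };
    if (run_argv(argv, out, sizeof out) != 0)
        return 0;
    snprintf(want, sizeof want, "%s\n", s);
    return strcmp(out, want) == 0;
}

int lookup_rejects(const char *alias)
{
    char out[64];
    return lookup_alias(alias, out, sizeof out) == -2;
}

int main(void)
{
    const char *evil = "x\n/bin/cat /etc/passwd";   /* constructed attacker value */
    printf("lookup_rejects(evil) = %d\n", lookup_rejects(evil));
    printf("echo_roundtrip(evil) = %d (bytes passed through, nothing run)\n",
           echo_roundtrip(evil));
    return 0;
}
```

    The two layers are independent: the whitelist rejects the newline-carrying
    value before anything runs, and even a value that slipped through would
    reach the helper as one inert argument, because no shell is ever asked to
    parse it.  Compare escape_shell_cmd(), which has to enumerate every
    character a shell might treat specially and was one character short.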

    3.3.  Recompile CGI programs with patched util.c

    For sites that still wish to use programs using the escape_shell_cmd()
    function, a patched version of cgi-src/util.c has been made available by
    NCSA which addresses this particular vulnerability.  The patched version
    of util.c is available as part of the http1.5.1b3-export distribution.
    This is available from:

                http://hoohoo.ncsa.uiuc.edu/beta-1.5

    Please note that this is a beta-release of the NCSA httpd and is not a
    stable version of the httpd.  The patched version of cgi-src/util.c may be
    used independently.

    CGI programs which are required and use escape_shell_cmd() should be
    recompiled with the new version of cgi-src/util.c and then reinstalled.

    Apache have reported that they intend to fix this vulnerability in a
    future release.  Until then the patched version of util.c as supplied
    in the http1.5.1b3-export release should be compatible.

4.  Additional measures

    Sites should consider taking this opportunity to examine their httpd
    configuration.  In particular, all CGI programs that are not required
    should be removed, and all those remaining should be examined for possible
    security vulnerabilities.

    It is also important to ensure that all child processes of httpd are
    running as a non-privileged user.  This is often a configurable option.
    See the documentation for your httpd distribution for more details.

    Numerous resources relating to WWW security are available.  The following
    pages provide a useful starting point.  They include links describing
    general WWW security, secure httpd setup and secure CGI programming.

        The World Wide Web Security FAQ:
                http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html

        NCSA's "Security Concerns on the Web" Page:
                http://hoohoo.ncsa.uiuc.edu/security/

    The following book contains useful information including sections on
    secure programming techniques.

        "Practical Unix & Internet Security", Simson Garfinkel and
        Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.

    Please note that the URLs referenced in this advisory are not under
    AUSCERT's control and therefore AUSCERT cannot be responsible for their
    availability or content.  Please contact the administrator of the site in
    question if you encounter any difficulties with the above sites.

- -----------------------------------------------------------------------------
AUSCERT thanks Jeff Uphoff of NRAO, IBM-ERS, NASIRC and Wolfgang Ley of
DFN-CERT for their assistance.
- -----------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures.  AUSCERT takes no responsibility for the consequences of
applying the contents of this document.

==============================================================================

CERT Contact Information
- ------------------------
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact the
CERT staff for more information.

Location of CERT PGP key
         http://info.cert.org/pub/CERT_PGP.key

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

- ------------------------------------------------------------------------------

Copyright 1996,1997 Carnegie Mellon University. Conditions for use,
disclaimers, and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

============================================================================

UPDATES

Similar attacks may succeed against other cgi scripts if the scripts
are written without appropriate care regarding security issues. We
encourage sites to evaluate all programs in their cgi-bin directory
and remove any scripts that are not in active use.

We would like to point out that along with "phf" we have received
reports that "php" programs are also being exploited.

CERT/CC received the following update from NASIRC concerning the
vulnerability described in this advisory:

NEW INFORMATION

   The routine "escape_shell_cmd()" also occurs in the file
   "src/util.c". Note that the files "cgi-src/util.c" and
   "src/util.c" are not identical; however, they both contain an
   identical copy of the routine "escape_shell_cmd()", which has the
   vulnerability.  The file "src/util.c" is used to build the HTTP
   daemon, therefore the "newline" hole exists within the server.

   PATCH

   The patch recommended by NCSA modifies the routine
   "escape_shell_cmd()" to expand the list of characters that it
   will escape.  In the routine "escape_shell_cmd()", the line:

                   if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){

   Must be changed to:

                   if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){

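   The routine in question, reconstructed here as an added example: this is
   not code from the advisory or from the NCSA/Apache distributions, although
   the in-place backslash-escaping algorithm and the two character sets follow
   the lines quoted above.  It serves both the Section 1 description and this
   NASIRC patch: the shipped and the patched escape_shell_cmd() differ only in
   the "\n" appended to the set of characters that receive a backslash.  The
   attacker value is constructed; it is what a query value carrying an
   embedded newline followed by a second command decodes to.  The names
   escape_with_set(), has_unescaped_newline(), escapes_to() and
   newline_survives() are chosen for this example and do not appear in
   util.c.

```c
#include <stdio.h>
#include <string.h>

/* Position of c in s, or -1: the ind() helper used by the quoted line. */
static int ind(const char *s, char c)
{
    for (int x = 0; s[x]; x++)
        if (s[x] == c)
            return x;
    return -1;
}

/* In-place escaping the way the NCSA routine does it: every character found
 * in `special` gets a backslash in front of it, and the tail of the string
 * (including the terminating NUL) is shifted right by one.  cmd must have
 * room to grow to twice its length plus one; callers below use 256 bytes. */
static void escape_with_set(char *cmd, const char *special)
{
    int l = strlen(cmd);
    for (int x = 0; cmd[x]; x++) {
        if (ind(special, cmd[x]) != -1) {
            for (int y = l + 1; y > x; y--)
                cmd[y] = cmd[y - 1];
            l++;                 /* length has increased */
            cmd[x] = '\\';
            x++;                 /* skip the character just escaped */
        }
    }
}

/* Character set shipped in NCSA 1.5a-export / Apache 1.0.3: no newline. */
#define META_SHIPPED "&;`'\"|*?~<>^()[]{}$\\"
/* Character set after the NCSA patch quoted above: newline added. */
#define META_PATCHED "&;`'\"|*?~<>^()[]{}$\\\n"

void escape_shell_cmd_shipped(char *cmd) { escape_with_set(cmd, META_SHIPPED); }
void escape_shell_cmd_patched(char *cmd) { escape_with_set(cmd, META_PATCHED); }

/* 1 if cmd contains a newline preceded by an even number of backslashes,
 * i.e. one a Bourne shell would treat as a command separator. */
int has_unescaped_newline(const char *cmd)
{
    for (int i = 0; cmd[i]; i++) {
        if (cmd[i] != '\n')
            continue;
        int bs = 0;
        for (int j = i - 1; j >= 0 && cmd[j] == '\\'; j--)
            bs++;
        if (bs % 2 == 0)
            return 1;
    }
    return 0;
}

/* Copy `in`, run the given escaper over the copy, compare with `want`. */
int escapes_to(void (*esc)(char *), const char *in, const char *want)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", in);
    esc(buf);
    return strcmp(buf, want) == 0;
}

/* Constructed attacker value: a harmless alias, a newline (URL-encoded %0a
 * on the wire), then a second command.  Returns 1 if the escaper leaves the
 * newline live, so a popen()/system() command line built from the result
 * would run /bin/cat as a separate command. */
int newline_survives(void (*esc)(char *))
{
    char buf[256] = "x\n/bin/cat /etc/passwd";
    esc(buf);
    return has_unescaped_newline(buf);
}

int main(void)
{
    printf("shipped escape_shell_cmd(): newline survives = %d\n",
           newline_survives(escape_shell_cmd_shipped));   /* 1 */
    printf("patched escape_shell_cmd(): newline survives = %d\n",
           newline_survives(escape_shell_cmd_patched));   /* 0 */
    return 0;
}
```

   With the shipped character set the string comes back unchanged, so a
   popen() or system() command line built from it contains a live newline and
   a Bourne shell runs /bin/cat as a second command.  With the patched set the
   newline is backslash-escaped, which the shell reads as line continuation,
   and the injected text stays part of the first command's arguments.  The
   fix still depends on the list being complete; Section 3.2 argues for not
   involving a shell at all.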

   NCSA HTTPD 1.5.1

   Instead of patching the source, the most up-to-date version of
   NCSA HTTPd source may be downloaded from:

http://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/current/httpd_1.5.1-export_source.tar.Z

   MD5 (httpd_1.5.1-export_source.tar.Z) = bcf1fd410b5839c51dc75816a155fbb8

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Sep. 24, 1997  Updated copyright statement
June 4, 1997   Updates section - added information about other cgi programs
               being exploited.
Aug. 30, 1996  Information previously in the README was inserted into the
               advisory.
Apr. 17, 1996  Updates section - added new information provided by the
               NASA Automated Systems Incident Response Capability (NASIRC).

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOBTBH1r9kb5qlZHQEQLQxACgl4LoMAtcMD5S4ahQn7ChlddNMqIAoJqX
J7eaPqMFoITXvOZEpczih/rY
=8Mx1
-----END PGP SIGNATURE-----