Title: Unixware SCOhelp http server format string vulnerability
Released by: CORE SDI
Date: 27th September 2000
                                               CORE SDI Inc.
                                       http://www.core-sdi.com


              Unixware SCOhelp http server format string vulnerability


Date Published: 09/27/00

Advisory ID: CORE-092700

Bugtraq ID: 1717

CVE CAN: None currently assigned.

Title: Unixware SCOhelp http server format string vulnerability

Class: Input validation error

Remotely Exploitable: Yes

Locally Exploitable: Yes

Vulnerability Description:

 SCO Unixware 7 default installation includes scohelp, an http
 server that listens on port 457/tcp and allows access to manual
 pages and other documentation files. The search CGI program provided
 for that purpose (vtopic) has a format string vulnerability that
 allows any remote attacker to execute arbitrary code on the vulnerable
 machine with the privileges of user "nobody".

 This poses a threat that could result in the remote compromise of
 the vulnerable host and provide a staging point from which an attacker
 could escalate privileges.


Vulnerable Packages/Systems:

 Unixware 7


Solution/Vendor Information/Workaround:

 Contact the vendor for a fix.

 In the meantime, disabling the http server on port 457/tcp
 will prevent exploitation of the vulnerability. However, this
 will also make the documentation unavailable.

 The following is a workaround supplied by the vendor:
 To apply the workaround to your system you must:

 1) Log into the system as root

 2) cd /usr/ns-home/httpd-scohelphttp/search97

 3) mkdir ./securebin

 4) mv ./bin/vtopic ./securebin

 5) Using your favourite editor create a new version of vtopic
    in the /usr/ns-home/httpd-scohelphttp/search97/bin
    directory containing the following:

--------------------------------------------------------------------
#!/bin/sh
# Wrapper around the original vtopic binary (now in securebin).  It
# sanitises the query and rejects suspicious requests before the real
# binary ever sees them.
VERITYBIN=/usr/ns-home/httpd-scohelphttp/search97/bin
SECUREBIN=/usr/ns-home/httpd-scohelphttp/search97/securebin
configPath=$VERITYBIN/inetsrch.ini
export configPath

# If POST method, read the body and convert it to QUERY_STRING
if [ -z "$QUERY_STRING" ]
then
        POST=1
        eval `$VERITYBIN/cgiparse -init`
else
        POST=0
fi

# Exit if still not set
if [ -z "$QUERY_STRING" ]
then
        exit 1
fi

# Now strip out the insecure character %25 (the URL encoding of '%').
# Without a '%' in the decoded value there is no format directive
# for the vulnerable sprintf to interpret.
QUERY_STRING=`echo "$QUERY_STRING" | sed "s/%25/+/g"`

# First check for multiple ViewTemplate fields
# which could fool vtopic (an empty COUNT, e.g. cgiparse failing,
# is treated as 0)
COUNT=`$VERITYBIN/cgiparse -count -value ViewTemplate 2> /dev/null`
if [ "${COUNT:-0}" -gt 1 ]
then
        exit 1
fi

# Then check for multiple ResultTemplate fields
# which could fool vtopic
COUNT=`$VERITYBIN/cgiparse -count -value ResultTemplate 2> /dev/null`
if [ "${COUNT:-0}" -gt 1 ]
then
        exit 1
fi

# Now check for correct path in ViewTemplate if it has one.
# cgiparse is called by its full path, as in the checks above, rather
# than relying on the web server's PATH.  The pattern also matches a
# ViewTemplate given as the first parameter (the original only looked
# for '&ViewTemplate=').  The template path pattern is left as the
# vendor supplied it; note that it is not anchored.
if echo "$QUERY_STRING" | egrep -i '(^|&)ViewTemplate=' > /dev/null 2>&1
then
        MATCH=`$VERITYBIN/cgiparse -value ViewTemplate 2> /dev/null | egrep -i '[-A-Za-z0-9_.]+/_SearchTemplates/docview.hts'`
        if [ -z "$MATCH" ]
        then
                exit 1
        fi
fi

# Now check for correct path in ResultTemplate if it has one
if echo "$QUERY_STRING" | egrep -i '(^|&)ResultTemplate=' > /dev/null 2>&1
then
        MATCH=`$VERITYBIN/cgiparse -value ResultTemplate 2> /dev/null | egrep -i '[-A-Za-z0-9_.]+/_SearchTemplates/result.hts'`
        if [ -z "$MATCH" ]
        then
                exit 1
        fi
fi

# OK, so proceed
if [ "$POST" -eq 1 ]
then
        # The %25 substitution shortened the body, so recompute
        # CONTENT_LENGTH (without echo's trailing newline) instead of
        # forwarding the client's original value
        CONTENT_LENGTH=`echo "$QUERY_STRING" | wc -c | sed 's/^ *//'`
        CONTENT_LENGTH=`expr $CONTENT_LENGTH - 1`
        export CONTENT_LENGTH
        echo "$QUERY_STRING" | $SECUREBIN/vtopic
else
        export QUERY_STRING
        $SECUREBIN/vtopic
fi
--------------------------------------------------------------------



6) chmod +x vtopic

This script acts as a wrapper to the vtopic binary and blocks
queries that can:

  1) Allow a remote user to request to view a world readable file
     like /etc/passwd

  2) Cause a failure like the one described in your email to SCO.


Vendor notified on: September 11th, 2000

Credits:

 This vulnerability was discovered by Juliano Rizzo of CORE SDI Inc.,
 Buenos Aires, Argentina.

 This advisory was drafted with the help of the SecurityFocus.com
 Vulnerability Help Team. For more information or assistance drafting
 advisories please mail vulnhelp@securityfocus.com.

 Fix information and the workaround were provided by the SCO Security Group.
 It can be contacted at security-alert@sco.com


Technical Description - Exploit/Concept Code:

 There is a user-supplied format string bug in the vtopic CGI program:
 the value of the queryText parameter reaches a printf-style routine as
 the format string rather than as an argument, so it can be abused to
 execute arbitrary code. Send a request with the following URI (%25 is
 the URL encoding of '%', so after decoding the server sees queryText=%x):

  http://target:457/search97cgi/vtopic?Action=\
  FilterSearch&filter=&queryText=%25x

 The server returns the following response:
--
Internal error: STR_sprintf: Invalid format (Error E1-0142 (Query Builder): Invalid character '%' (0x25))

Result
Search failed: -40

Result
Error E1-0142 (Query Builder): Invalid character '

Result
Error E1-0130 (Query Builder): Syntax error in query string near character 1

Result
Error E1-0133 (Query Builder): Error parsing query: 81888e0

Result
VdkSearchNew failed, error -40

Result
Request failed for REQUEST_METHOD=, QUERY_STRING=

Component
Component (vsearch) failed in processing request, -2

Action
Action (FilterSearch) failed while processing request in component (vsearch), -2

Service Manager
Action (FilterSearch) failed in processing request, -2
S97IS Service manager failed to process request
--

 Note the line:
  Error E1-0133 (Query Builder): Error parsing query: 81888e0

 The hexadecimal value 81888e0 is the output of the %x directive: the
 queryText value was used as the format string, so %x printed the
 contents of the next argument slot instead of the literal text "%x"
 being echoed back. Supplying a carefully built value for the queryText
 argument, an attacker can change the program flow and execute
 arbitrary code.


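 The request path described above, as an added example (this is not code
 from the advisory, CORE SDI or SCO): a small CGI-style URL decoder, a
 check that counts printf conversions in a decoded value, the safe sprintf
 pattern beside the unsafe one that the "STR_sprintf: Invalid format"
 message points to, and a model of what the vendor wrapper's sed
 substitution does to the raw query string before decoding. The function
 names and the "Error parsing query:" message text are assumptions for
 illustration; the input is the query string from the proof-of-concept URI
 above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the advisory or the vendor.  Function names
 * and the message text are assumptions chosen to mirror the page.
 */

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes and '+' the way a CGI does before using a parameter.
 * Writes a NUL-terminated string into out; returns the decoded length.
 * A malformed escape (e.g. "%x") is passed through unchanged. */
size_t url_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        if (in[i] == '%' && in[i + 1] != '\0' && in[i + 2] != '\0') {
            int h = hexval(in[i + 1]), l = hexval(in[i + 2]);
            if (h >= 0 && l >= 0) {
                out[o++] = (char)(h * 16 + l);
                i += 2;
                continue;
            }
        }
        out[o++] = (in[i] == '+') ? ' ' : in[i];
    }
    out[o] = '\0';
    return o;
}

/* Count printf conversions in s.  "%%" is a literal and is not counted.
 * A non-zero result means s must never be used as a format argument:
 * %x reads memory, %n writes to it. */
int count_directives(const char *s)
{
    int n = 0;
    while (*s != '\0') {
        if (*s++ != '%') continue;
        if (*s == '%') { s++; continue; }
        /* flags, width, precision and length modifiers */
        while (*s != '\0' && strchr("-+ #0123456789.*hlLqjzt$", *s) != NULL) s++;
        if (*s != '\0' && strchr("diouxXeEfFgGaAcspn", *s) != NULL) { n++; s++; }
    }
    return n;
}

/* The unsafe pattern behind the advisory's "STR_sprintf: Invalid format":
 *     sprintf(out, query);        -- attacker text IS the format string
 * It is not called here because doing so with "%x" is undefined behaviour.
 * The hardened form passes the untrusted value as a %s argument. */
int safe_report(char *out, size_t outsz, const char *query)
{
    return snprintf(out, outsz, "Error parsing query: %s", query);
}

/* What the vendor wrapper's  sed "s/%25/+/g"  does to the raw query string
 * before any decoding: the %25 spelling of '%' becomes '+', so the decoded
 * parameter no longer contains a '%' for a format routine to interpret. */
void strip_encoded_percent(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        if (strncmp(in + i, "%25", 3) == 0) {
            out[o++] = '+';
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
}

int main(void)
{
    /* Query string taken from the advisory's proof-of-concept URI. */
    const char *raw = "Action=FilterSearch&filter=&queryText=%25x";
    char decoded[128], stripped[128], msg[128];

    url_decode(raw, decoded, sizeof decoded);
    printf("decoded:       %s  (directives=%d)\n", decoded, count_directives(decoded));

    strip_encoded_percent(raw, stripped, sizeof stripped);
    url_decode(stripped, decoded, sizeof decoded);
    printf("after wrapper: %s  (directives=%d)\n", decoded, count_directives(decoded));

    safe_report(msg, sizeof msg, "%x");
    printf("safe_report:   %s\n", msg);
    return 0;
}
```

 The substitution only covers the %25 spelling of the percent sign; how
 the real decoder in vtopic treats a malformed escape such as a bare %x is
 not stated in the advisory, so the wrapper should be treated as the
 stopgap the advisory calls it, with the vendor fix applied when available.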

DISCLAIMER:

 The contents of this advisory are copyright (c) 2000 CORE SDI Inc. and may
 be distributed freely provided that no fee is charged for this distribution
 and proper credit is given.

$Id: SCOhelphttp-advisory.txt,v 1.6 2000/09/27 20:36:34 iarce Exp $

--
"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house. Its nature and laws have
 been exhaustively expounded by Locke, who rode a house, and Kant, who
 lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
President
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce@core-sdi.com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.              Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================