[Search for users]
[Overall Top Noters]
[List of all Conferences]
[Download this site]
| Title: | SECURITY_ADVISORY |
| Notice: | Security is Everyone's Responsibility |
| Moderator: | MINOTR::NOBLE |
|
| Created: | Wed Dec 22 1993 |
| Last Modified: | Thu May 29 1997 |
| Last Successful Update: | Fri Jun 06 1997 |
| Number of topics: | 148 |
| Total number of notes: | 459 |
140.0. "Information Only: CERT CA097.12, webdist.cgi" by MINOTR::NOBLE (Your Data, Your Job...Protect Both) Thu May 08 1997 11:55
The Digital Corporate Information Security Group has received the
following external security notice. It should be noted that Digital
does not support the software identified, nor have the reported
problems been verified by Digital.
This third party notice is being provided as information only. No
security action is required. Nor is any recommendation being made with
regards the solution(s) identified.
Should you happen to be using the third party software impacted by
this notice, please use due discretion before implementing any or all
of the solution(s) identified.
If you are an internal user of the software impacted in this notice,
and have any questions regarding this notice, then please contact your
IT Cluster Security Manager. An up-to-date list can be found at URL
http://www-security.mko.dec.com/gen-info/sec-ops.html
-=<>=-
=============================================================================
CERT* Advisory CA-97.12
Original issue date: May 6, 1997
Last revised: --
Topic: Vulnerability in webdist.cgi
- -----------------------------------------------------------------------------
The CERT Coordination Center has received reports of a security
vulnerability in the webdist.cgi cgi-bin program, part of the IRIX
Mindshare Out Box package, available with IRIX 5.x and 6.x. By exploiting
this vulnerability, both local and remote users may be able to execute
arbitrary commands with the privileges of the httpd daemon. This may be
used to compromise the http server and under certain configurations gain
privileged access.
Currently there are no official vendor patches available which address the
vulnerability described in this advisory. We recommend that sites prevent
the exploitation of this vulnerability by immediately applying the workaround
given in Section III.A. If the package is not required, we recommend
removing it from their systems.
When patches are made available, they should be applied as soon as possible.
We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to your
site.
Note: Development of this advisory was a joint effort of the CERT Coordination
Center and AUSCERT. This material was also released as AUSCERT advisory
AA-97.12.
- -----------------------------------------------------------------------------
I. Description
A security vulnerability has been reported in the webdist.cgi cgi-bin
program available with IRIX 5.x and 6.x. webdist.cgi is part of the
IRIX Mindshare Out Box software package, which allows users to install
software over a network via a World Wide Web interface.
webdist.cgi allows webdist(1) to be used via an HTML form interface
defined in the file webdist.html, which is installed in the default
document root directories for both the Netsite and Out Box servers.
Due to insufficient checking of the arguments passed to webdist.cgi, it
may be possible to execute arbitrary commands with the privileges of
the httpd daemon. This is done via the webdist program.
When installed, webdist.cgi is accessible by anyone who can connect to
the httpd daemon. Because of this, the vulnerability may be exploited by
remote users as well as local users. Even if a site's webserver is
behind a firewall, it may still be vulnerable.
Determining if your site is vulnerable
--------------------------------------
All sites are encouraged to check their systems for the IRIX Mindshare
Out Box software package, and in particular the Webdist Software
package which is a subsystem of the Mindshare Out Box software
package. To determine if this package is installed, use the command:
# versions outbox.sw.webdist
I = Installed, R = Removed
Name Date Description
I outbox 11/06/96 Outbox Environment, 1.2
I outbox.sw 11/06/96 Outbox End-User Software, 1.2
I outbox.sw.webdist 11/06/96 Web Software Distribution Tools, 1.2
II. Impact
Local and remote users may be able to execute arbitrary commands on
the HTTP server with the privileges of the httpd daemon. This may be
used to compromise the http server and under certain configurations
gain privileged access.
III. Solution
Currently there are no official vendor patches available which address
the vulnerability described in this advisory. We recommend that
sites prevent the exploitation of this vulnerability by immediately
applying the workaround given in Section III.A or removing the
package from their systems (Section III.B).
When patches are available, we recommend that sites apply them
as soon as possible.
A. Remove execute permissions
Sites should immediately remove the execute permissions on the
webdist.cgi program to prevent its exploitation. By default, webdist.cgi
is found in /var/www/cgi-bin/, but sites should check all cgi-bin
directories for this program.
# ls -l /var/www/cgi-bin/webdist.cgi
-rwxr-xr-x 1 root sys 4438 Nov 6 12:44 /var/www/cgi-bin/webdist.cgi
# chmod 400 /var/www/cgi-bin/webdist.cgi
# ls -l /var/www/cgi-bin/webdist.cgi
-r-------- 1 root sys 4438 Nov 6 12:44 /var/www/cgi-bin/webdist.cgi
Note that this will prevent all users from using the webdist
program from the HTML form interface.
B. Remove outbox.sw.webdist subsystem
If the Webdist software is not required, we recommend that sites remove
it completely from their systems. This can be done with the command:
# versions remove outbox.sw.webdist
Sites can check that the package has been removed with the command:
# versions outbox.sw.webdist
IV. Additional Measures
Sites should consider taking this opportunity to examine their entire
httpd configuration. In particular, all CGI programs that are not
required should be removed, and all those remaining should be examined
for possible security vulnerabilities.
It is also important to ensure that all child processes of httpd are
running as a non-privileged user. This is often a configurable option.
See the documentation for your httpd distribution for more details.
Numerous resources relating to WWW security are available. The following
pages may provide a useful starting point. They include links describing
general WWW security, secure httpd setup, and secure CGI programming.
The World Wide Web Security FAQ:
http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
NSCA's "Security Concerns on the Web" Page:
http://hoohoo.ncsa.uiuc.edu/security/
The following book contains useful information including sections on
secure programming techniques.
_Practical Unix & Internet Security_, Simson Garfinkel and
Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.
Please note that the CERT/CC and AUSCERT do not endorse the URLs that
appear above. If you have any problems with these sites, please contact
the site administrator.
- -----------------------------------------------------------------------------
This advisory is a collaborative effort between AUSCERT and the CERT
Coordination Center. This material was also released as AUSCERT advisory
AA-97.12.
We thank Yuri Volobuev for reporting this problem. We also thank Martin
Nicholls (The University of Queensland) and Ian Farquhar of Silicon Graphics,
Inc. for their assistance in further understanding this problem and its
solution.
- -----------------------------------------------------------------------------
- ---------------------------------------------------------------------------
* Registered U.S. Patent and Trademark Office.
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.
The CERT Coordination Center is part of the Software Engineering Institute
(SEI). The SEI is sponsored by the U.S. Department of Defense.
- ---------------------------------------------------------------------------
| T.R | Title | User | Personal
Name | Date | Lines
|
|---|