HTTP CGI Gives Information

Impact

If a malicious user is able to exploit this vulnerability, he or she may be able to acquire information about the Web server and system settings of the exploited system. In certain circumstances, a hacker may even be able to gather information about user accounts on the affected system. A malicious user may then be able to gain unauthorized access to the system using this information (remember, a hacker's best weapon is knowledge!). For example, if a hacker is able to learn which operating system the target runs, he or she can then tailor certain attacks (such as buffer overflows) to that specific operating system.

Background

The HyperText Transfer Protocol (HTTP) allows a client to access HTML pages and other web applications using a web browser. HTTP servers contain programs called CGI scripts which perform functions on the server at the request of the client (when a form is submitted, for example) and transmit the results to the client's browser in the form of an HTML page.

The Problems

Various programs which may be installed with certain Web servers are vulnerable to exploitation by hackers. These include:

test-cgi:
CVE 1999-0070

When an Apache web server is installed, the test-cgi program is installed by default. This program creates a security hole on the system, as it indiscriminately gives out various system information, such as the directory in which the Web server resides, the OS of the system and even the directory structure of the system. Some versions of the test-cgi program are not vulnerable to probing by a malicious user, and, of course, some versions are. To determine whether your version of test-cgi is vulnerable, use any standard text editor (such as vi) to view the body of the program (which is written in standard shell script). If it contains the line of text found below, it is indeed vulnerable to probing by a malicious user:

If the test-cgi program is present in the Web server's /cgi-bin directory, it may be accessed and exploited using any Web browser. A hacker would simply have to type in the URL below to gain information about the target system:

dumpenv.pl:

This program, written in Perl, displays general environment information about the system on which a Web server resides. This information may include the version of the Web server software in use, path information and information about the system's directory settings.

nph-test-cgi:
CVE 1999-0045

By passing the proper arguments to this program, using any Web browser, a hacker may be able to read the contents of various directories on the target system (regardless of any security settings).

wwwboard.pl:
CVE 1999-0953

Older versions of wwwboard.pl scripts do not perform URL checking before accepting input. If a hacker passes the proper parameters to this particular program (via a form), he or she may be able to remove lists, corrupt various files and wreak general chaos on the Web-based message board. If the wwwboard.pl program is present on the system, SAINT will notify you of this fact (though not all versions of the program contain this vulnerability).

wrap:
CVE 1999-0149

The HTTP (or Web) server shipped with IRIX 6.x comes installed with a Perl script named wrap. A hacker may use this program to view a listing of any directory on the target system with a mode setting of 755, which is, in standard UNIX notation, "rwxr-xr-x". This means that the directory has read, write and execute permissions at the user level and read and execute permissions at the group and world levels. The wrap program is part of the Outbox subsystem installed by default with the HTTP server (beginning with IRIX version 6.2). This vulnerability is often exploited as an information-gathering tool in conjunction with the other vulnerabilities discussed in this tutorial.

finger:

The finger CGI is a program which uses the finger binary to display information about user accounts on a system (this is done via the Web server). This information may contain such things as the type of shell associated with user accounts, login names, last login date and other information a hacker might find useful. This information, if released, might well prove invaluable to a hacker attempting to gain unauthorized access to a target system.

Resolutions

test-cgi:

The best solution for this vulnerability is to remove the test-cgi program. If this is not feasible, simply add quotes to the offending line (see the example below).
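The quoting defect described for test-cgi under The Problems, and the fix recommended here, as an added example that is not part of the original page: it assumes the offending line is an unquoted echo of $QUERY_STRING (an illustrative reconstruction, since the page does not show the actual line) and uses a constructed temporary directory as sample data.

```shell
#!/bin/sh
# Added example, not from the SAINT page. The "vulnerable" line is an
# illustrative reconstruction of an unquoted echo of $QUERY_STRING (assumed;
# the page does not show test-cgi's actual line).

# Create a throwaway directory with two files to stand in for the
# directory the CGI runs in (constructed sample data).
setup_sandbox() {
  dir=$(mktemp -d) || exit 1
  touch "$dir/config.txt" "$dir/index.html"
  printf '%s' "$dir"
}

# Unquoted expansion: the shell word-splits and glob-expands the value,
# so a query string such as "*" is replaced by the directory's file names.
echo_unquoted() {
  QUERY_STRING=$1
  echo QUERY_STRING = $QUERY_STRING
}

# Quoted expansion (the fix): the value stays a literal string.
echo_quoted() {
  QUERY_STRING=$1
  echo "QUERY_STRING = $QUERY_STRING"
}

# Defender check for a script file: exit status 0 if it contains an echo
# of $QUERY_STRING with no double quote before it, 1 otherwise.
has_unquoted_query_string() {
  grep -Eq '^[[:space:]]*echo[^"]*\$QUERY_STRING' "$1"
}

sandbox=$(setup_sandbox)
cd "$sandbox" || exit 1
echo "unquoted: $(echo_unquoted '*')"   # file names are listed
echo "quoted:   $(echo_quoted '*')"     # the literal "*" is printed
cd / && rm -rf "$sandbox"
```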

dumpenv.pl:

It is highly recommended that you remove the dumpenv.pl program from your Web server's /cgi-bin directory. At the very least, you should set some type of access restriction for this particular program. You may wish to, for example, place the program in a password-protected directory. For further protection, you may also wish to restrict which IP addresses may access this program (for information on how to enable password and IP address restrictions, see your Web server's documentation).

nph-test-cgi:

To eliminate this vulnerability, we recommend that you remove this program from the /cgi-bin directory.

wwwboard.pl:

The fix for this vulnerability is to download and install the latest version of wwwboard.pl. Or, if this particular program is not being used, simply remove it from your Web server's /cgi-bin directory.

wrap:

A patch has been issued by Silicon Graphics which corrects the problems found in this program. If the patch cannot be installed, you may apply one of the following workarounds:

1. Change the permissions on /cgi-bin/wrap:

2. Remove the Outbox software.

finger:

If the script is not being used, we strongly recommend that you remove it from the Web server's /cgi-bin directory.

Where can I read more about this?

You may read more about the test-cgi vulnerability at L0pht's Test-cgi Vulnerability page. Also, you may read more about the dumpenv.pl vulnerability at Alberta University's Dump Environment Vulnerability Web site.

For more information about the nph-test-cgi vulnerability, please read CERT Advisory 97.07 or visit NJH Security Consulting.

A good discussion of the wwwboard.pl problem may be found at this Bugtraq archive site. And, finally, you may read more about the wrap vulnerability at a variety of sites (listed below):