
-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT* Advisory CA-97.12
Original issue date: May 6, 1997
Last revised: May 7, 1997
              Introduction - Corrected the AUSCERT advisory number.
              Acknowledgments - Corrected the AUSCERT advisory number
                                and removed a company name.

Topic: Vulnerability in webdist.cgi
-----------------------------------------------------------------------------

The CERT Coordination Center has received reports of a security
vulnerability in the webdist.cgi cgi-bin program, part of the IRIX
Mindshare Out Box package, available with IRIX 5.x and 6.x. By exploiting
this vulnerability, both local and remote users may be able to execute
arbitrary commands with the privileges of the httpd daemon. This may be
used to compromise the http server and under certain configurations gain
privileged access.

Currently there are no official vendor patches available which address the
vulnerability described in this advisory. We recommend that sites prevent
the exploitation of this vulnerability by immediately applying the workaround
given in Section III.A. If the package is not required, we recommend
removing it from the system (Section III.B).

When patches are made available, they should be applied as soon as possible.

We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to your
site.

Note: Development of this advisory was a joint effort of the CERT Coordination
Center and AUSCERT. This material was also released as AUSCERT advisory
AA-97.14.
-----------------------------------------------------------------------------

I. Description

   A security vulnerability has been reported in the webdist.cgi cgi-bin
   program available with IRIX 5.x and 6.x. webdist.cgi is part of the
   IRIX Mindshare Out Box software package, which allows users to install
   software over a network via a World Wide Web interface.

   webdist.cgi allows webdist(1) to be used via an HTML form interface
   defined in the file webdist.html, which is installed in the default
   document root directories for both the Netsite and Out Box servers.

   Due to insufficient checking of the arguments passed to webdist.cgi, it
   may be possible to execute arbitrary commands with the privileges of
   the httpd daemon. The commands are executed via the webdist program.

   When installed, webdist.cgi is accessible by anyone who can connect to
   the httpd daemon. Because of this, the vulnerability may be exploited by
   remote users as well as local users. Even if a site's webserver is
   behind a firewall, it may still be vulnerable: the attack is carried in
   an ordinary HTTP request to the CGI program, so any firewall rule that
   allows HTTP access to the server also allows the attack.
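
   The argument-checking failure described above belongs to a common CGI
   bug class: a form field is handed to a command-line tool through a
   shell, so shell metacharacters in the field become additional commands.
   The script below is an added illustration of that class written for this
   advisory; it is not the code of webdist.cgi or webdist(1), which the
   advisory does not reproduce, and the names fake_tool, unsafe_cgi and
   safe_cgi and the field name "distdir" are assumptions. The field value is
   assumed to have been URL-decoded already.

```sh
#!/bin/sh
# Added illustration of the CGI bug class in Section I.  Hypothetical code:
# it is NOT webdist.cgi, and the field name "distdir" is an assumption.

# Stand-in for the command-line tool that the CGI program front-ends
# (webdist(1) in the advisory).  It only reports the arguments it received.
fake_tool() {
    printf 'tool invoked with: %s\n' "$*"
}

# VULNERABLE pattern: the form field is spliced into a command line that the
# shell re-parses.  A value such as 'dist; echo INJECTED' runs a second
# command with the privileges of the httpd daemon.
unsafe_cgi() {
    distdir=$1                       # field value, assumed already URL-decoded
    eval "fake_tool $distdir"        # shell metacharacters are honoured
}

# HARDENED pattern: accept only the characters a distribution directory name
# can legitimately contain, reject traversal and absolute paths, and pass the
# value as a single argument so the shell never re-parses it.
safe_cgi() {
    distdir=$1
    case $distdir in
        '' | *[!A-Za-z0-9._/-]* | *..* | /*)
            printf 'rejected field value: %s\n' "$distdir" >&2
            return 1 ;;
    esac
    fake_tool "$distdir"
}
```

   The important difference is not the allowlist alone but that the hardened
   version never lets the shell re-parse the value; the allowlist then
   limits what the tool itself can be asked to do.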

   Determining if your site is vulnerable
   --------------------------------------
   All sites are encouraged to check their systems for the IRIX Mindshare
   Out Box software package, and in particular the Webdist Software
   package which is a subsystem of the Mindshare Out Box software
   package. To determine if this package is installed, use the command:

      # versions outbox.sw.webdist

      I = Installed, R = Removed

         Name                 Date      Description

      I  outbox               11/06/96  Outbox Environment, 1.2
      I  outbox.sw            11/06/96  Outbox End-User Software, 1.2
      I  outbox.sw.webdist    11/06/96  Web Software Distribution Tools, 1.2


II. Impact

   Local and remote users may be able to execute arbitrary commands on
   the HTTP server with the privileges of the httpd daemon. This may be
   used to compromise the http server and under certain configurations
   gain privileged access.


III. Solution

   Currently there are no official vendor patches available which address
   the vulnerability described in this advisory. We recommend that
   sites prevent the exploitation of this vulnerability by immediately
   applying the workaround given in Section III.A or removing the
   package from their systems (Section III.B).

   When patches are available, we recommend that sites apply them
   as soon as possible.


   A. Remove execute permissions

      Sites should immediately remove the execute permissions on the
      webdist.cgi program to prevent its exploitation. By default, webdist.cgi
      is found in /var/www/cgi-bin/, but sites should check all cgi-bin
      directories for this program.

         # ls -l /var/www/cgi-bin/webdist.cgi
         -rwxr-xr-x    1 root     sys         4438 Nov  6 12:44 /var/www/cgi-bin/webdist.cgi

         # chmod 400 /var/www/cgi-bin/webdist.cgi

         # ls -l /var/www/cgi-bin/webdist.cgi
         -r--------    1 root     sys         4438 Nov  6 12:44 /var/www/cgi-bin/webdist.cgi

      Note that this will prevent all users from using the webdist
      program from the HTML form interface. Mode 400 leaves the file
      readable by root only, so the httpd daemon, which should be running
      as an unprivileged user, can neither execute nor read it. Note also
      that reinstalling or upgrading the outbox subsystem may restore the
      original permissions, so the check above should be repeated after
      any such installation.

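      The advisory asks sites to check all cgi-bin directories, not only the
      default one. The script below is an added example for this advisory,
      not a tool shipped with IRIX or the Out Box package: it locates every
      copy of webdist.cgi under a set of web roots, reports any copy that is
      still executable, and applies the chmod 400 workaround to each. /var/www
      is the default named above; the other roots in DEFAULT_ROOTS are
      assumptions for servers installed elsewhere and should be edited to
      match the site. The function names are likewise assumptions.

```sh
#!/bin/sh
# Added example (not part of the advisory): locate every copy of webdist.cgi
# under one or more web roots, report copies that are still executable, and
# apply the Section III.A workaround (chmod 400) to each.  /var/www is the
# IRIX default named in the advisory; the other roots below are assumptions
# for servers installed under a non-default directory and may need editing.
# Paths are assumed to contain no whitespace.

DEFAULT_ROOTS="/var/www /usr/ns-home /usr/local/etc/httpd"

# Print the path of every webdist.cgi found under the given roots
# (or under DEFAULT_ROOTS when no roots are given).  Missing roots are skipped.
find_webdist() {
    [ $# -gt 0 ] || set -- $DEFAULT_ROOTS
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f -name webdist.cgi -print
    done
}

# Report each copy; exit status 1 if any copy is still executable, else 0.
check_webdist() {
    status=0
    for f in $(find_webdist "$@"); do
        if [ -x "$f" ]; then
            printf 'STILL EXECUTABLE: %s\n' "$f"
            status=1
        else
            printf 'disabled:         %s\n' "$f"
        fi
    done
    return $status
}

# Apply the workaround from Section III.A to every copy found.
disable_webdist() {
    for f in $(find_webdist "$@"); do
        chmod 400 "$f" && printf 'chmod 400 %s\n' "$f"
    done
}
```

      A typical use, run as root, is to source the file and then run
      check_webdist, followed by disable_webdist if any copy is reported as
      still executable; rerunning check_webdist afterwards should exit 0.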

   B. Remove outbox.sw.webdist subsystem

      If the Webdist software is not required, we recommend that sites remove
      it completely from their systems. This can be done with the command:

         # versions remove outbox.sw.webdist

      Sites can check that the package has been removed with the command:

         # versions outbox.sw.webdist

      After removal the outbox.sw.webdist subsystem should be listed with
      an R (Removed) flag rather than I (Installed), following the legend
      shown in Section I.

IV. Additional Measures

   Sites should consider taking this opportunity to examine their entire
   httpd configuration. In particular, all CGI programs that are not
   required should be removed, and all those remaining should be examined
   for possible security vulnerabilities.

   It is also important to ensure that all child processes of httpd are
   running as a non-privileged user. This is often a configurable option.
   See the documentation for your httpd distribution for more details.

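   One way to confirm that httpd children have dropped privileges is to
   look at the process table: the master listener may need to be root in
   order to bind port 80, but any httpd process whose parent is not init
   should be running as an unprivileged user such as nobody. The script
   below is an added example written for this advisory and is not an IRIX
   or httpd tool. The function names and the sample ps output are
   assumptions; the sample output is constructed, not captured from a real
   system, and the ps options shown are those of a Linux/BSD-style ps, so
   IRIX ps may need different options.

```sh
#!/bin/sh
# Added example (not part of the advisory): flag httpd processes that are
# running as root even though they are not the master listener.  The master
# may need root to bind port 80; its children, which run CGI programs such as
# webdist.cgi, should not.  The ps options and the sample output below are
# for a Linux/BSD-style ps; IRIX ps may need different options.

# Read "user pid ppid command" lines on stdin (header line included) and print
# one "pid user command" line for each root-owned process whose command matches
# $1 and whose parent is not init (PID 1), i.e. each root-owned child.
privileged_children() {
    awk -v name="${1:-httpd}" '
        NR > 1 && $4 ~ name && $1 == "root" && $3 != 1 { print $2, $1, $4 }
    '
}

# Live check on the current machine; exit status 1 if any root-owned child exists.
check_httpd_children() {
    found=$(ps -eo user,pid,ppid,comm | privileged_children "${1:-httpd}")
    if [ -n "$found" ]; then
        printf 'httpd children running as root:\n%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample ps output (NOT captured from a real system) with one
# child that correctly dropped privileges and one that is still root.
SAMPLE_PS='USER     PID  PPID COMMAND
root       1     0 init
root     312     1 httpd
nobody   313   312 httpd
root     314   312 httpd
nobody   315   312 webdist.cgi
root     400     1 inetd'
```

   Run against the constructed sample, privileged_children reports only
   PID 314: PID 312 is the master (parent is init) and PID 313 has already
   switched to nobody.
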
   Numerous resources relating to WWW security are available. The following
   pages may provide a useful starting point. They include links describing
   general WWW security, secure httpd setup, and secure CGI programming.

      The World Wide Web Security FAQ:
         http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html

      NCSA's "Security Concerns on the Web" Page:
         http://hoohoo.ncsa.uiuc.edu/security/

   The following book contains useful information including sections on
   secure programming techniques.

      _Practical Unix & Internet Security_, Simson Garfinkel and
      Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.

   Please note that the CERT/CC and AUSCERT do not endorse the URLs that
   appear above. If you have any problems with these sites, please contact
   the site administrator.


-----------------------------------------------------------------------------
This advisory is a collaborative effort between AUSCERT and the CERT
Coordination Center. This material was also released as AUSCERT advisory
AA-97.14.

We thank Yuri Volobuev for reporting this problem. We also thank Martin
Nicholls (The University of Queensland) and Ian Farquhar for their assistance
in further understanding this problem and its solution.
-----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/).


CERT/CC Contact Information
----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30 a.m.-5:00 p.m. EST (GMT-5) / EDT (GMT-4)
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key
      ftp://info.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
      http://www.cert.org/
      ftp://info.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
      comp.security.announce

   To be added to our mailing list for advisories and bulletins, send
   email to
      cert-advisory-request@cert.org
   In the subject line, type
      SUBSCRIBE  your-email-address

---------------------------------------------------------------------------
* Registered U.S. Patent and Trademark Office.

Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.

The CERT Coordination Center is part of the Software Engineering Institute
(SEI). The SEI is sponsored by the U.S. Department of Defense.
---------------------------------------------------------------------------

This file: ftp://info.cert.org/pub/cert_advisories/CA-97.12.webdist
           http://www.cert.org
               click on "CERT Advisories"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

May 07, 1997  Introduction - Corrected the AUSCERT advisory number.
              Acknowledgments - Corrected the AUSCERT advisory number
                                and removed a company name.




-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM2/KU3VP+x0t4w7BAQGFMwP+Jnkc1P918RhF5HXa1itPn7z/Diz8VRTG
hIugc9pMWsLtX2ibmxfAlZKB1oQyRLu/hDfvwqy83x8aqde3IWkwnIYUEnK8o1Gr
hTrsD/iZ7VZUs59FHqZGy1htBdIy9xTIPVs+8a0gHrZTb0SYiNdhVzwCvr+Hbp5I
M2alMpn2TUE=
=A7Vq
-----END PGP SIGNATURE-----
