AA-97.14 -- SGI IRIX webdist.cgi Vulnerability

Date: 27 August 1997


===========================================================================
AA-97.14                        AUSCERT Advisory
			SGI IRIX webdist.cgi Vulnerability
                                   7 May 1997

Last Revised: --  27 August 1997

		  Changed Section 3 to include vendor patch and bulletin
		  information.

		  A complete revision history is at the end of this file.

---------------------------------------------------------------------------

AUSCERT has received information of a security vulnerability in the
webdist.cgi cgi-bin program, part of the IRIX Mindshare Out Box package,
available with IRIX 5.x and 6.x. By exploiting this vulnerability, both
local and remote users may be able to execute arbitrary commands with the
privileges of the httpd daemon. This may be used to compromise the http
server and under certain configurations gain privileged access.

Vendor patches have been released addressing this vulnerability.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

Note: Development of this advisory was a joint effort of the CERT
      Coordination Center and AUSCERT. This material was also released as
      CERT Advisory CA-97.12.

---------------------------------------------------------------------------

1.  Description

    A security vulnerability has been reported in the webdist.cgi cgi-bin
    program available with IRIX 5.x and 6.x. webdist.cgi is part of the
    IRIX Mindshare Out Box software package, which allows users to install
    software over a network via a World Wide Web interface.

    webdist.cgi allows webdist(1) to be used via an HTML form interface
    defined in the file webdist.html, which is installed in the default
    document root directories for both the Netsite and Out Box servers.

    Due to insufficient checking of the arguments passed to webdist.cgi,
    it may be possible to execute arbitrary commands with the privileges
    of the httpd daemon. This is done via the webdist program.

    When installed, webdist.cgi is accessible by anyone who can connect to
    the httpd daemon. Because of this, the vulnerability may be exploited by
    remote users as well as local users. Even if a site's webserver is
    behind a firewall, it may still be vulnerable.


    Determining if your site is vulnerable
    -------------------------------------- 
    All sites are encouraged to check their systems for the IRIX Mindshare
    Out Box software package, and in particular the Webdist Software
    package which is a subsystem of the Mindshare Out Box software package.
    To determine if this package is installed, use the command:

	# versions outbox.sw.webdist

     I = Installed, R = Removed 

     Name                   Date        Description 

     I outbox               11/06/96    Outbox Environment, 1.2 
     I outbox.sw            11/06/96    Outbox End-User Software, 1.2 
     I outbox.sw.webdist    11/06/96    Web Software Distribution Tools, 1.2


2.  Impact

    Local and remote users may be able to execute arbitrary commands on
    the HTTP server with the privileges of the httpd daemon. This may be
    used to compromise the http server and, under certain configurations,
    gain privileged access.

3.  Workarounds/Solution

    Official vendor patches have been released by Silicon Graphics which
    address this vulnerability (Section 3.3).

    If the patches recommended by Silicon Graphics cannot be applied,
    AUSCERT recommends that sites prevent the exploitation of this
    vulnerability by immediately applying the workaround given in Sections
    3.1 or 3.2.

3.1 Remove execute permissions

    Sites should immediately remove the execute permissions on the
    webdist.cgi program to prevent its exploitation. By default,
    webdist.cgi is found in /var/www/cgi-bin/, but sites should check all
    cgi-bin directories for this program.
 
      # ls -l /var/www/cgi-bin/webdist.cgi
      -rwxr-xr-x  1 root  sys  4438 Nov  6 12:44 /var/www/cgi-bin/webdist.cgi
 
      # chmod 400 /var/www/cgi-bin/webdist.cgi
 
      # ls -l /var/www/cgi-bin/webdist.cgi
      -r--------  1 root  sys  4438 Nov  6 12:44 /var/www/cgi-bin/webdist.cgi


    Note that this will prevent all users from using the webdist program
    from the HTML form interface.
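
    The check in Section 3.1 applied to every cgi-bin tree rather than
    only the default path, as an added example (not part of the AUSCERT
    advisory or of SGI's software). It assumes a POSIX sh and find(1);
    the function names and the directories passed in are illustrative.

```shell
#!/bin/sh
# Added example, not AUSCERT or SGI code. Assumes a POSIX sh and find(1).
# Function names are illustrative; pass your own server and document roots.
#
# Permission bits are tested (any of owner/group/other execute), not
# access rights, so the result is the same for root and ordinary users.

# audit_webdist ROOT...
# Prints "EXECUTABLE <path>" or "DISABLED   <path>" for each copy of
# webdist.cgi found. Returns 1 if any copy still has an execute bit set.
audit_webdist() {
    aw_rc=0
    for aw_root in "$@"; do
        [ -d "$aw_root" ] || continue
        find "$aw_root" -type f -name webdist.cgi \
            ! \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
            sed 's|^|DISABLED   |'
        aw_hits=$(find "$aw_root" -type f -name webdist.cgi \
            \( -perm -100 -o -perm -010 -o -perm -001 \) -print)
        if [ -n "$aw_hits" ]; then
            printf '%s\n' "$aw_hits" | sed 's|^|EXECUTABLE |'
            aw_rc=1
        fi
    done
    return "$aw_rc"
}

# disable_webdist ROOT...
# Applies the Section 3.1 workaround (chmod 400) to every copy that is
# still executable under the given roots.
disable_webdist() {
    for dw_root in "$@"; do
        [ -d "$dw_root" ] || continue
        find "$dw_root" -type f -name webdist.cgi \
            \( -perm -100 -o -perm -010 -o -perm -001 \) \
            -exec chmod 400 {} \;
    done
}

# When run as a script with directory arguments, audit only (no changes).
if [ "$#" -gt 0 ]; then
    audit_webdist "$@"
fi
```

    A non-zero exit status from the audit means at least one copy can
    still be run by httpd and needs the workaround or the vendor patch.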


3.2 Remove outbox.sw.webdist subsystem

    If the Webdist software is not required, we recommend that sites remove
    it completely from their systems. This can be done with the command:

        # versions remove outbox.sw.webdist
 
    Sites can check that the package has been removed with the command:

        # versions outbox.sw.webdist


3.3 Install vendor patches

    Silicon Graphics has released patches which address the vulnerability
    described in this advisory.  AUSCERT recommends that sites apply these
    patches as soon as possible.

    Operating System      Vulnerable?     Patch #        Other Actions
    ~~~~~~~~~~~~~~~~      ~~~~~~~~~~~     ~~~~~~~        ~~~~~~~~~~~~~
    IRIX 3.x              no
    IRIX 4.x              no
    IRIX 5.0.x            no
    IRIX 5.1.x            no
    IRIX 5.2              no
    IRIX 5.3              yes             2315
    IRIX 6.0.x            yes             not avail      Note 1
    IRIX 6.1              yes             not avail      Note 1
    IRIX 6.2              yes             2314
    IRIX 6.3              yes             2338
    IRIX 6.4              yes             2338

    Notes:

	1) upgrade the operating system or apply the workaround given in
	   Section 3.1 or 3.2.

    These patches can be retrieved from:

	http://www.sgi.com/Support/Secur/security.html

    Silicon Graphics has also released a security bulletin containing
    information on the above patches. The original release of this bulletin
    can be retrieved from:

	ftp://sgigate.sgi.com/security/19970501-02-PX


4.  Additional Measures

    Sites should consider taking this opportunity to examine their entire
    httpd configuration. In particular, all CGI programs that are not
    required should be removed, and all those remaining should be examined
    for possible security vulnerabilities.

    It is also important to ensure that all child processes of httpd are
    running as a non-privileged user. This is often a configurable option.
    See the documentation for your httpd distribution for more details.

    Numerous resources relating to WWW security are available. The
    following pages may provide a useful starting point. They include
    links describing general WWW security, secure httpd setup, and secure
    CGI programming.
 
        The World Wide Web Security FAQ:

            http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
 
        NCSA's "Security Concerns on the Web" Page:
            http://hoohoo.ncsa.uiuc.edu/security/
 
    The following book contains useful information including sections on
    secure programming techniques.
 
        _Practical Unix & Internet Security_, Simson Garfinkel and
        Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.

    Please note that the CERT/CC and AUSCERT do not endorse the URLs that
    appear above. If you have any problems with these sites, please contact
    the site administrator.


-----------------------------------------------------------------------------
This advisory is a collaborative effort between AUSCERT and the CERT
Coordination Center. This material was also released as CERT Advisory
CA-97.12.

We thank Yuri Volobuev for reporting this problem. We also thank Martin
Nicholls (The University of Queensland) and Ian Farquhar for their
assistance in further understanding this problem and its solution.
-----------------------------------------------------------------------------


The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
Prentice Centre
Brisbane
Qld.  4072.
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

27 Aug, 1997     Silicon Graphics released a security bulletin
                 addressing the vulnerability described in this advisory.
		 Section 3 has been modified to include vendor patch
		 information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
