RE: Format strings vuln in CGIwrap

• Previous message: b0f www.b0f.net: "Format strings vuln in CGIwrap"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This is not a security problem. This is a case of using an automated
tool to find these vulnerabilites and not attempting to understand the
code itself. 

Nowhere in the code is MSG_Error_General() passed anything other than a
static compiled-into-the-executable string. It's purely a utility
function to wrap common error text/footer/etc. around a generic string.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneulat_private
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216


> -----Original Message-----
> From: security-bounces+nneul=umr.eduat_private 
> [mailto:security-bounces+nneul=umr.eduat_private] On 
> Behalf Of b0f www.b0f.net
> Sent: Wednesday, April 23, 2003 11:06 AM
> To: bugtraqat_private
> Subject: Format strings vuln in CGIwrap
> 
> 
> 
> 
> A locally and possibly remotely exploitable format
> strings bug exists 
> in cgiwrap available from  
> http://cgiwrap.sourceforge.net/
> http://sourceforge.net/projects/cgiwrap
> http://www.freebsd.org/ports/security.html 
> 
> I. BACKGROUND
> 
> This is CGIWrap - a gateway that allows more secure
> user access to
> CGI programs on an HTTPd server than is provided by the
> http server
> itself. The primary function of CGIWrap is to make
> certain that
> any CGI script runs with the permissions of the user
> who installed
> it, and not those of the server.
> 
> CGIWrap works with NCSA httpd, Apache, CERN httpd,
> NetSite Commerce
> and Communications servers, and probably any other Unix
> based web
> server software that supports CGI.
> 
> II. DESCRIPTION
> 
> On line 91 of msgs.c the printf() function is used
> incorrectly. Which 
> results
> in a format strings vulnerability.
> <snip>
> void MSG_Error_General(char *message)
> {
>         MSG_Header("CGIWrap Error", message);
>         printf(message); 
>         MSG_Footer();
>         exit(1);
> }
> </snip>
> 
> The binaries in cgiwrap, (cgiwrap and nph-cgiwrap) are
> installed setuid 
> root.
> Thus could make this format problem exploitable locally
> to gain root 
> privs or
> possably remotely to gain root or the privs of the user
> who owns the cgi 
> script.
> 
> III. ANALYSIS
> An attacker could exploit this issue to escalate privs
> locally or 
> remotely on
> a server running cgiwrap.
> 
> IV. DETECTION
> 
> This is vulnerable in the latest version of cgiwrap
> version 3.7.1 and 
> properly
> older versions(not checked). It would be exploitable on
> any Linux/Unix 
> based OS
> running cgiwrap 
> 
> V. VENDOR
> The vendor has not been contacted about this issue.
> 
> Regards
> b0f  (Alan M)
> www.b0f.net
> _______________________________________________
> UMR Security List Exploder
> securityat_private
> https://lists.umr.edu/mailman/listinfo/security
> 

• Next message: Martin Schulze: "[SECURITY] [DSA 294-1] New gkrellm-newsticker packages fix DoS and arbitrary command execution"
• Previous message: b0f www.b0f.net: "Format strings vuln in CGIwrap"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Apr 23 2003 - 10:06:30 PDT