RE: [cgiwrap-users] RE: Format strings vuln in CGIwrap

From: Neulinger, Nathan (nneulat_private)
Date: Wed Apr 23 2003 - 10:04:43 PDT


    In any case, I've changed this in cvs so as to avoid setting off any
    future false-alarms. 
    
    ------------------------------------------------------------
    Nathan Neulinger                       EMail:  nneulat_private
    University of Missouri - Rolla         Phone: (573) 341-4841
    Computing Services                       Fax: (573) 341-4216
    
    
    > -----Original Message-----
    > From: Neulinger, Nathan 
    > Sent: Wednesday, April 23, 2003 11:59 AM
    > To: b0f www.b0f.net; bugtraqat_private
    > Cc: cgiwrap-usersat_private
    > Subject: [cgiwrap-users] RE: Format strings vuln in CGIwrap
    > 
    > 
    > This is not a security problem. This is a case of using an automated
    > tool to find these vulnerabilities and not attempting to understand the
    > code itself. 
    > 
    > Nowhere in the code is MSG_Error_General() passed anything other than a
    > static compiled-into-the-executable string. It's purely a utility
    > function to wrap common error text/footer/etc. around a generic string.
    > 
    > -- Nathan
    > 
    > ------------------------------------------------------------
    > Nathan Neulinger                       EMail:  nneulat_private
    > University of Missouri - Rolla         Phone: (573) 341-4841
    > Computing Services                       Fax: (573) 341-4216
    > 
    > 
    > > -----Original Message-----
    > > From: security-bounces+nneul=umr.eduat_private 
    > > [mailto:security-bounces+nneul=umr.eduat_private] On 
    > > Behalf Of b0f www.b0f.net
    > > Sent: Wednesday, April 23, 2003 11:06 AM
    > > To: bugtraqat_private
    > > Subject: Format strings vuln in CGIwrap
    > > 
    > > 
    > > 
    > > 
    > > A locally and possibly remotely exploitable format strings bug exists
    > > in cgiwrap available from
    > > http://cgiwrap.sourceforge.net/
    > > http://sourceforge.net/projects/cgiwrap
    > > http://www.freebsd.org/ports/security.html 
    > > 
    > > I. BACKGROUND
    > > 
    > > This is CGIWrap - a gateway that allows more secure user access to
    > > CGI programs on an HTTPd server than is provided by the http server
    > > itself. The primary function of CGIWrap is to make certain that
    > > any CGI script runs with the permissions of the user who installed
    > > it, and not those of the server.
    > > 
    > > CGIWrap works with NCSA httpd, Apache, CERN httpd, NetSite Commerce
    > > and Communications servers, and probably any other Unix based web
    > > server software that supports CGI.
    > > 
    > > II. DESCRIPTION
    > > 
    > > On line 91 of msgs.c the printf() function is used incorrectly, which
    > > results in a format strings vulnerability.
    > > <snip>
    > > void MSG_Error_General(char *message)
    > > {
    > >         MSG_Header("CGIWrap Error", message);
    > >         printf(message); 
    > >         MSG_Footer();
    > >         exit(1);
    > > }
    > > </snip>
    > > 
    > > The binaries in cgiwrap, (cgiwrap and nph-cgiwrap) are installed setuid root.
    > > Thus could make this format problem exploitable locally to gain root privs or
    > > possibly remotely to gain root or the privs of the user who owns the cgi script.
    > > 
    > > III. ANALYSIS
    > > An attacker could exploit this issue to escalate privs locally or remotely on
    > > a server running cgiwrap.
    > > 
    > > IV. DETECTION
    > > 
    > > This is vulnerable in the latest version of cgiwrap version 3.7.1 and properly
    > > older versions(not checked). It would be exploitable on any Linux/Unix based OS
    > > running cgiwrap 
    > > 
    > > V. VENDOR
    > > The vendor has not been contacted about this issue.
    > > 
    > > Regards
    > > b0f  (Alan M)
    > > www.b0f.net
    > 
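
Added example, not part of the original thread and not CGIwrap's code: the call pattern the report flags, next to a fixed-format form, both rendering into a buffer so the difference can be checked. The function names, the `has_conversion` audit helper and the sample string are constructed for illustration; the thread does not show how the CVS change was made.

```c
#include <stdio.h>
#include <string.h>

/* Pattern flagged in the report: the caller's string IS the format string.
 * Compilers report this via -Wformat-security / -Wformat-nonliteral,
 * silenced here because the pattern is shown on purpose. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int render_as_format(char *out, size_t n, const char *message)
{
    return snprintf(out, n, message);
}
#pragma GCC diagnostic pop

/* Fixed-format form: the message is passed as data and never parsed. */
static int render_as_data(char *out, size_t n, const char *message)
{
    return snprintf(out, n, "%s", message);
}

/* Hypothetical audit helper: returns 1 if the string contains a '%'
 * that is not the literal escape "%%", i.e. a conversion that would
 * consume an argument if the string were used as a format. */
static int has_conversion(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *msg = "quota 100%% used";   /* constructed sample */
    char a[64], b[64];

    render_as_format(a, sizeof a, msg);  /* "%%" is interpreted  */
    render_as_data(b, sizeof b, msg);    /* "%%" is kept as-is   */
    printf("as format: %s\nas data:   %s\n", a, b);
    printf("needs arguments if used as format: %d\n", has_conversion(msg));
    return 0;
}
```

With the fixed-format form the safety of the wrapper no longer depends on every call site passing a compiled-in string, which is the property the reply relies on.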
    



    This archive was generated by hypermail 2b30 : Wed Apr 23 2003 - 12:10:18 PDT