[ SOURCE: http://www.secureroot.com/security/advisories/9640308338.html ] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= CERT* Advisory CA-97.12 Original issue date: May 6, 1997 Last Revised: September 26, 1997 Updated copyright statement A complete revision history is at the end of this file. Topic: Vulnerability in webdist.cgi - ----------------------------------------------------------------------------- The CERT Coordination Center has received reports of a security vulnerability in the webdist.cgi cgi-bin program, part of the IRIX Mindshare Out Box package, available with IRIX 5.x and 6.x. By exploiting this vulnerability, both local and remote users may be able to execute arbitrary commands with the privileges of the httpd daemon. This may be used to compromise the http server and under certain configurations gain privileged access. Vendor patches are now available from Silicon Graphics Inc. We encourage you to apply patches as soon as possible. For more information, refer to the Silicon Graphics Inc. Security Advisory Number 19970501-02-PX. The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its mirror, ftp.sgi.com. Security information and patches can be found in the ~ftp/security and ~ftp/patches directories, respectively. We will update this advisory as we receive additional information. Please check our advisory files regularly for updates that relate to your site. Note: Development of this advisory was a joint effort of the CERT Coordination Center and AUSCERT. This material was also released as AUSCERT advisory AA-97.14. - ----------------------------------------------------------------------------- I. Description A security vulnerability has been reported in the webdist.cgi cgi-bin program available with IRIX 5.x and 6.x. webdist.cgi is part of the IRIX Mindshare Out Box software package, which allows users to install software over a network via a World Wide Web interface. webdist.cgi allows webdist(1) to be used via an HTML form interface defined in the file webdist.html, which is installed in the default document root directories for both the Netsite and Out Box servers. Due to insufficient checking of the arguments passed to webdist.cgi, it may be possible to execute arbitrary commands with the privileges of the httpd daemon. This is done via the webdist program. When installed, webdist.cgi is accessible by anyone who can connect to the httpd daemon. Because of this, the vulnerability may be exploited by remote users as well as local users. Even if a site's webserver is behind a firewall, it may still be vulnerable. Determining if your site is vulnerable -------------------------------------- All sites are encouraged to check their systems for the IRIX Mindshare Out Box software package, and in particular the Webdist Software package which is a subsystem of the Mindshare Out Box software package. To determine if this package is installed, use the command: # versions outbox.sw.webdist I = Installed, R = Removed Name Date Description I outbox 11/06/96 Outbox Environment, 1.2 I outbox.sw 11/06/96 Outbox End-User Software, 1.2 I outbox.sw.webdist 11/06/96 Web Software Distribution Tools, 1.2 II. Impact Local and remote users may be able to execute arbitrary commands on the HTTP server with the privileges of the httpd daemon. This may be used to compromise the http server and under certain configurations gain privileged access. III. Solution Vendor patches are available from Silicon Graphics Inc. We encourage you to apply patches as soon as possible. For more information, refer to the Silicon Graphics Inc. Security Advisory Number 19970501-02-PX, which is available from the SGI anonymous FTP site ftp://sgigate.sgi.com or its mirror, ftp://ftp.sgi.com Security information and patches can be found in the ~ftp/security and ~ftp/patches directories, respectively. You can also prevent the exploitation of this vulnerability by applying the workaround given in Section III.A or removing the package from your systems (Section III.B). A. Remove execute permissions Sites should immediately remove the execute permissions on the webdist.cgi program to prevent its exploitation. By default, webdist.cgi is found in /var/www/cgi-bin/, but sites should check all cgi-bin directories for this program. # ls -l /var/www/cgi-bin/webdist.cgi -rwxr-xr-x 1 root sys 4438 Nov 6 12:44 /var/www/cgi-bin/webdist.cgi # chmod 400 /var/www/cgi-bin/webdist.cgi # ls -l /var/www/cgi-bin/webdist.cgi -r-------- 1 root sys 4438 Nov 6 12:44 /var/www/cgi-bin/webdist.cgi Note that this will prevent all users from using the webdist program from the HTML form interface. B. Remove outbox.sw.webdist subsystem If the Webdist software is not required, we recommend that sites remove it completely from their systems. This can be done with the command: # versions remove outbox.sw.webdist Sites can check that the package has been removed with the command: # versions outbox.sw.webdist IV. Additional Measures Sites should consider taking this opportunity to examine their entire httpd configuration. In particular, all CGI programs that are not required should be removed, and all those remaining should be examined for possible security vulnerabilities. It is also important to ensure that all child processes of httpd are running as a non-privileged user. This is often a configurable option. See the documentation for your httpd distribution for more details. Numerous resources relating to WWW security are available. The following pages may provide a useful starting point. They include links describing general WWW security, secure httpd setup, and secure CGI programming. The World Wide Web Security FAQ: http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html NSCA's "Security Concerns on the Web" Page: http://hoohoo.ncsa.uiuc.edu/security/ The following book contains useful information including sections on secure programming techniques. _Practical Unix & Internet Security_, Simson Garfinkel and Gene Spafford, 2nd edition, O'Reilly and Associates, 1996. Please note that the CERT/CC and AUSCERT do not endorse the URLs that appear above. If you have any problems with these sites, please contact the site administrator. - ----------------------------------------------------------------------------- This advisory is a collaborative effort between AUSCERT and the CERT Coordination Center. This material was also released as AUSCERT advisory AA-97.14. We thank Yuri Volobuev for reporting this problem. We also thank Martin Nicholls (The University of Queensland) and Ian Farquhar for their assistance in further understanding this problem and its solution. - ----------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (see http://www.first.org/team-info/) CERT/CC Contact Information - ---------------------------- Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4) and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA Using encryption We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key Getting security information CERT publications and other security information are available from http://www.cert.org/ ftp://info.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org In the subject line, type SUBSCRIBE your-email-address - ------------------------------------------------------------------------------ Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff . If you do not have FTP or web access, send mail to cert@cert.org with "copyright" in the subject line. CERT is registered in the U.S. Patent and Trademark Office. - --------------------------------------------------------------------------- This file: ftp://info.cert.org/pub/cert_advisories/CA-97.12.webdist http://www.cert.org click on "CERT Advisories" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision history Seo. 26, 1997 Updated copyright statement May 07, 1997 Introduction - Corrected the AUSCERT advisory number. Acknowledgments - Corrected the AUSCERT advisory number and removed a company name. August 27, 1997 Introduction and Solution - Added patch information. -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBOBS/oVr9kb5qlZHQEQJH6gCcCHGzQgnNfYSjicm+/FyPYgl9QDUAnRw7 kPCHmlN28VHzXM9T30jQT8QI =Xc4H -----END PGP SIGNATURE-----