Title: Buffer Overrun Vulnerability in Count.cgi cgi-bin Program
Released by: CERT
Date: 5th November 1997

=============================================================================
CERT* Advisory CA-97.24
Original issue date: Nov. 05, 1997
Last revised: November 14, 1997
              UPDATES - Corrected a URL.

              A complete revision history is at the end of this file.

Topic:  Buffer Overrun Vulnerability in Count.cgi cgi-bin Program
-----------------------------------------------------------------------------

   The text of this advisory was originally released on October 31, 1997, as
   AA-97.27, developed by the Australian Computer Emergency Response Team. To
   more widely broadcast this information, we are reprinting the AUSCERT
   advisory here with their permission. Only the contact information at the
   end has changed: AUSCERT contact information has been replaced with CERT/CC
   contact information.

   We will update this advisory as we receive additional information.
   Look for it in an "Updates" section at the end of the advisory.

=============================================================================



The Australian Computer Emergency Response Team (AUSCERT) has received
information that a buffer overrun vulnerability exists in the Count.cgi
cgi-bin program.

A new version of Count.cgi has been released addressing this vulnerability.

AUSCERT recommends that sites that have the Count.cgi cgi-bin program
installed take the steps outlined in Section 3 as soon as possible.

---------------------------------------------------------------------------



1.  Description

    AUSCERT has received information that a vulnerability exists in the
    Count.cgi cgi-bin program.  The Count.cgi cgi-bin program is used to
    record and display the number of times a WWW page has been accessed.

    Due to insufficient bounds checking on arguments which are supplied
    by users, it is possible to overwrite the internal stack space of the
    Count.cgi program while it is executing.  By supplying a carefully
    designed argument to the Count.cgi program, intruders may be able to
    force Count.cgi to execute arbitrary commands with the privileges of
    the httpd process.

    The Count.cgi program is extremely widely used.  Sites are encouraged
    to check for its existence and its possible exploitation.

    To check whether exploitation of this vulnerability has been attempted
    at your site, search for accesses to the Count.cgi program in your
    access logs.  An example of how to do this is:

        # grep -i 'Count.cgi' {WWW_HOME}/logs/access_log

    where {WWW_HOME} is the base directory for your web server.

    If this command returns anything, further investigation is necessary.
    Specifically, look for accesses to Count.cgi that contain long strings
    of nonsensical characters.
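
    The log check above, carried one step further as an added example that is
    not part of the advisory: it parses Common Log Format lines, keeps the
    Count.cgi requests (the same case-insensitive match as the grep), decodes
    each URL argument and flags those that are unusually long or mostly
    non-printable, which is what "long strings of nonsensical characters" look
    like in a log.  The sample log lines, the 255-byte length threshold and the
    non-printable ratio are constructed assumptions, not values from the advisory.

```python
import re
from urllib.parse import unquote_to_bytes

# Common Log Format: client ident user [timestamp] "method target protocol" status size
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
MAX_ARG_LEN = 255            # assumed threshold: legitimate counter arguments are short
MAX_BINARY_FRACTION = 0.25   # assumed threshold: share of non-printable bytes after decoding

# Constructed sample access_log lines (not taken from any real server).
LONG_ARG = 'A' * 600          # a "long string of nonsensical characters"
BINARY_ARG = '%FF%FE' * 30    # URL-encoded high bytes, equally nonsensical as counter input
SAMPLE_LOG = '\n'.join([
    '10.0.0.5 - - [05/Nov/1997:10:12:01 -0500] "GET /index.html HTTP/1.0" 200 2048',
    '10.0.0.5 - - [05/Nov/1997:10:12:02 -0500] "GET /cgi-bin/Count.cgi?df=sample.dat&dd=A HTTP/1.0" 200 512',
    '192.0.2.77 - - [05/Nov/1997:23:41:17 -0500] "GET /cgi-bin/Count.cgi?user=' + LONG_ARG + ' HTTP/1.0" 500 0',
    '192.0.2.78 - - [05/Nov/1997:23:42:03 -0500] "GET /cgi-bin/count.cgi?df=' + BINARY_ARG + ' HTTP/1.0" 500 0',
])

def suspicious_count_cgi_hits(log_text):
    """Return (client, timestamp, reason) for each Count.cgi request whose
    decoded arguments are unusually long or mostly non-printable."""
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        # Same selection as `grep -i 'Count.cgi'`, but applied to the request target only.
        if not m or 'count.cgi' not in m['target'].lower():
            continue
        query = m['target'].partition('?')[2]
        for pair in filter(None, query.split('&')):
            name, _, value = pair.partition('=')
            raw = unquote_to_bytes(value or name)   # decode %xx escapes to raw bytes
            if not raw:
                continue
            binary = sum(1 for b in raw if b < 0x20 or b > 0x7e)
            if len(raw) > MAX_ARG_LEN:
                reason = f'argument of {len(raw)} bytes'
            elif binary / len(raw) > MAX_BINARY_FRACTION:
                reason = f'{binary}/{len(raw)} non-printable bytes'
            else:
                continue
            findings.append((m['client'], m['ts'], reason))
            break                                   # one finding per request is enough
    return findings

if __name__ == '__main__':
    for client, ts, reason in suspicious_count_cgi_hits(SAMPLE_LOG):
        print(f'{ts} {client}: {reason}')
```

    Feed it the real file with `suspicious_count_cgi_hits(open(path).read())`; each
    finding names the client and timestamp to look up in the full log.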



    If sites find any evidence showing that they have been probed using
    this vulnerability, they are encouraged to report the incident to
    AUSCERT or their local incident response team.  Reports of all attacks
    help AUSCERT gain a better overview of intruder activity within the
    constituency.



2.  Impact

    A remote user may be able to execute arbitrary commands with the privileges
    of the httpd process which answers HTTP requests.  This may be used
    to compromise the http server and under certain configurations gain
    privileged access.



3.  Workarounds/Solution

    AUSCERT recommends that sites upgrade to the current version of
    Count.cgi (Section 3.1).  For sites that cannot immediately install
    the current version of Count.cgi, it is recommended that the workaround
    described in Section 3.2 be applied.

3.1 Upgrade to the current Count.cgi version

    The author of Count.cgi has recently released version 2.4 which
    addresses the vulnerability described in this advisory.  AUSCERT
    recommends that sites upgrade to the latest version as soon as possible.
    The current version is available from:

        http://www.fccc.edu/users/muquit/Count.html

3.2 Remove execute permissions

    To prevent the exploitation of the vulnerability described in this
    advisory, AUSCERT recommends that the execute permissions be removed
    from Count.cgi immediately.  Note that this will have the side effect
    of preventing the page hit counter from being incremented and displayed
    on web pages using Count.cgi.  The remainder of such web pages should
    still display.



4.  Additional measures

    It is important to note that attacks similar to this may succeed
    against any CGI program which has not been written with due consideration
    for security.  Sites using HTTP servers, and in particular CGI
    applications, are encouraged to develop an understanding of the security
    issues involved.

    Sites should consider taking this opportunity to examine their httpd
    configuration and web servers.  In particular, all CGI programs that
    are not required should be removed, and all those remaining should be
    examined for possible security vulnerabilities.

    It is also important to ensure that all child processes of httpd are
    running as a non-privileged user.  This is often a configurable option.
    See the documentation for your httpd distribution for more details.

    Numerous resources relating to WWW security are available.  The following
    pages may provide a useful starting point.  They include links describing
    general WWW security, secure httpd setup and secure CGI programming.

        The World Wide Web Security FAQ:
                http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html

        NCSA's "Security Concerns on the Web" Page:
                http://hoohoo.ncsa.uiuc.edu/security/

    The following books contain useful information including sections on
    secure programming techniques.

        "Web Security Sourcebook", Aviel Rubin, Daniel Geer and Marcus Ranum,
        John Wiley & Sons, Inc., 1997.

        "Practical Unix & Internet Security", Simson Garfinkel and
        Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.

    Please note that the URLs and books referenced in this advisory are
    not under AUSCERT's control and therefore AUSCERT cannot be responsible
    for their availability or content.

---------------------------------------------------------------------------
AUSCERT thanks Muhammad Muquit for his assistance in the preparation of
this advisory.
---------------------------------------------------------------------------



If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/)

CERT/CC Contact Information
----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key
         http://info.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        http://info.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

   To be added to our mailing list for advisories and bulletins, send
   email to
        cert-advisory-request@cert.org
   In the subject line, type
        SUBSCRIBE  your-email-address

---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.
---------------------------------------------------------------------------

This file: http://info.cert.org/pub/cert_advisories/CA-97.24.Count_cgi
           http://www.cert.org
               click on "CERT Advisories"

========================================================================
UPDATES

November 14, 1997
-----------------

CERT/CC received word that the URL for NCSA's "Security Concerns on
the Web" in the AUSCERT advisory was not correct and should be changed
to the following URL:

        http://hoohoo.ncsa.uiuc.edu/security-1.0/

Our thanks to Zachary Uram at Carnegie Mellon University for bringing
this to our attention.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Nov. 14, 1997 - UPDATES: Corrected a URL.


