-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |    /_\   /
                          \___  __|__ /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                          Vulnerability in webdist.cgi

May 6, 1997 22:00 GMT                                              Number H-53
______________________________________________________________________________
PROBLEM:       A vulnerability exists in the webdist.cgi cgi-bin program.
PLATFORM:      IRIX 5.x and 6.x running the Mindshare Out Box package.
DAMAGE:        Both local and remote users may be able to execute arbitrary
               commands with the privileges of the httpd daemon.
SOLUTION:      Until patches are available, take the steps outlined in
               Section III as soon as possible.  If the package is not
               required, it is recommended that sites remove it from their
               systems.
______________________________________________________________________________
VULNERABILITY  Exploit details involving this vulnerability have been made
ASSESSMENT:    publicly available.
______________________________________________________________________________

[****** Start AUSCERT Advisory ******]

===========================================================================
AA-97.14                        AUSCERT Advisory
                      SGI IRIX webdist.cgi Vulnerability
                                 7 May 1997

Last Revised: --

- - ----------------------------------------------------------------------------

AUSCERT has received information of a security vulnerability in the
webdist.cgi cgi-bin program, part of the IRIX Mindshare Out Box package,
available with IRIX 5.x and 6.x.

By exploiting this vulnerability, both local and remote users may be able
to execute arbitrary commands with the privileges of the httpd daemon.
This may be used to compromise the http server and under certain
configurations gain privileged access.

Currently there are no official vendor patches available which address the
vulnerability described in this advisory.
We recommend that sites prevent the exploitation of this vulnerability by
immediately applying the workaround given in Section 3.1.  If the package is
not required, we recommend that sites remove it from their systems.  When
official vendor patches are made available, they should be applied as soon
as possible.

We will update this advisory as we receive additional information.  Please
check our advisory files regularly for updates that relate to your site.

Note: Development of this advisory was a joint effort of the CERT
      Coordination Center and AUSCERT.  This material was also released as
      CERT Advisory CA-97.12.

- - ---------------------------------------------------------------------------

1.  Description

    A security vulnerability has been reported in the webdist.cgi cgi-bin
    program available with IRIX 5.x and 6.x.  webdist.cgi is part of the IRIX
    Mindshare Out Box software package, which allows users to install software
    over a network via a World Wide Web interface.

    webdist.cgi allows webdist(1) to be used via an HTML form interface
    defined in the file webdist.html, which is installed in the default
    document root directories for both the Netsite and Out Box servers.

    Due to insufficient checking of the arguments passed to webdist.cgi, it
    may be possible to execute arbitrary commands with the privileges of the
    httpd daemon.  This is done via the webdist program.

    When installed, webdist.cgi is accessible by anyone who can connect to
    the httpd daemon.  Because of this, the vulnerability may be exploited by
    remote users as well as local users.  Even if a site's webserver is
    behind a firewall, it may still be vulnerable.

    Determining if your site is vulnerable
    --------------------------------------

    All sites are encouraged to check their systems for the IRIX Mindshare
    Out Box software package, and in particular the Webdist Software package,
    which is a subsystem of the Mindshare Out Box software package.
    To determine if this package is installed, use the command:

        # versions outbox.sw.webdist
        I = Installed, R = Removed

           Name                 Date      Description

        I  outbox               11/06/96  Outbox Environment, 1.2
        I  outbox.sw            11/06/96  Outbox End-User Software, 1.2
        I  outbox.sw.webdist    11/06/96  Web Software Distribution Tools, 1.2

2.  Impact

    Local and remote users may be able to execute arbitrary commands on the
    HTTP server with the privileges of the httpd daemon.  This may be used to
    compromise the http server and, under certain configurations, gain
    privileged access.

3.  Workarounds/Solution

    Silicon Graphics Inc. has informed AUSCERT that they are aware of the
    vulnerability described in this advisory and are currently investigating
    the problem.  There are no official vendor patches available at this time
    which address this vulnerability.

    We recommend that sites prevent the exploitation of this vulnerability by
    immediately applying the workaround given in Section 3.1, or removing the
    package from their systems (Section 3.2).  When vendor patches are made
    available, we recommend that sites apply them as soon as possible.

    3.1 Remove execute permissions

        Sites should immediately remove the execute permissions on the
        webdist.cgi program to prevent its exploitation.  By default,
        webdist.cgi is found in /var/www/cgi-bin/, but sites should check all
        cgi-bin directories for this program.

            # ls -l /var/www/cgi-bin/webdist.cgi
            -rwxr-xr-x    1 root     sys         4438 Nov  6 12:44 /var/www/cgi-bin/webdist.cgi
            # chmod 400 /var/www/cgi-bin/webdist.cgi
            # ls -l /var/www/cgi-bin/webdist.cgi
            -r--------    1 root     sys         4438 Nov  6 12:44 /var/www/cgi-bin/webdist.cgi

        Note that this will prevent all users from using the webdist program
        from the HTML form interface.

    3.2 Remove outbox.sw.webdist subsystem

        If the Webdist software is not required, we recommend that sites
        remove it completely from their systems.
        This can be done with the command:

            # versions remove outbox.sw.webdist

        Sites can check that the package has been removed with the command:

            # versions outbox.sw.webdist

4.  Additional Measures

    Sites should consider taking this opportunity to examine their entire
    httpd configuration.  In particular, all CGI programs that are not
    required should be removed, and all those remaining should be examined
    for possible security vulnerabilities.

    It is also important to ensure that all child processes of httpd are
    running as a non-privileged user.  This is often a configurable option.
    See the documentation for your httpd distribution for more details.

    Numerous resources relating to WWW security are available.  The following
    pages may provide a useful starting point.  They include links describing
    general WWW security, secure httpd setup, and secure CGI programming.

        The World Wide Web Security FAQ:
            http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html

        NCSA's "Security Concerns on the Web" Page:
            http://hoohoo.ncsa.uiuc.edu/security/

    The following book contains useful information including sections on
    secure programming techniques.

        _Practical Unix & Internet Security_, Simson Garfinkel and Gene
        Spafford, 2nd edition, O'Reilly and Associates, 1996.

    Please note that the CERT/CC and AUSCERT do not endorse the URLs that
    appear above.  If you have any problems with these sites, please contact
    the site administrator.

- ------------------------------------------------------------------------------

This advisory is a collaborative effort between AUSCERT and the CERT
Coordination Center.  This material was also released as CERT Advisory
CA-97.12.

[****** End AUSCERT Advisory ******]

______________________________________________________________________________

CIAC wishes to acknowledge the contributions of AUSCERT, CERT, Yuri Volobuev,
Martin Nicholls (The University of Queensland) & Ian Farquhar of Silicon
Graphics, Inc. for the information contained in this bulletin.
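The manual checks from Sections 3.1 and 4 of the advisory, collected into one
script as an added example; this is not code from the advisory, from CIAC or
AUSCERT, or from IRIX. It inventories the executable CGI programs under the
given cgi-bin directories, tests whether an executable webdist.cgi is still
present, applies the chmod 400 workaround, and flags httpd processes running
as root. The function names are this example's own; it assumes a POSIX shell
with find(1), awk(1) and ps(1), and takes the cgi-bin directories to check as
arguments (the advisory's default location is /var/www/cgi-bin). The IRIX
`versions remove` step of Section 3.2 is deliberately left to the operator.

```shell
#!/bin/sh
# audit_cgi.sh - added example, not part of the CIAC/AUSCERT advisory or of
# IRIX.  Turns the advisory's manual checks (Sections 3.1 and 4) into
# reusable functions.  Assumes POSIX sh, find(1), awk(1) and ps(1).

# list_executable_cgis DIR... : print every regular file under the given
# cgi-bin directories that has any execute bit set (Section 4: inventory
# the CGI programs that are actually reachable through httpd).
list_executable_cgis() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \)
    done
}

# webdist_exposed DIR... : succeed (exit 0) if an executable webdist.cgi is
# present under any DIR, i.e. the Section 3.1 workaround is not in place.
webdist_exposed() {
    list_executable_cgis "$@" | grep -q '/webdist\.cgi$'
}

# disable_webdist DIR... : apply the Section 3.1 workaround (chmod 400) to
# every webdist.cgi found and print each path that was changed.  Must run
# as the file owner (root in the advisory's listing); files that could not
# be changed are not printed.
disable_webdist() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name webdist.cgi -exec chmod 400 {} \; -print
    done
}

# httpd_children_as_root : succeed if any process whose command name
# contains "httpd" runs as root (Section 4: child processes of httpd should
# run as a non-privileged user).  Most httpd servers keep one root parent
# that binds port 80, so inspect the listed PIDs rather than treating a
# single hit as a misconfiguration.
httpd_children_as_root() {
    ps -eo user=,pid=,comm= | awk '$1 == "root" && $3 ~ /httpd/' | grep -q .
}

# main DIR... : human-readable report over the given cgi-bin directories.
main() {
    echo "Executable CGI programs:"
    list_executable_cgis "$@" | sed 's/^/    /'
    if webdist_exposed "$@"; then
        echo "webdist.cgi is executable: apply chmod 400 (Section 3.1) or"
        echo "remove outbox.sw.webdist with 'versions remove' (Section 3.2)."
    else
        echo "No executable webdist.cgi found."
    fi
    if httpd_children_as_root; then
        echo "httpd processes running as root (only the parent should):"
        ps -eo user=,pid=,comm= | awk '$1 == "root" && $3 ~ /httpd/' | sed 's/^/    /'
    fi
}

# Only produce the report when invoked with directories, so the file can
# also be sourced (". ./audit_cgi.sh") for its functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh audit_cgi.sw /var/www/cgi-bin` (and any other cgi-bin
directories the server is configured with) under the account that owns the
CGI files; `disable_webdist` is kept separate from the report so that
remediation is an explicit call rather than a side effect of auditing.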
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy (DOE)
and the emergency backup response team for the National Institutes of
Health (NIH).  CIAC is located at the Lawrence Livermore National
Laboratory in Livermore, California.  CIAC is also a founding member of
FIRST, the Forum of Incident Response and Security Teams, a global
organization established to foster cooperation and coordination among
computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.  CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and
the NIH may contact CIAC 24 hours a day.  During off hours (5PM - 8AM
PST), call the CIAC voice number 510-422-8193 and leave a message, or
call 800-759-7243 (800-SKY-PAGE) to send a Sky Page.  CIAC has two Sky
Page PIN numbers: the primary PIN number, 8550070, is for the CIAC duty
person, and the secondary PIN number, 8550074, is for the CIAC Project
Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use
   of SPI products.
Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines.  To
subscribe (add yourself) to one of our mailing lists, send the following
request as the E-mail message body, substituting ciac-bulletin,
ciac-notes, spi-announce OR spi-notes for list-name:

E-mail to        ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-notes

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in
question.

If you include the word 'help' in the body of an email to the above
address, it will also send back an information file on how to
subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Your agency's team will coordinate with CIAC.  The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization.  A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency
of the United States Government.  Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or
favoring by the United States Government or the University of
California.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or
the University of California, and shall not be used for advertising or
product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

H-45: Windows NT SAM permission Vulnerability
H-46: Vulnerability in IMAP and POP
H-47A: AOL4FREE.COM Trojan Horse Program Destroys Hard Drives
H-48: Internet Information Server Vulnerability
H-49: NLS Buffer Overflow Vulnerability
H-22a: talkd Buffer Overrun Vulnerability
H-29a: HP-UX sendmail Patches Vulnerability
H-50: HP-UX SYN Flood and libXt patches
H-51: Vulnerability in libXt
H-52: IRIX csetup Program Vulnerability

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBM3d+S7nzJzdsy3QZAQHGoAQA/Fm/IHuyE+cRV9HYXgG4MosyG7MXVCIg
Bt6U+9zx17OROcjPGAIWW3f9bHF/aQhZHMiSdAI69LIBUdEKnllL3OYyOP/fmx1e
KpelPF16vZlDSlKayeFSaT3ZtzWK18AjqsOEbdNdzU+T+Ep5TQpeU7O6DIwcWKWF
JZm9bnTagwM=
=1eIR
-----END PGP SIGNATURE-----