
View Full Version: Multiple cgihtml vulnerabilities



Chris Leishman
22/01/03, 01:21

Overview
--------

cgihtml is a collection of routines for parsing World Wide Web (WWW)
Common Gateway Interface (CGI) input and outputting HyperText Markup
Language (HTML).

http://www.eekim.com/software/cgihtml/

According to the author's website, it has potentially been used in the
implementation of everything from individual home pages to large
e-commerce sites.

It was written by Eugene Eric Kim <eekim@eekim.com>, also the
publisher of the 'CGI Developer's Guide'.


Vulnerabilities
---------------

These vulnerabilities were discovered in the current release of
cgihtml, version 1.69.

== Unsafe temporary file usage

The most obvious error is that, when handling form uploads (content
type 'multipart/form-data'), cgihtml attempts to create a file in the
system /tmp directory (or another directory if configured) using the
filename provided by the user agent, without performing any checks on
that filename. This allows the user agent to trivially write to any
file outside /tmp by supplying a filename whose path contains '../'.

== Unsafe temporary file creation

The way the temporary file is created is also insecure and could be
exploited locally (using symlink attacks or similar).

== Unsafe interpretation of content-length

cgihtml implicitly trusts the content length specified by the user
agent, and allocates memory of that size in which to store the POST
data. This is a trivial DoS.

== Unsafe memory management and assumption of input structure

I have noticed numerous points throughout the code where input is
handled insecurely, or the input format is assumed, which can allow
the user agent to cause bad memory accesses and most likely buffer
overflows. My brief investigation focused on the 'multipart/form-data'
processing, but I am assuming similar problems may exist outside this
section of the code.

As an example, it is assumed that header lines in multipart sections
will be structured such that the name of the section can be read
beginning at the 38th character of the line, and no attempt is made
to verify that the buffer contains that amount of data.

== Notification

I have attempted to contact the author via his email address on
10/12/2002, but have not received any reply.

== Exploit

I'm not going to provide any exploit code to take advantage of these
issues. However, below is an example user agent request that triggers
the first issue mentioned (unsafe temporary file usage).

=====request start
POST http://someserver.com/blah.cgi HTTP/1.0
User-Agent: Haxor
Content-Type: multipart/form-data; boundary=#123456789#multipart#boundary#1234567890#
Content-Length: 282

--#123456789#multipart#boundary#1234567890#
Content-Disposition: form-data; name="Haxor"; filename="../../../tmp/haxor.html"

<HTML>
<HEAD><TITLE>Haxor</TITLE></HEAD>
<BODY><H1>This page should not be here</H1></BODY>
</HTML>

--#123456789#multipart#boundary#1234567890#--
=====request end
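As an added example (it is neither cgihtml's code nor the advisory author's), the C below shows how a CGI library could handle the four issues listed above when it meets a Content-Disposition line like the one in the request just shown: the client's filename is reduced to a checked basename and used only as metadata, the on-disk file is created with mkstemp() under a random name rather than the client's, Content-Length is parsed strictly against a fixed cap before any allocation, and the header attribute is found by searching within the line's real length instead of reading from a fixed 38th-character offset. The function names, the 4 MiB body cap and the 64-character name limit are assumptions made for this example.

```c
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define MAX_POST_BYTES 4194304UL   /* assumed cap: 4 MiB per request body */
#define MAX_NAME_LEN   64          /* assumed cap on a stored filename */

/* Issue 1: the client's filename is untrusted data, never a path. Keep only
 * the last path component and allow a conservative character set. */
int sanitize_upload_filename(const char *supplied, char *out, size_t outlen)
{
    if (supplied == NULL || outlen == 0) return 0;
    const char *base = supplied;
    for (const char *p = supplied; *p != '\0'; p++)
        if (*p == '/' || *p == '\\') base = p + 1;   /* drop any directory part */
    size_t n = strlen(base);
    if (n == 0 || n > MAX_NAME_LEN || n >= outlen) return 0;
    if (base[0] == '.') return 0;                    /* rejects ".", "..", dotfiles */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)base[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != '_') return 0;
    }
    memcpy(out, base, n + 1);
    return 1;
}

/* Issue 2: the on-disk name is never the client's. mkstemp() opens with
 * O_CREAT|O_EXCL and a random suffix, so a planted symlink is not followed. */
int create_upload_tempfile(const char *dir, char *path, size_t pathlen)
{
    int n = snprintf(path, pathlen, "%s/upload.XXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen) return -1;    /* template would be truncated */
    return mkstemp(path);                            /* fd or -1, path filled in */
}

/* Creates, inspects and removes one temp file; 1 if it is a regular file
 * with a single link and no group/other permission bits. */
int upload_tempfile_selftest(const char *dir)
{
    char path[512]; struct stat st;
    int fd = create_upload_tempfile(dir, path, sizeof path);
    if (fd < 0) return 0;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
             && st.st_nlink == 1 && (st.st_mode & 077) == 0;
    close(fd);
    unlink(path);
    return ok;
}

/* Issue 3: Content-Length is digits only (no sign, no whitespace) and is
 * bounded before any allocation happens. Returns -1 on rejection. */
long parse_content_length(const char *value)
{
    if (value == NULL || *value == '\0') return -1;
    unsigned long v = 0;
    for (const char *p = value; *p != '\0'; p++) {
        if (!isdigit((unsigned char)*p)) return -1;
        v = v * 10 + (unsigned long)(*p - '0');
        if (v > MAX_POST_BYTES) return -1;          /* also prevents overflow */
    }
    return (long)v;
}

/* Issue 4: locate param="value" in the header line, bounding every read by
 * linelen, instead of assuming the value starts at a fixed column. Returns 1
 * and copies the value, or 0 if it is absent, unterminated or too large. */
int extract_disposition_param(const char *line, size_t linelen,
                              const char *param, char *out, size_t outlen)
{
    size_t plen = strlen(param);
    for (size_t i = 0; i + plen + 2 <= linelen; i++) {
        /* attribute must start the line or follow ';' / ' ', so "name" does not match inside "filename" */
        if (i > 0 && line[i - 1] != ' ' && line[i - 1] != ';') continue;
        if (memcmp(line + i, param, plen) != 0 || line[i + plen] != '=' || line[i + plen + 1] != '"')
            continue;
        size_t start = i + plen + 2, end = start;
        while (end < linelen && line[end] != '"') end++;
        if (end == linelen || end - start >= outlen) return 0;
        memcpy(out, line + start, end - start);
        out[end - start] = '\0';
        return 1;
    }
    return 0;
}

int main(void)
{
    /* constructed input: the Content-Disposition line from the request above */
    const char *hdr = "Content-Disposition: form-data; name=\"Haxor\"; filename=\"../../../tmp/haxor.html\"";
    char raw[128], clean[MAX_NAME_LEN + 1];
    if (extract_disposition_param(hdr, strlen(hdr), "filename", raw, sizeof raw))
        printf("client filename: %s -> %s\n", raw,
               sanitize_upload_filename(raw, clean, sizeof clean) ? clean : "(rejected)");
    printf("Content-Length 282 -> %ld, 99999999999 -> %ld\n",
           parse_content_length("282"), parse_content_length("99999999999"));
    printf("temp file check: %s\n", upload_tempfile_selftest("/tmp") ? "ok" : "failed");
    return 0;
}
```

With the request's header line, the '../../../tmp/haxor.html' value is reduced to 'haxor.html' and the data still lands in a mkstemp() file whose name the client never chose; the sanitised name is only something the application may record alongside it.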


Best Regards,
Chris Leishman
