Original issue date: May 6, 1997<BR>
Last revised: September 26, 1997<BR>
Updated copyright statement

<P>A complete revision history is at the end of this file.

<P>The CERT Coordination Center has received reports of a security
vulnerability in the webdist.cgi cgi-bin program, part of the IRIX
Mindshare Out Box package, available with IRIX 5.x and 6.x. By
exploiting this vulnerability, both local and remote users may be able
to execute arbitrary commands with the privileges of the httpd
daemon. This may be used to compromise the http server and under
certain configurations gain privileged access.

<P>Vendor patches are now available from Silicon Graphics Inc. We
encourage you to apply patches as soon as possible. For more
information, refer to the Silicon Graphics Inc. Security Advisory
Number 19970501-02-PX.

<P>The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com. Security information and patches can be found in
the ~ftp/security and ~ftp/patches directories, respectively.

<P>We will update this advisory as we receive additional
information. Please check our advisory files regularly for updates
that relate to your site.

<P>Note: Development of this advisory was a joint effort of the CERT
Coordination Center and AUSCERT. This material was also released as
AUSCERT advisory AA-97.14.

<P><HR>
<H2>I. Description</H2>

<P>A security vulnerability has been reported in the webdist.cgi
cgi-bin program available with IRIX 5.x and 6.x. webdist.cgi is part
of the IRIX Mindshare Out Box software package, which allows users to
install software over a network via a World Wide Web interface.

<P>webdist.cgi allows <I>webdist(1)</I> to be used via an HTML form
interface defined in the file webdist.html, which is installed in the
default document root directories for both the Netsite and Out Box
servers.

<P>Due to insufficient checking of the arguments passed to
webdist.cgi, it may be possible to execute arbitrary commands with the
privileges of the httpd daemon. This is done via the webdist program.

<P>When installed, webdist.cgi is accessible by anyone who can connect
to the httpd daemon. Because of this, the vulnerability may be
exploited by remote users as well as local users. Even if a site's
webserver is behind a firewall, it may still be vulnerable.
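<P>The failure mode described above, a form argument reaching a command line without sufficient checking, is illustrated by the following added example. It is not webdist.cgi's own code and does not reproduce it; the field name pkg, the helper names and the installer path /path/to/installer are placeholders. The unsafe function only builds the command string, so the metacharacters that survive can be inspected; the hardened handler applies an allowlist and passes the value as a single argv word.

```sh
#!/bin/sh
# Added example, not webdist.cgi's own code: a CGI handler that takes one
# form field and refuses it unless it matches a strict allowlist, so the
# value can never change the meaning of the command it is passed to.

# Pull one field (name=value) out of a QUERY_STRING. Constructed helper:
# it does not percent-decode; a real handler must decode first and run the
# allowlist check on the decoded value.
cgi_field() {
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Allowlist: letters, digits, dot, underscore and dash only, starting with a
# letter or digit so the value can never be mistaken for an option. Anything
# else, including every shell metacharacter, is rejected.
valid_package() {
    case "$1" in
        *[!A-Za-z0-9._-]*) return 1 ;;   # contains a disallowed character
        [A-Za-z0-9]*)      return 0 ;;   # well-formed
        *)                 return 1 ;;   # empty or starts with a disallowed char
    esac
}

# The vulnerable pattern, shown only as a string builder (it never runs the
# result): the field is pasted into a command line, so a ';' or '|' in it
# would be interpreted by whatever shell the string is later handed to.
unsafe_command_line() {
    printf '%s\n' "/path/to/installer $1"
}

# The hardened pattern: validate, then pass the value as one argv word after
# '--'. /path/to/installer is a placeholder for the tool being wrapped.
safe_argv() {
    valid_package "$1" || return 1
    printf '%s\n' /path/to/installer -- "$1"   # one argv word per line
}

# CGI entry point: emits a status line and either the argv that would be
# executed or a 400 response. Exit status 1 on rejection.
handle_request() {
    pkg=$(cgi_field "$1" pkg)
    if argv=$(safe_argv "$pkg"); then
        printf 'Status: 200 OK\n\n%s\n' "$argv"
    else
        printf 'Status: 400 Bad Request\n\nrejected field: pkg\n'
        return 1
    fi
}
```

<P>The design choice is that the value is never interpolated into a string given to sh -c or eval; it is validated against a positive pattern and then handed to the program as its own argument, so rejecting metacharacters is a second line of defence rather than the only one.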

<H4>Determining if your site is vulnerable</H4>
All sites are encouraged to check their systems for the IRIX Mindshare
Out Box software package, and in particular the Webdist Software package
which is a subsystem of the Mindshare Out Box software package. To determine
if this package is installed, use the command:

<PRE># versions outbox.sw.webdist</PRE>

<P>I = Installed, R = Removed
<BR>
<TABLE BORDER=0 COLS=3 WIDTH="100%" NOSAVE >
<TR>
<TD>Name</TD>

<TD>Date</TD>

<TD>Description</TD>
</TR>

<TR>
<TD>I outbox</TD>

<TD>11/06/96</TD>

<TD>Outbox Environment, 1.2</TD>
</TR>

<TR>
<TD>I outbox.sw</TD>

<TD>11/06/96</TD>

<TD>Outbox End-User Software, 1.2</TD>
</TR>

<TR>
<TD>I outbox.sw.webdist</TD>

<TD>11/06/96</TD>

<TD>Web Software Distribution Tools, 1.2</TD>
</TR>
</TABLE>

<H2>II. Impact</H2>
Local and remote users may be able to execute arbitrary commands on the
HTTP server with the privileges of the httpd daemon. This may be used to
compromise the http server and under certain configurations gain privileged
access.
<BR>
<H2>III. Solution</H2>
Vendor patches are available from Silicon Graphics Inc. We encourage you
to apply patches as soon as possible. For more information, refer to the
Silicon Graphics Inc. Security Advisory Number 19970501-02-PX, which is
available from the SGI anonymous FTP site

<P><A HREF="ftp://sgigate.sgi.com">ftp://sgigate.sgi.com</A>

<P>or its mirror,

<P><A HREF="ftp://ftp.sgi.com">ftp://ftp.sgi.com</A>

<P>Security information and patches can be found in the ~ftp/security and
~ftp/patches directories, respectively.

<P>You can also prevent the exploitation of this vulnerability by applying
the workaround given in Section III.A or removing the package from your
systems (Section III.B).
<H3>A. Remove execute permissions</H3>
Sites should immediately remove the execute permissions on the webdist.cgi
program to prevent its exploitation. By default, webdist.cgi is found in
/var/www/cgi-bin/, but sites should check all cgi-bin directories for this
program.
<PRE># ls -l /var/www/cgi-bin/webdist.cgi
-rwxr-xr-x 1 root sys 4438 Nov 6 12:44 /var/www/cgi-bin/webdist.cgi</PRE>

<PRE># chmod 400 /var/www/cgi-bin/webdist.cgi</PRE>

<PRE># ls -l /var/www/cgi-bin/webdist.cgi
-r-------- 1 root sys 4438 Nov 6 12:44 /var/www/cgi-bin/webdist.cgi</PRE>
Note that this will prevent all users from using the webdist program from
the HTML form interface.
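<P>The check and lockdown above, applied to every cgi-bin directory rather than only the default one, as an added shell example that is not from the advisory or from SGI. It assumes only POSIX sh, find and chmod; the IRIX versions command is not used because it has no equivalent on other systems. The function names are placeholders chosen for this example.

```sh
#!/bin/sh
# Added example, not from the advisory: audit every directory given for an
# executable copy of a CGI program and strip its execute bits, the chmod 400
# step above applied to all cgi-bin locations, with a verification pass.

# Print each regular file named $1 under the remaining arguments that still
# has an execute bit for owner, group or others (octal tests keep this
# portable to find implementations without symbolic -perm).
find_executable_cgi() {
    name=$1; shift
    find "$@" -type f -name "$name" \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Leave only owner read (0400), matching the advisory, and log the change.
disable_cgi() {
    chmod 400 "$1" && printf 'disabled: %s\n' "$1"
}

# Disable every executable copy, then verify none remains; exit status is 0
# only when the verification pass finds nothing.
lock_down_cgi() {
    name=$1; shift
    find_executable_cgi "$name" "$@" | while IFS= read -r path; do
        disable_cgi "$path"
    done
    [ -z "$(find_executable_cgi "$name" "$@")" ]
}

# On the real system, as root:  lock_down_cgi webdist.cgi /var/www/cgi-bin
# (add any other cgi-bin directories the httpd configuration names).
```

<P>Running the verification pass after the change, rather than trusting the chmod exit status, catches copies in a second cgi-bin directory or a file that was replaced between the audit and the lockdown.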
<H3>B. Remove outbox.sw.webdist subsystem</H3>
If the Webdist software is not required, we recommend that sites remove
it completely from their systems. This can be done with the command:

<PRE># versions remove outbox.sw.webdist</PRE>

<P>Sites can check that the package has been removed with the command:

<PRE># versions outbox.sw.webdist</PRE>
<BR>
<H2>IV. Additional Measures</H2>
Sites should consider taking this opportunity to examine their entire httpd
configuration. In particular, all CGI programs that are not required should
be removed, and all those remaining should be examined for possible security
vulnerabilities.

<P>It is also important to ensure that all child processes of httpd are
running as a non-privileged user. This is often a configurable option.
See the documentation for your httpd distribution for more details.

<P>Numerous resources relating to WWW security are available. The following
pages may provide a useful starting point. They include links describing
general WWW security, secure httpd setup, and secure CGI programming.

<P>The World Wide Web Security FAQ:

<P><A HREF="http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html">http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html</A>

<P>NCSA's "Security Concerns on the Web" Page:
<BR><A HREF="http://hoohoo.ncsa.uiuc.edu/security/">http://hoohoo.ncsa.uiuc.edu/security/</A>

<P>The following book contains useful information including sections on
secure programming techniques.

<P><I>Practical Unix &amp; Internet Security</I>, Simson Garfinkel and
Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.

<P>Please note that the CERT/CC and AUSCERT do not endorse the URLs that
appear above. If you have any problems with these sites, please contact
the site administrator.

<P>This advisory is a collaborative effort between AUSCERT and the CERT
Coordination Center. This material was also released as AUSCERT advisory
AA-97.14.

<P><HR>
<BR>We thank Yuri Volobuev for reporting this problem. We also thank Martin
Nicholls (The University of Queensland) and Ian Farquhar for their assistance
in further understanding this problem and its solution.

<P><HR>

<P>Copyright 1997 Carnegie Mellon University.</P>

<HR>

Revision History
<PRE>
Sep. 26, 1997   Updated copyright statement
May 07, 1997    Introduction - Corrected the AUSCERT advisory number.
                Acknowledgments - Corrected the AUSCERT advisory
                number and removed a company name.
August 27, 1997 Introduction and Solution - Added patch information.
</PRE>