Original issue date: March 20, 1996<BR>
Last revised: September 24, 1997<BR>
Updated copyright statement
<P>A complete revision history is at the end of this file.
<P>The text of this advisory was originally released on March 14, 1996,
as AUSCERT Advisory AA-96.01, developed by the Australian Computer Emergency
Response Team. Because of the seriousness of the problem, we are reprinting
the AUSCERT advisory here with their permission. Only the contact information
at the end has changed: AUSCERT contact information has been replaced with
CERT/CC contact information.
<P>We will update this advisory as we receive additional information. Please
check advisory files regularly for updates that relate to your site.
<P>Note: The vulnerability described in this advisory is being actively
exploited.
<P><HR>
<BR>The Australian Computer Emergency Response Team (AUSCERT) has received
information that example CGI code, as found in the NCSA 1.5a-export and
APACHE 1.0.3 httpd (and possibly previous distributions of both servers),
contains a security vulnerability. Programs using this code may be vulnerable
to attack.
<P>The CGI program "phf", included with those distributions, is an example
of such a vulnerable program. This program may have been installed as part
of the installation process for the httpd.
<P>AUSCERT recommends that sites that have installed any CGI program incorporating
the vulnerable code (such as "phf") apply one of the workarounds as described
in Section 3.
<P><HR>
<H2>1. Description</H2>
A security vulnerability has been reported in example CGI code, as provided
with the NCSA httpd 1.5a-export and APACHE httpd 1.0.3 (and possibly previous
distributions of both servers). The example code contains a library function
escape_shell_cmd() (in cgi-src/util.c). This function, which attempts to
prevent exploitation of shell-based library calls, such as system() and
popen(), contains a vulnerability.
<P>Any program which relies on escape_shell_cmd() to prevent exploitation
of shell-based library calls may be vulnerable to attack.
<P>In particular, this includes the "phf" program which is also distributed
with the example code. Some sites may have installed phf by default, even
though it is not required to run httpd successfully.
<P>Any vulnerable program which is installed as a CGI application may allow
unauthorised activity on the HTTP server.
<P>Please note that this vulnerability is not in httpd itself, but in CGI
programs which rely on the supplied escape_shell_cmd() function. Any HTTP
server (not limited to NCSA or Apache) which has installed CGI programs
which rely on escape_shell_cmd() may be vulnerable to attack.
<P>Sites which have the source code to their CGI applications available
can determine whether their applications may be vulnerable by examining
the source for usage of the escape_shell_cmd() function which is defined
in cgi-src/util.c.
<P>Sites which do not have the source code for their CGI applications should
contact the distributors of the applications for more information.
<P>It is important to note that attacks similar to this may succeed against
any CGI program which has not been written with due consideration for security.
Sites using HTTP servers, and in particular CGI applications, are encouraged
to develop an understanding of the security issues involved. References
in Section 4 provide some initial pointers in this area.
<H2>2. Impact</H2>
A remote user may retrieve any world readable files, execute arbitrary
commands and create files on the server with the privileges of the httpd
process which answers HTTP requests. This may be used to compromise the
http server and under certain configurations gain privileged access.
<H2>3. Workarounds</H2>
The use of certain C library calls (including system() and popen()) in
security critical code (such as CGI programs) has been a notorious source
of security vulnerabilities. Good security coding practice usually dictates
that easily exploitable system or library calls should not be used. While
secure CGI coding techniques are beyond the scope of this advisory many
useful guidelines are available.
<P>Sites planning to install or write their own CGI programs are encouraged
to read the references in Section 4 first.
<H3>3.1. Remove CGI programs</H3>
Any CGI program which uses the escape_shell_cmd() function and is not required
should be disabled. This may be accomplished by removing execute permissions
from the program or removing the program itself.
<P>In particular, sites which have installed the "phf" program and do not
require it should disable it. The "phf" program is not required to run
httpd successfully. Sites requiring "phf" functionality should apply one
of the workarounds given in sections 3.2 and 3.3.
<H3>3.2. Rewrite CGI programs</H3>
The intent of the escape_shell_cmd() function is to prevent passing shell
meta-characters to susceptible library calls. A more secure approach is
to avoid the use of these library calls entirely.
<P>AUSCERT recommends that sites which are currently using CGI programs
which use shell-based library calls (such as system() and popen()) consider
rewriting these programs to remove direct calls to easily compromised library
functions.
<P>Sites should note that this is only one aspect of secure programming
practice. More details on this approach and other guidelines for secure
CGI programming may be found in the references in Section 4.
<H3>3.3. Recompile CGI programs with patched util.c</H3>
For sites that still wish to use programs using the escape_shell_cmd()
function, a patched version of cgi-src/util.c has been made available by
NCSA which addresses this particular vulnerability. The patched version
of util.c is available as part of the http1.5.1b3-export distribution.
This is available from:<A HREF="http://hoohoo.ncsa.uiuc.edu/beta-1.5"></A>
<P><A HREF="http://hoohoo.ncsa.uiuc.edu/beta-1.5">http://hoohoo.ncsa.uiuc.edu/beta-1.5</A>
<P>Please note that this is a beta-release of the NCSA httpd and is not
a stable version of the httpd. The patched version of cgi-src/util.c may
be used independently.
<P>CGI programs which are required and use the escape_shell_cmd() should
be recompiled with the new version of cgi-src/util.c and then reinstalled.
<P>Apache have reported that they intend to fix this vulnerability in a
future release. Until then the patched version of util.c as supplied in
the http1.5.1b3-export release should be compatible.
<H2>4. Additional measures</H2>
Sites should consider taking this opportunity to examine their httpd configuration.
In particular, all CGI programs that are not required should be removed,
and all those remaining should be examined for possible security vulnerabilities.
<P>It is also important to ensure that all child processes of httpd are
running as a non-privileged user. This is often a configurable option.
See the documentation for your httpd distribution for more details.
<P>Numerous resources relating to WWW security are available. The following
pages provide a useful starting point. They include links describing general
WWW security, secure httpd setup and secure CGI programming.
<UL>The World Wide Web Security FAQ:<BR>
<A HREF="http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html">http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html</A>
<P>NSCA's "Security Concerns on the Web" Page:<BR>
<A HREF="http://hoohoo.ncsa.uiuc.edu/security/">http://hoohoo.ncsa.uiuc.edu/security/</A></UL>
The following book contains useful information including sections on secure
programming techniques.
<UL><I>Practical Unix & Internet Security</I>, Simson Garfinkel and
Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.</UL>
Please note that the URLs referenced in this advisory are not under AUSCERT's
control and therefore AUSCERT cannot be responsible for their availability or
content. Please contact the administrator of the site in question if you
encounter any difficulties with the above sites.
<P><HR>
<BR>AUSCERT thanks Jeff Uphoff of NRAO, IBM-ERS, NASIRC and Wolfgang Ley
of DFN-CERT for their assistance.
<BR>
<HR>
<P>The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the consequences
of applying the contents of this document.
<P><HR>
<P>
<H2>UPDATES</H2>
<P>Similar attacks may succeed against other cgi scripts if the scripts
are written without appropriate care regarding security issues. We encourage
sites to evaluate all programs in their cgi-bin directory and remove any
scripts that are not in active use.
<P>We would like to point out that along with "phf" we have received reports
that "php" programs are also being exploited.
<P>CERT/CC received the following update from NASIRC concerning the vulnerability
described in this advisory:
<H3>NEW INFORMATION</H3>
<P>The routine "escape_shell_cmd()" also occurs in the file "src/util.c".
Note that the files "cgi-src/util.c" and "src/util.c" are not identical,
however they both contain an identical copy of the routine "escape_shell_cmd()",
which has the vulnerability. The file "src/util.c" is used to build the
HTTP daemon, therefore the "newline" hole exists within the server.
<H3>PATCH</H3>
<P>The patch recommended by NCSA modifies the routine
<P>"escape_shell_cmd()" to expand the list of characters that it will
escape. In the routine "escape_shell_cmd()", the line:
<UL> if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){</UL>
<P>Must be changed to:
<UL>if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){</UL>
<H3>NCSA HTTPD 1.5.1</H3>
Instead of patching the source, the most up-to-date version of NCSA
HTTPd source may be downloaded from:
<P><A HREF="ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/current/httpd_1.5.1-export_source.tar.Z">ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/current/httpd_1.5.1-export_source.tar.Z</A>
<P>MD5 (httpd_1.5.1-export_source.tar.Z) =
bcf1fd410b5839c51dc75816a155fbb8
<P><HR>
<P><HR>
<!--#include virtual="/include/footer_nocopyright.html" -->
<P>Copyright 1996, 1997 Carnegie Mellon University.</P>
<HR>
Revision History
<PRE>
Sep. 24, 1997 Updated copyright statement
June 4, 1997 Updates section - added information about other cgi programs
being exploited.
Aug. 30, 1996 Information previously in the README was inserted into
the advisory.
Apr. 17, 1996 Updates section - added new information provided by the
NASA Automated Systems Incident Response Capability (NASIRC).
</PRE>
|