rt-sa-2005-012.txt

14 Aug 2005 00:00:00, reported by tsyklon.informatik.rwth-aachen.de, type: packetstorm (packetstormsecurity.com)

Pico Server (pServ) Local Information Disclosure vulnerability

Related

* cve: CVE-2005-1367, published 16 May 2005 04:00
* cvelist: CVE-2005-1367, published 16 May 2005 04:00
* euvd: EUVD-2005-1370, published 7 Oct 2025 00:30
* nvd: CVE-2005-1367, published 16 May 2005 04:00
* securityvulns: [Full-disclosure] Pico Server (pServ) Local Information Disclosure, published 16 May 2005 00:00
Advisory: Pico Server (pServ) Local Information Disclosure  
  
RedTeam found a local information disclosure vulnerability in Pico Server  
(pServ) which results in a local user reading all files on the server with  
pServ's permissions.  
  
Details  
=======  
  
Product: Pico Server (pServ)  
Affected Version: 3.3, 3.2 (verified), < 3.2 probably too  
Immune Version: none  
OS affected: all  
Security-Risk: low  
Remote-Exploit: no  
Vendor-URL: http://pserv.sourceforge.net/  
Vendor-Status: informed  
Advisory-URL: http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-012  
Advisory-Status: published  
CVE: CAN-2005-1367  
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1367 #)  
  
Introduction  
============  
  
From http://pserv.sourceforge.net/  
Pico Server is a small web server. It is meant to be portable and  
configurable.  
  
* small, portable  
* fast  
* CGI-BIN support  
* auto-indexing of directories  
* access and error logging (see p-reporter for an analyzer)  
* forking or single-connection at choice  
  
Pico Server (pServ) is written in portable C (K&R style so it can compile on  
older compilers too) and sports several options that by means of #define  
statements can customize the behavior, the performance and the feature set so  
to be able to fit better the requisites.  
  
pServ follows symlinks without checking whether a symlink points outside the  
webroot.  
  
More Details  
============  
  
pServ does not distinguish regular files from symlinks. Worse, it checks only  
the link path itself and never verifies that the symlink target still lies  
inside the webroot. An attacker with write access to a directory served by  
the web server (e.g. via FTP) can therefore create a symlink there to any file  
on the server and retrieve that file through the web server (provided pServ  
has permission to read it) by pointing a browser at the link.  
  
Proof of Concept  
================  
  
Retrieving /etc/shadow if pServ runs as root:  
1. As a local user, go to your web directory, e.g.: cd /usr/local/var/www/userdir  
2. Create a link to /etc/shadow: ln -s /etc/shadow  
3. Retrieve the shadow file by pointing your browser to  
http://vuln-host:2000/userdir/shadow  
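An added example, not pServ's own code, of the check this advisory says is missing: canonicalise the requested path with realpath() and refuse anything that resolves outside the webroot. The demo builds its own temporary webroot, a regular file and a symlink to a file outside the root, so all paths and file names are constructed.

```c
/* Added example, not pServ's code: refuse a request whose resolved path
 * leaves the webroot, which is the check this advisory says pServ lacks. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define PATHBUF 4096
/* Canonicalise root + "/" + request with realpath(), which follows symlinks,
 * and accept only a result that is the root itself or strictly below it. */
int path_within_root(const char *root, const char *request)
{
    char rootreal[PATHBUF], joined[PATHBUF], target[PATHBUF];
    size_t rlen;
    if (!realpath(root, rootreal))
        return 0;
    if (snprintf(joined, sizeof joined, "%s/%s", rootreal, request) >= PATHBUF)
        return 0;
    if (!realpath(joined, target))
        return 0;                      /* missing file or dangling symlink */
    rlen = strlen(rootreal);
    if (strncmp(target, rootreal, rlen) != 0)
        return 0;
    /* Component boundary: /var/www must not accept /var/www-private/x. */
    return target[rlen] == '\0' || target[rlen] == '/';
}

/* Self-contained demo with constructed paths: a temporary webroot holding a
 * regular file and a symlink (the "ln -s" from the PoC) to a file outside it.
 * Returns 1 when the regular file is accepted and both escapes are refused. */
int run_demo(void)
{
    char outside[] = "/tmp/outsideXXXXXX", root[] = "/tmp/webrootXXXXXX";
    char secret[PATHBUF], lnk[PATHBUF], page[PATHBUF];
    FILE *f; int ok;
    if (!mkdtemp(outside) || !mkdtemp(root))
        return 0;
    snprintf(secret, sizeof secret, "%s/shadow", outside);
    snprintf(lnk, sizeof lnk, "%s/shadow", root);
    snprintf(page, sizeof page, "%s/index.html", root);
    if ((f = fopen(secret, "w"))) fclose(f);
    if ((f = fopen(page, "w"))) fclose(f);
    if (symlink(secret, lnk) != 0)
        return 0;
    ok = path_within_root(root, "index.html") == 1
      && path_within_root(root, "shadow") == 0      /* symlink escapes */
      && path_within_root(root, "../../etc") == 0;  /* dot-dot escapes */
    unlink(lnk); unlink(page); unlink(secret); rmdir(root); rmdir(outside);
    return ok;
}
```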
  
Workaround  
==========  
  
pServ should run as a user with minimal privileges. Files that should not be  
read by unprivileged users should have their permissions set accordingly.  
  
Fix  
===  
  
The problem will not be fixed in the next version of pServ. From version 3.3  
on there is a hint in the readme file that informs of this issue.  
  
Security Risk  
=============  
  
The security risk is rated low because an attacker must already have access  
to the system. Also usually the administrator will run pServ with minimal  
privileges. On the other hand a user could place a link to some directory  
(e.g.: / ) without knowing what he is doing.  
  
History  
=======  
  
2005-04-29 found  
2005-05-02 first attempt to inform developers  
2005-05-02 CAN-number assigned  
2005-05-04 second attempt to inform developers  
2005-05-16 got the information that the problem will not be fixed. Advisory  
published.  
  
RedTeam  
=======  
  
RedTeam is a penetration testing group working at the Laboratory for  
Dependable Distributed Systems at RWTH-Aachen University. You can find more  
Information on the RedTeam Project at  
http://tsyklon.informatik.rwth-aachen.de/redteam/  
  
