CORE SDI Inc.
http://www.core-sdi.com
Unixware SCOhelp http server format string vulnerability
Date Published: 09/27/00
Advisory ID: CORE-092700
Bugtraq ID: 1717
CVE CAN: None currently assigned.
Title: Unixware SCOhelp http server format string vulnerability
Class: Input validation error
Remotely Exploitable: Yes
Locally Exploitable: Yes
Vulnerability Description:
SCO Unixware 7 default installation includes scohelp, an http
server that listens on port 457/tcp and allows access to manual
pages and other documentation files. The search CGI script provided
for that purpose has a vulnerability that could allow any remote
attacker to execute arbitrary code on the vulnerable machine with
the privileges of user "nobody".
This poses a threat that could result in the remote compromise of
the vulnerable host and provide a staging point from where an attacker
could escalate privileges.
Vulnerable Packages/Systems:
Unixware 7
Solution/Vendor Information/Workaround:
Contact the vendor for a fix.
In the meantime, disabling the http server on port 457/tcp
will prevent exploitation of the vulnerability. However, this
will also make access to the documentation unavailable.
The following is a workaround supplied by the vendor:
To apply the workaround to your system you must:
1) Log into the system as root
2) cd /usr/ns-home/httpd-scohelphttp/search97
3) mkdir ./securebin
4) mv ./bin/vtopic ./securebin
5) Create a new ./bin/vtopic script with the following contents:
#!/bin/sh
# Wrapper that vets the CGI request before handing it to the real
# vtopic binary, which step 4 moved into securebin.
VERITYBIN=/usr/ns-home/httpd-scohelphttp/search97/bin
SECUREBIN=/usr/ns-home/httpd-scohelphttp/search97/securebin
configPath=$VERITYBIN/inetsrch.ini
export configPath
# For POST requests QUERY_STRING is empty; let cgiparse -init fill it in.
if [ -z "$QUERY_STRING" ]
then
    POST=1
    eval `$VERITYBIN/cgiparse -init`
else
    POST=0
fi
# Refuse requests that carry no query at all.
if [ -z "$QUERY_STRING" ]
then
    exit 1
fi
# Neutralise encoded '%' characters before anything else sees them.
QUERY_STRING=`echo "$QUERY_STRING" | sed "s/%25/+/g"`
export QUERY_STRING
# Refuse requests that supply ViewTemplate or ResultTemplate more than once.
COUNT=`$VERITYBIN/cgiparse -count -value ViewTemplate 2> /dev/null`
if [ "${COUNT:-0}" -gt 1 ]
then
    exit 1
fi
COUNT=`$VERITYBIN/cgiparse -count -value ResultTemplate 2> /dev/null`
if [ "${COUNT:-0}" -gt 1 ]
then
    exit 1
fi
# Template parameters may only point at the stock search templates.
if echo "$QUERY_STRING" | egrep -i '&ViewTemplate=' > /dev/null 2>&1
then
    MATCH=`$VERITYBIN/cgiparse -value ViewTemplate 2> /dev/null | egrep -i '[-A-Za-z0-9_.]+/_SearchTemplates/docview.hts'`
    if [ -z "$MATCH" ]
    then
        exit 1
    fi
fi
if echo "$QUERY_STRING" | egrep -i '&ResultTemplate=' > /dev/null 2>&1
then
    MATCH=`$VERITYBIN/cgiparse -value ResultTemplate 2> /dev/null | egrep -i '[-A-Za-z0-9_.]+/_SearchTemplates/result.hts'`
    if [ -z "$MATCH" ]
    then
        exit 1
    fi
fi
# Request passed the checks: run the real binary from securebin.
exec $SECUREBIN/vtopic
6) chmod +x vtopic
This script acts as a wrapper to the vtopic binary and blocks
queries that can:
1) Allow a remote user to request to view a world readable file
like /etc/passwd
2) Cause a failure like the one described in your email to SCO.
Vendor notified on: September 11th, 2000
Credits:
This vulnerability was discovered by Juliano Rizzo of CORE SDI Inc.,
Buenos Aires, Argentina.
This advisory was drafted with the help of the SecurityFocus.com
Vulnerability Help Team. For more information or assistance drafting
advisories please mail [email protected].
Fix information and the workaround were provided by the SCO Security Group.
It can be contacted at [email protected]
Technical Description - Exploit/Concept Code:
There is a user-supplied format string bug in the vtopic CGI script that
could be abused to execute arbitrary code. Sending a request with the
following URI:
http://target:457/search97cgi/vtopic?Action=\
FilterSearch&filter=&queryText=%25x
makes the server return the following output:
Internal error: STR_sprintf: Invalid format (Error E1-0142 (Query
Builder): Invalid character '%' (0x25))
Result
Search failed: -40
Result
Error E1-0142 (Query Builder): Invalid character '
Result
Error E1-0130 (Query Builder): Syntax error in query string near
character 1
Result
Error E1-0133 (Query Builder): Error parsing query: 81888e0
Result
VdkSearchNew failed, error -40
Result
Request failed for REQUEST_METHOD=, QUERY_STRING=
Component
Component (vsearch) failed in processing request, -2
Action
Action (FilterSearch) failed while processing request in component
(vsearch), -2
Note the line:
Error E1-0133 (Query Builder): Error parsing query: 81888e0
This shows that the server is interpreting the %x argument passed in
the URI as the "queryText" value. By supplying a carefully built value
for the queryText argument, an attacker can change the program flow and
execute arbitrary code.
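The following C sketch is an added illustration, not code from the advisory or from SCO or Verity. It follows the advisory's proof of concept: the queryText value %25x is URL-decoded to %x, counted as a printf conversion directive and rejected, and the error message is built with a fixed format so that user data is only ever an argument. url_decode, count_format_directives, query_text_ok and report_query_error are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

static int hexval(int c) {
    if (isdigit((unsigned char)c)) return c - '0';
    c = tolower((unsigned char)c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* URL-decode a CGI parameter value in place. The PoC's queryText of
 * "%25x" decodes to "%x": the string vtopic handed to STR_sprintf. */
void url_decode(char *s) {
    char *w = s;
    while (*s) {
        if (*s == '%' && hexval(s[1]) >= 0 && hexval(s[2]) >= 0) {
            *w++ = (char)(hexval(s[1]) * 16 + hexval(s[2]));
            s += 3;
        } else {
            *w++ = (*s == '+') ? ' ' : *s;   /* '+' encodes a space */
            s++;
        }
    }
    *w = '\0';
}

/* Count the conversion directives a printf-family function would act
 * on if this string were used as a format. "%%" is a literal percent. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++)
        if (*s == '%') { if (s[1] == '%') s++; else n++; }
    return n;
}

/* Decode, then reject any value that would be interpreted as a format.
 * Returns 1 if the decoded value is safe to pass on, 0 otherwise. */
int query_text_ok(char *raw) {
    url_decode(raw);
    return count_format_directives(raw) == 0;
}

/* Hardened error reporting: the query is an argument, never the format.
 * The bug the advisory describes is the equivalent of
 *     sprintf(buf, query);   // user data used as the format string
 * which turns a "%x" in queryText into a read of the stack. */
int report_query_error(char *buf, size_t n, const char *query) {
    return snprintf(buf, n, "Invalid query: %s", query);
}
```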
DISCLAIMER:
The contents of this advisory are copyright (c) 2000 CORE SDI Inc. and may
be distributed freely provided that no fee is charged for this distribution
and proper credit is given.
"Understanding. A cerebral secretion that enables one having it to know
a house from a horse by the roof on the house.
Its nature and laws have been exhaustively expounded by Locke,
who rode a house, and Kant, who lived in a horse." - Ambrose Bierce