-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= AA-96.01 AUSCERT Advisory 14 March 1996 Vulnerability in NCSA/Apache CGI example code Last Revised: 24 September, 1996 Updated patched version information Added probe detection notes A complete revision history is at the end of this file. - ----------------------------------------------------------------------------- The Australian Computer Emergency Response Team (AUSCERT) has received information that example CGI code, as found in the NCSA 1.5a-export and APACHE 1.0.3 httpd (and possibly previous distributions of both servers), contains a security vulnerability. Programs using this code may be vulnerable to attack. The CGI program "phf", included with those distributions, is an example of such a vulnerable program. This program may have been installed as part of the installation process for the httpd. AUSCERT recommends that sites that have installed any CGI program incorporating the vulnerable code (such as "phf") apply one of the workarounds as described in Section 3. - ----------------------------------------------------------------------------- 1. Description A security vulnerability has been reported in example CGI code, as provided with the NCSA httpd 1.5a-export and APACHE httpd 1.0.3 (and possibly previous distributions of both servers). The example code contains a library function escape_shell_cmd() (in cgi-src/util.c). This function, which attempts to prevent exploitation of shell-based library calls, such as system() and popen(), contains a vulnerability. It fails to detect the newline shell meta-character. Any program which relies on escape_shell_cmd() to prevent exploitation of shell-based library calls may be vulnerable to attack. In particular, this includes the "phf" program which is also distributed with the example code. Some sites may have installed phf by default, even though it is not required to run httpd successfully. Any vulnerable program which is installed as a CGI application may allow unauthorised activity on the HTTP server. Any HTTP server (not limited to NCSA or Apache) which has installed CGI programs which rely on escape_shell_cmd() may be vulnerable to attack. To test whether your site has been probed using this vulnerability, search for the newline character in your access logs. An example of how to do this is: grep -i '%0a' {WWW_HOME}/logs/access_log If this command returns anything, further investigation is necessary. If sites find any evidence showing that they have been probed using this method, they are encouraged to report the incident to AUSCERT. Reports of all attacks help AUSCERT gain a better overview of intruder activity within the constituency. Sites which have the source code to their CGI applications available can determine whether their applications may be vulnerable by examining the source for usage of the escape_shell_cmd() function which is defined in cgi-src/util.c. Sites which do not have the source code for their CGI applications should contact the distributors of the applications for more information. It is important to note that attacks similar to this may succeed against any CGI program which has not been written with due consideration for security. Sites using HTTP servers, and in particular CGI applications, are encouraged to develop an understanding of the security issues involved. References in Section 4 provide some initial pointers in this area. 2. Impact A remote user may retrieve any world readable files, execute arbitrary commands and create files on the server with the privileges of the httpd process which answers HTTP requests. This may be used to compromise the http server and under certain configurations gain privileged access. 3. Workarounds The use of certain C library calls (including system() and popen()) in security critical code (such as CGI programs) has been a notorious source of security vulnerabilities. Good security coding practice usually dictates that easily exploitable system or library calls should not be used. While secure CGI coding techniques are beyond the scope of this advisory many useful guidelines are available. Sites planning to install or write their own CGI programs are encouraged to read the references in Section 4 first. 3.1. Remove CGI programs Any CGI program which uses the escape_shell_cmd() function and is not required should be disabled. This may be accomplished by removing execute permissions from the program or removing the program itself. In particular, sites which have installed the "phf" program and do not require it should disable it. The "phf" program is not required to run httpd successfully. Sites requiring "phf" functionality should apply one of the workarounds given in sections 3.2 and 3.3. 3.2. Rewrite CGI programs The intent of the escape_shell_cmd() function is to prevent passing shell meta-characters to susceptible library calls. A more secure approach is to avoid the use of these library calls entirely. AUSCERT recommends that sites which are currently using CGI programs which use shell-based library calls (such as system() and popen()) consider rewriting these programs to remove direct calls to easily compromised library functions. Sites should note that this is only one aspect of secure programming practice. More details on this approach and other guidelines for secure CGI programming may be found in the references in Section 4. 3.3. Recompile CGI programs with patched util.c The vulnerability described in this advisory was first patched in NCSA httpd 1.5.1 and Apache httpd 1.0.4. Sites using any programs requiring the escape_shell_cmd() function should download the current version of the chosen httpd and recompile such programs. The current NCSA distribution can be found at: ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/current/ The current Apache distribution can be found at: ftp://www.apache.org/apache/dist/ 4. Additional measures Sites should consider taking this opportunity to examine their httpd configuration. In particular, all CGI programs that are not required should be removed, and all those remaining should be examined for possible security vulnerabilities. It is also important to ensure that all child processes of httpd are running as a non-privileged user. This is often a configurable option. See the documentation for your httpd distribution for more details. Numerous resources relating to WWW security are available. The following pages provide a useful starting point. They include links describing general WWW security, secure httpd setup and secure CGI programming. The World Wide Web Security FAQ: http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html NSCA's "Security Concerns on the Web" Page: http://hoohoo.ncsa.uiuc.edu/security/ The following book contains useful information including sections on secure programming techniques. "Practical Unix & Internet Security", Simson Garfinkel and Gene Spafford, 2nd edition, O'Reilly and Associates, 1996. Please note that the URLs referenced in this advisory are not under AUSCERT's control and therefore AUSCERT cannot be responsible for their availability or content. Please contact the administrator of the site in question if you encounter any difficulties with the above sites. - ---------------------------------------------------------------------------- AUSCERT thanks Jeff Uphoff of NRAO, IBM-ERS, NASIRC and Wolfgang Ley of DFN-CERT for their assistance. - ---------------------------------------------------------------------------- The AUSCERT team have made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The appropriateness of this document for an organisation or individual system should be considered before application in conjunction with local policies and procedures. AUSCERT takes no responsibility for the consequences of applying the contents of this document. If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams). AUSCERT is located at The University of Queensland within the Prentice Centre. AUSCERT is a full member of the Forum of Incident Response and Security Teams (FIRST). AUSCERT maintains an anonymous FTP service which is found on: ftp://ftp.auscert.org.au. This archive contains past SERT and AUSCERT Advisories, and other computer security information. AUSCERT also maintains a World Wide Web service which is found on: http://www.auscert.org.au. Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 4477 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. Postal: Australian Computer Emergency Response Team c/- Prentice Centre The University of Queensland Brisbane Qld. 4072. AUSTRALIA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision History Sept 24, 1996 New version information added for both NCSA and Apache HTTP Daemons. Information on how to test if you have been probed using this vulnerability. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBMkezFih9+71yA2DNAQFgIQP/bK3B4tukBWJw4neWb+trPAbwbMp+nxO2 scqgpZtaNP1nz5L84YnFDgsz5YyPQwo38g3KqUQ0w3VtLZJGf8d3mOFFVm6ryBao vZrRei3jZ0yKghMeXAN9QEJtLLLI7frSUXVWFBp/sBTx2GGLqdjxOcLkRDjoYYdA E9FXYLdEJMA= =4CeM -----END PGP SIGNATURE-----