**************************************************************************
Security Bulletin 9724 DISA Defense Communications System
November 5, 1997 Published by: DISN Security Coordination Center
(SCC@NIC.MIL)
1-(800) 365-3642
The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login= "anonymous" and password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil.
**************************************************************************
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
! !
! The following important advisory was issued by the Computer !
! Emergency Response Team (CERT) and is being relayed unedited !
! via the Defense Information Systems Agency's Security !
! Coordination Center distribution system as a means of !
! providing DISN subscribers with useful security information. !
! !
+ - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - +
===========================================================================
- -----------------------------------------------------------------------------
The text of this advisory was originally released on October 31, 1997, as AA-97.27, developed by the Australian Computer Emergency Response Team. To more widely broadcast this information, we are reprinting the AUSCERT advisory here with their permission. Only the contact information at the end has changed: AUSCERT contact information has been replaced with CERT/CC contact information.
We will update this advisory as we receive additional information.
Look for it in an "Updates" section at the end of the advisory.
=============================================================================
The Australian Computer Emergency Response Team (AUSCERT) has received information that a buffer overrun vulnerability exists in the Count.cgi cgi-bin program.
A new version of Count.cgi has been released addressing this vulnerability.
AUSCERT recommends that sites that have the Count.cgi cgi-bin program installed take the steps outlined in Section 3 as soon as possible.
- - ---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the Count.cgi cgi-bin program. The Count.cgi cgi-bin program is used to record and display the number of times a WWW page has been accessed.
Due to insufficient bounds checking on arguments which are supplied by users, it is possible to overwrite the internal stack space of the Count.cgi program while it is executing. By supplying a carefully designed argument to the Count.cgi program, intruders may be able to force Count.cgi to execute arbitrary commands with the privileges of the httpd process.
The Count.cgi program is extremely widely used. Sites are encouraged to check for its existence and its possible exploitation.
To check whether exploitation of this vulnerability has been attempted at your site, search for accesses to the Count.cgi program in your access logs. An example of how to do this is:
# grep -i 'Count.cgi' {WWW_HOME}/logs/access_log
Where, {WWW_HOME} is the base directory for your web server.
If this command returns anything, further investigation is necessary. Specifically, look for accesses to Count.cgi that contain long strings of nonsensical characters.
If sites find any evidence showing that they have been probed using this vulnerability, they are encouraged to report the incident to AUSCERT or their local incident response team. Reports of all attacks help AUSCERT gain a better overview of intruder activity within the constituency.
Remote user may be able to execute arbitrary commands with the privileges of the httpd process which answers HTTP requests. This may be used to compromise the http server and under certain configurations gain privileged access.
AUSCERT recommends that sites upgrade to the current version of Count.cgi (Section 3.1). For sites that can not immediately install the current version of Count.cgi, it is recommended that the workaround described in Section 3.2 be applied.
The author of Count.cgi has recently released version 2.4 which addresses the vulnerability described in this advisory. AUSCERT recommends that sites upgrade to the latest version as soon as possible.
The current version is available from:
http://www.fccc.edu/users/muquit/Count.html
To prevent the exploitation of the vulnerability described in this advisory, AUSCERT recommends that the execute permissions be removed from Count.cgi immediately. Note that this will have the side effect of preventing the page hit counter from being incremented and displayed on web pages using Count.cgi. The remainder of such web pages should still display.
It is important to note that attacks similar to this may succeed against any CGI program which has not been written with due consideration for security. Sites using HTTP servers, and in particular CGI applications, are encouraged to develop an understanding of the security issues involved.
Sites should consider taking this opportunity to examine their httpd configuration and web servers. In particular, all CGI programs that are not required should be removed, and all those remaining should be examined for possible security vulnerabilities.
It is also important to ensure that all child processes of httpd are running as a non-privileged user. This is often a configurable option. See the documentation for your httpd distribution for more details.
Numerous resources relating to WWW security are available. The following pages may provide a useful starting point. They include links describing general WWW security, secure httpd setup and secure CGI programming.
The World Wide Web Security FAQ:
http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
NSCA's "Security Concerns on the Web" Page:
http://hoohoo.ncsa.uiuc.edu/security/
The following books contain useful information including sections on secure programming techniques.
"Web Security Sourcebook", Aviel Rubin, Daniel Geer and Marcus Ranum, John Wiley & Sons, Inc., 1997.
"Practical Unix & Internet Security", Simson Garfinkel and Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.
Please note that the URLs and books referenced in this advisory are not under AUSCERT's control and therefore AUSCERT cannot be responsible for their availability or content.
- - ---------------------------------------------------------------------------
AUSCERT thanks Muhammad Muquit for his assistance in the preparation of this advisory.
- - ---------------------------------------------------------------------------
If you believe that your system has been compromised,
contact the CERT Coordination Center or your representative in
the Forum of Incident Response and Security Teams (see http://www.first.org/team-info/)
- ----------------------------
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
and are on call for emergencies during
other hours.
Fax +1 412-268-6989
We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information.
ftp://info.cert.org/pub/CERT_PGP.key
CERT publications and other security information are available from
CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce
To be added to our mailing list for advisories and bulletins, send
email to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address
- ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff . If you do not have FTP or web access, send mail to cert@cert.org with "copyright" in the subject line.
*CERT is registered in the U.S. Patent and Trademark Office.
- ---------------------------------------------------------------------------
This file: ftp://info.cert.org/pub/cert_advisories/CA-97.24.Count_cgi
http://www.cert.org
click on "CERT Advisories"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
****************************************************************************
* *
* *
* *
* *
* *
* *
* *
* *
****************************************************************************
PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.
This document was prepared as an service to the DOD
community. Neither the United States Government nor any of their
employees, makes any warranty, expressed or implied, or assumes
any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, product, or process disclosed,
or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government.
The opinions of the authors expressed herein do not necessarily
state or reflect those of the United States Government, and shall
not be used for advertising or product endorsement purposes.