************************************************************************** Security Bulletin 9726 DISA Defense Communications System November 15, 1997 Published by: DISN Security Coordination Center (SCC@NIC.MIL) 1-(800) 365-3642 DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login= "anonymous" and password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil. ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Information Systems Agency's Security ! ! Coordination Center distribution system as a means of ! ! providing DISN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ============================================================================= -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= CERT* Vendor-Initiated Bulletin VB-97.13 November 14, 1997 Topic: Vulnerability in GlimpseHTTP and WebGlimpse CGI scripts Source: Project FUSE, University of Arizona Related CERT documents: ftp://ftp.cert.org/pub/cert_advisories/CA-97.25.CGI_metachar ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters To aid in the wide distribution of essential security information, the CERT Coordination Center is forwarding the following information from Project FUSE, University of Arizona. Project FUSE urges you to act on this information as soon as possible. Project FUSE contact information is included in the forwarded text below; please contact them if you have any questions or need further information. Please note that there is related information about these vulnerabilities in AUSCERT Advisory AA-97.28, "Vulnerability in GlimpseHTTP and WebGlimpse cgi-bin Packages", available from ftp.auscert.org.au/pub/auscert/advisory/AA-97.28.GlimpseHTTP.WebGlimpse.vuls =======================FORWARDED TEXT STARTS HERE============================ Problem: Vulnerability in GlimpseHTTP 2.0 and WebGlimpse versions prior to 1.5 I. Description A vulnerability exists in the GlimpseHTTP web search package. A related vulnerability exists in the WebGlimpse web search package prior to version 1.5 (the latest version). These packages are popular collections of tools that provide easy-to-use interface to Glimpse, an indexing and query system, to provide a search facility on web sites. Due to insufficient argument checking by some of GlimpseHTTP and older WebGlimpse routines, intruders may be able to force it to execute arbitrary commands with the privileges of the httpd process. Attacks against GlimpseHTTP using these vulnerabilities have been reported. Similar attacks have been reported on other scripts, and it is a good idea now to check all your CGI scripts. For more information see ftp://info.cert.org/pub/cert_advisories/CA-97.25.CGI_metachar ftp://info.cert.org/pub/tech_tips/cgi_metacharacters To check whether exploitation of this vulnerability has been attempted at your site, search for unusual accesses to aglimpse in your access logs. An example of how to do this is: # egrep 'aglimpse.*IFS' {WWW_HOME}/logs/access_log Where {WWW_HOME} is the base directory for your web server. If this command returns anything, further investigation is necessary. Up-to-date information regarding these vulnerabilities can be obtained from the authors of GlimpseHTTP and WebGlimpse at http://glimpse.cs.arizona.edu/security.html Although the attacks against GlimpseHTTP have focused on version 2.0, similar attacks may be possible on earlier versions. II. Impact Remote users may be able to execute arbitrary commands with the privileges of the httpd process which answers HTTP requests. This may be used to compromise the http server and under certain configurations gain privileged access. Current attacks concentrated on obtaining the /etc/passwd file on systems that do not provide shadow passwords. III. Solution The authors have decided to stop supporting GlimpseHTTP, and instead have released a new version (1.5) of WebGlimpse, which has most of the features of GlimpseHTTP and many more. Users of any version GlimpseHTTP are encouraged to upgrade to the new WebGlimpse. Users of earlier versions of WebGlimpse are also encouraged to upgrade, as version 1.5 is more robust and more secure. WebGlimpse can be found at http://glimpse.cs.arizona.edu/webglimpse/ For sites that cannot immediately install the current version of WebGlimpse, it is recommended that you disable the version of GlimpseHTTP or WebGlimpse you are using and use another script to interface to Glimpse. Questions to the authors can be directed to glimpse@cs.arizona.edu ========================FORWARDED TEXT ENDS HERE============================= If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). See http://www.first.org/team-info/. We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://ftp.cert.org/pub/CERT_PGP.key CERT Contact Information - - ------------------------ Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA CERT publications, information about FIRST representatives, and other security-related information are available from http://www.cert.org/ ftp://ftp.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org In the subject line, type SUBSCRIBE your-email-address * Registered U.S. Patent and Trademark Office. The CERT Coordination Center is part of the Software Engineering Institute (SEI). The SEI is sponsored by the U. S. Department of Defense. This file: ftp://ftp.cert.org/pub/cert_bulletins/VB-97.13.GlimpseHTTP.WebGlimpse -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNGzA2HVP+x0t4w7BAQFkxQP/dM5at0WZUagXtSh++qHoLNQgxbV9uITY HmIKiitRLq4WegFOEwoMeJCTQW3YwsnPuvEw+XY92cUNgmYuDeZKcXE9RXKHZ6df Ozg2a7iXke0THhYNxozzdj2WKBzfrC9aVL3BpiR7WLD1eIRzL2gmVC2iggcA22U1 Ow4SBS6caUY= =B4Ri -----END PGP SIGNATURE----- **************************************************************************** * * * The point of contact for NIPRNET security-related incidents is the * * ASSIST: * * * * E-mail address: ASSIST@ASSIST.MIL * * * * Telephone: 1-(800)-357-4231 (24 hours/day) * * * * You may also contact the Security Coordination Center (SCC) at the * * NIC: * * * * E-mail address: SCC@NIC.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.