Vulnerabilities in OmniHTTPd default installation
Overview
Two vulnerabilities exist within the 'statsconfig.pl' script that
comes with OmniHTTPd v2.07 and is installed by default. The first
allows a remote attacker to corrupt any file in the system. The second
allows arbitrary code to be inserted into '/cgi-bin/stats.pl'.
Details
Here is the offending code:
if ($FORM{'mostbrowsers'}) {
    $mostbrowsers_str = '$most_browsers = "' . $FORM{'mostbrowsers'} . '";';
}
...
unless (-f "$FORM{'cgidir'}/stats.prg") {
    $error .= "<LI>Config couldn't find the file stats.prg in your cgi-bin directory.";
    [ exit(); ]
}
...
$cgifile = "$FORM{'cgidir'}/stats.pl";
$progfile = "$FORM{'cgidir'}/stats.prg";
open(CGI, "> $cgifile");
open(PROG, "$progfile");
print CGI "#!/usr/local/bin/perl5\n";
print CGI "#AutoConfiged by Statsconfig.pl\n\n";
print CGI "$deflimit_str\n$mostip_str\n$mostreq_str\n$mostbrowsers_str\n$timelog_str\n$mostipnum_str\n$mostreqf_str\n$mostbrowsernum_str\n$logloc_str\n$imagebar_str\n$serveradd_str\n$barwidth_str\n$barheight_str\n$listpass_str\n$bgcolor_str\n$bgimage_str\n$ttBGcolor_str\n\n$perllib_str\n";
...
None of the values in %FORM are filtered. An attacker simply
sets $FORM{'cgidir'} to the absolute path of any file on the system
(padded with a null, of course), and that file will be corrupted. Note
that because absolute file names are used, this exploit is not
restricted to the drive the web server resides on.
Code injection is achieved by setting $FORM{'mostbrowsers'} to any
legal value, followed by a semicolon and the payload.
Exploit
I've written an exploit in PERL to demonstrate the two vulnerabilities.
To corrupt a file:
perl omnismash.pl localhost 80 -corrupt c:/autoexec.bak
The file you choose will be overwritten with approximately 470
bytes of PERL code.
To inject code into '/cgi-bin/stats.pl':
perl omnismash.pl localhost 80 -inject c:/httpd/cgi-bin
You must pass the absolute path to the cgi-bin directory for this
to work. This exploit is hard-coded to insert the following line:
if( $ENV{'QUERY_STRING'} ) { open( QS,$ENV{'QUERY_STRING'} ); }
With that done, point your browser to
'http://localhost/cgi-bin/stats.pl?|dir'. You will see a directory
listing of '/cgi-bin'.
Solution
Erase 'statsconfig.pl' along with any other unnecessary files in your
'cgi-bin'. If this is not possible in your particular situation,
replace your current 'statsconfig.pl' file with the attached
'statsconfig.fixed' file. This version allows 'statsconfig.pl' to be
invoked only from localhost.
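A hardened counterpart to the offending code in Details, added here as an example; it is neither Omnicron's code nor the attached 'statsconfig.fixed'. It applies the localhost restriction from the Solution and additionally validates 'cgidir' and 'mostbrowsers' before either value reaches open() or the generated stats.pl. The fixed $CGIDIR path and all subroutine names are assumptions.

```perl
# Added example, not the vendor's statsconfig.pl: validate %FORM before any
# value reaches open() or the generated stats.pl. All names are hypothetical.
use strict;
use warnings;
# Assumed: the administrator fixes the cgi-bin path here, so a client never
# chooses where stats.pl is written (or which other file is clobbered).
my $CGIDIR = 'C:/httpd/cgi-bin';

# The advisory's own mitigation: accept requests from localhost only.
sub is_local_request {
    my ($remote) = @_;
    return (defined $remote && $remote =~ /\A(?:127\.0\.0\.1|::1)\z/) ? 1 : 0;
}

# cgidir must equal the configured directory. A NUL byte (the padding that
# truncates the "/stats.pl" suffix) or any other path is rejected outright.
sub check_cgidir {
    my ($dir) = @_;
    return 0 unless defined $dir;
    return 0 if $dir =~ /\0/;
    (my $norm = $dir) =~ s{\\}{/}g;   # tolerate Windows separators
    $norm =~ s{/+\z}{};               # and a trailing slash
    return lc($norm) eq lc($CGIDIR) ? 1 : 0;
}

# mostbrowsers is a numeric limit: digits only, so no ';' plus Perl gets in.
sub check_number {
    my ($v) = @_;
    return (defined $v && $v =~ /\A\d{1,4}\z/) ? 1 : 0;
}

# Emit the config line from the validated number, never from raw input.
sub mostbrowsers_line {
    my ($v) = @_;
    die "mostbrowsers must be a small integer\n" unless check_number($v);
    return "\$most_browsers = $v;";
}

sub write_config {
    my (%FORM) = @_;
    die "statsconfig.pl may only be used from localhost\n"
        unless is_local_request($ENV{'REMOTE_ADDR'});
    die "cgidir is not the configured cgi-bin directory\n"
        unless check_cgidir($FORM{'cgidir'});
    # Three-argument open: the mode is fixed in code, not taken from the name.
    open(my $cgi, '>', "$CGIDIR/stats.pl") or die "cannot write stats.pl: $!";
    print $cgi "#!/usr/local/bin/perl5\n", mostbrowsers_line($FORM{'mostbrowsers'}), "\n";
    close($cgi) or die "close: $!";
}
```

Every other %FORM value the original script interpolates into stats.pl deserves the same treatment: a per-field pattern, and a generated line built only from the validated value.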
Vendor Status
Omnicron Technologies Corporation was notified via
<[EMAIL PROTECTED]> and <[EMAIL PROTECTED]> on Monday,
January 8, 2001. No reply was received.
2000.01.08.OmniHTTPd.zip