Neperos
SIGN IN
Copy Link
Add to Bookmark
Report

CERT Advisory 144

eZine's profile picture
eZine lover (@eZine)
Published in 
CERT Advisory
 · 28 Dec 2019

  

 
-----BEGIN PGP SIGNED MESSAGE----- 

============================================================================= 
CERT* Advisory CA-97.12 
Original issue date: May 6, 1997 
Last revised: May 7, 1997 
              Introduction - Corrected the AUSCERT advisory number. 
              Acknowledgments - Corrected the AUSCERT advisory number 
                and removed a company name. 

Topic: Vulnerability in webdist.cgi 
- ----------------------------------------------------------------------------- 

The CERT Coordination Center has received reports of a security 
vulnerability in the webdist.cgi cgi-bin program, part of the IRIX 
Mindshare Out Box package, available with IRIX 5.x and 6.x. By exploiting 
this vulnerability, both local and remote users may be able to execute 
arbitrary commands with the privileges of the httpd daemon. This may be 
used to compromise the http server and under certain configurations gain 
privileged access. 

Currently there are no official vendor patches available which address the 
vulnerability described in this advisory. We recommend that sites prevent 
the exploitation of this vulnerability by immediately applying the workaround 
given in Section III.A. If the package is not required, we recommend 
removing it from their systems. 

When patches are made available, they should be applied as soon as possible. 

We will update this advisory as we receive additional information. 
Please check our advisory files regularly for updates that relate to your 
site. 

Note: Development of this advisory was a joint effort of the CERT Coordination 
      Center and AUSCERT. This material was also released as AUSCERT advisory 
      AA-97.14. 
- ----------------------------------------------------------------------------- 

I.   Description 

     A security vulnerability has been reported in the webdist.cgi cgi-bin 
     program available with IRIX 5.x and 6.x. webdist.cgi is part of the 
     IRIX Mindshare Out Box software package, which allows users to install 
     software over a network via a World Wide Web interface. 

     webdist.cgi allows webdist(1) to be used via an HTML form interface 
     defined in the file webdist.html, which is installed in the default 
     document root directories for both the Netsite and Out Box servers. 

     Due to insufficient checking of the arguments passed to webdist.cgi, it 
     may be possible to execute arbitrary commands with the privileges of 
     the httpd daemon. This is done via the webdist program. 

     When installed, webdist.cgi is accessible by anyone who can connect to 
     the httpd daemon. Because of this, the vulnerability may be exploited by 
     remote users as well as local users. Even if a site's webserver is 
     behind a firewall, it may still be vulnerable. 

     Determining if your site is vulnerable 
     -------------------------------------- 
     All sites are encouraged to check their systems for the IRIX Mindshare 
     Out Box software package, and in particular the Webdist Software 
     package which is a subsystem of the Mindshare Out Box software 
     package. To determine if this package is installed, use the command: 

     # versions outbox.sw.webdist 

     I = Installed, R = Removed 

     Name                   Date        Description 

     I outbox               11/06/96    Outbox Environment, 1.2 
     I outbox.sw            11/06/96    Outbox End-User Software, 1.2 
     I outbox.sw.webdist    11/06/96    Web Software Distribution Tools, 1.2 

 
II.  Impact 

     Local and remote users may be able to execute arbitrary commands on 
     the HTTP server with the privileges of the httpd daemon. This may be 
     used to compromise the http server and under certain configurations 
     gain privileged access. 

 
III. Solution 

     Currently there are no official vendor patches available which address 
     the vulnerability described in this advisory. We recommend that 
     sites prevent the exploitation of this vulnerability by immediately 
     applying the workaround given in Section III.A or removing the 
     package from their systems (Section III.B). 

     When patches are available, we recommend that sites apply them 
     as soon as possible. 

 
     A. Remove execute permissions 

     Sites should immediately remove the execute permissions on the 
     webdist.cgi program to prevent its exploitation. By default, webdist.cgi 
     is found in /var/www/cgi-bin/, but sites should check all cgi-bin 
     directories for this program. 

        # ls -l /var/www/cgi-bin/webdist.cgi 
        -rwxr-xr-x  1 root  sys  4438 Nov  6 12:44 /var/www/cgi-bin/webdist.cgi 

        # chmod 400 /var/www/cgi-bin/webdist.cgi 

        # ls -l /var/www/cgi-bin/webdist.cgi 
        -r--------  1 root  sys  4438 Nov  6 12:44 /var/www/cgi-bin/webdist.cgi 

 
     Note that this will prevent all users from using the webdist 
     program from the HTML form interface. 

 
     B. Remove outbox.sw.webdist subsystem 

     If the Webdist software is not required, we recommend that sites remove 
     it completely from their systems. This can be done with the command: 

        # versions remove outbox.sw.webdist 

     Sites can check that the package has been removed with the command: 

        # versions outbox.sw.webdist 

 
IV.  Additional Measures 

    Sites should consider taking this opportunity to examine their entire 
    httpd configuration. In particular, all CGI programs that are not 
    required should be removed, and all those remaining should be examined 
    for possible security vulnerabilities. 

    It is also important to ensure that all child processes of httpd are 
    running as a non-privileged user. This is often a configurable option. 
    See the documentation for your httpd distribution for more details. 

    Numerous resources relating to WWW security are available. The following 
    pages may provide a useful starting point. They include links describing 
    general WWW security, secure httpd setup, and secure CGI programming. 

        The World Wide Web Security FAQ: 
                http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html 

        NSCA's "Security Concerns on the Web" Page: 
                http://hoohoo.ncsa.uiuc.edu/security/ 

    The following book contains useful information including sections on 
    secure programming techniques. 

        _Practical Unix & Internet Security_, Simson Garfinkel and 
        Gene Spafford, 2nd edition, O'Reilly and Associates, 1996. 

    Please note that the CERT/CC and AUSCERT do not endorse the URLs that 
    appear above. If you have any problems with these sites, please contact 
    the site administrator. 

 
- ----------------------------------------------------------------------------- 
This advisory is a collaborative effort between AUSCERT and the CERT 
Coordination Center. This material was also released as AUSCERT advisory 
AA-97.14. 

We thank Yuri Volobuev for reporting this problem. We also thank Martin 
Nicholls (The University of Queensland) and Ian Farquhar for their assistance 
in further understanding this problem and its solution. 
- ----------------------------------------------------------------------------- 

If you believe that your system has been compromised, contact the CERT 
Coordination Center or your representative in the Forum of Incident Response 
and Security Teams (see http://www.first.org/team-info/) 

 
CERT/CC Contact Information 
- ---------------------------- 
Email    cert@cert.org 

Phone    +1 412-268-7090 (24-hour hotline) 
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4) 
                and are on call for emergencies during other hours. 

Fax      +1 412-268-6989 

Postal address 
         CERT Coordination Center 
         Software Engineering Institute 
         Carnegie Mellon University 
         Pittsburgh PA 15213-3890 
         USA 

Using encryption 
   We strongly urge you to encrypt sensitive information sent by email. We can 
   support a shared DES key or PGP. Contact the CERT/CC for more information. 
   Location of CERT PGP key 
         ftp://info.cert.org/pub/CERT_PGP.key 

Getting security information 
   CERT publications and other security information are available from 
        http://www.cert.org/ 
        ftp://info.cert.org/pub/ 

   CERT advisories and bulletins are also posted on the USENET newsgroup 
        comp.security.announce 

   To be added to our mailing list for advisories and bulletins, send 
   email to 
        cert-advisory-request@cert.org 
   In the subject line, type 
        SUBSCRIBE  your-email-address 

- --------------------------------------------------------------------------- 
* Registered U.S. Patent and Trademark Office. 

Copyright 1997 Carnegie Mellon University 
This material may be reproduced and distributed without permission provided 
it is used for noncommercial purposes and the copyright statement is 
included. 

The CERT Coordination Center is part of the Software Engineering Institute 
(SEI). The SEI is sponsored by the U.S. Department of Defense. 
- --------------------------------------------------------------------------- 

This file: ftp://info.cert.org/pub/cert_advisories/CA-97.12.webdist 
           http://www.cert.org 
               click on "CERT Advisories" 

 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Revision history 

May 07, 1997  Introduction - Corrected the AUSCERT advisory number. 
              Acknowledgments - Corrected the AUSCERT advisory number 
                and removed a company name. 

 

 
-----BEGIN PGP SIGNATURE----- 
Version: 2.6.2 

iQCVAwUBM2/KU3VP+x0t4w7BAQGFMwP+Jnkc1P918RhF5HXa1itPn7z/Diz8VRTG 
hIugc9pMWsLtX2ibmxfAlZKB1oQyRLu/hDfvwqy83x8aqde3IWkwnIYUEnK8o1Gr 
hTrsD/iZ7VZUs59FHqZGy1htBdIy9xTIPVs+8a0gHrZTb0SYiNdhVzwCvr+Hbp5I 
M2alMpn2TUE= 
=A7Vq 
-----END PGP SIGNATURE-----

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

guest's profile picture
@guest
26 Apr 2024
Situs Sabung Ayam Digmaan
guest's profile picture
@guest
25 Apr 2024
Sabung Ayam Online
guest's profile picture
@guest
25 Apr 2024
good
guest's profile picture
@guest
25 Apr 2024
You're doing an exceptional job at archiving all the ezines! Your meticulous attention to detail helps preserve important information fo ...
guest's profile picture
@guest
25 Apr 2024
I am absolutely assured of it.
guest's profile picture
@guest
25 Apr 2024
What talented idea
Francesco's profile picture
Francesco Arca (@Francesco)
24 Apr 2024
A closer view of the "face"
DrWatson's profile picture
@DrWatson
24 Apr 2024
The face was clearly crafted by the ancient people of Atlantis!
guest's profile picture
@guest
24 Apr 2024
cool
guest's profile picture
@guest
24 Apr 2024
I played quake a lot. Was my favorite game.
a Francesco Arca production 2016 - 2024
Terms of Service - Privacy Policy
Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT