Date: Thu, 2 Aug 2001 01:09:42 +0200 (CEST)
From: Maurycy Prodeus <email@example.com>
Subject: suse: sdbsearch.cgi vulnerability
I found weakness in sdbsearch.cgi script which is a part of Suse distribution.
This is perl script and since Suse 7.1 they have introduced some form of
protection (interpreter is called with tainting checking). However, I think
it isn't enough and this bug still may produce danger.
Sdbsearch.cgi trusts content of HTTP_REFERER variable which is set by client
side during http's requests. Piece of this data is used to locating file with
keywords and referenced files. If there is possiblity to put such file
on attacked host (i.e. upload through ftpd) with special content, sdbsearch
will use open() to get access to match files. So we can make standard open()
pipe based attack (only without -T option). Name of uploaded file has to
be "keylist.txt" because we manipulate only on pathname, using double dots.
Proof of concept is very simple, just create harmful keylist.txt for instance
in /tmp directory and send request to http server like this:
GET /cgi-bin/sdbsearch.cgi?stichwort=keyword HTTP/1.0
(very deep traversal because we don't know what is DOCUMENT_ROOT)
and an example content of our /tmp/keylist.txt create like this:
$ echo -e "keyword\0touch exploitable|" > /tmp/keylist.txt
After successful attempt there will be "exploitable" file in /tmp directory.
Suse 6.x 7.x (7.1 and 7.2 have tainting protection, but even then
we can pass sdbsearch files which shouldn't be read)
Just filter HTTP_REFERER variable.
popl %ecx ----== http://z33d.eth-security.net ==----